A Brief Introduction to the Standard Annotation Language (SAL)

Kernel Mustard » Blog Archive » What about SAL for the rest of us?

Kernel Mustard » Blog Archive » What about SAL for the rest of us? — Sat, 20 May 2006 22:54:56 GMT

PingBack from http://kernelmustard.com/2006/05/20/what-about-sal-for-the-rest-of-us/

re: A Brief Introduction to the Standard Annotation Language (SAL)

Alexei — Sun, 21 May 2006 03:14:13 GMT

Instead of trying to make C safer, you should have advocated proper use of C++. Your code snippet:

void FillString(
TCHAR* buf,
size_t cchBuf,
char ch) {

for (size_t i = 0; i < cchBuf; i++) {
buf[i] = ch;
}
}

TCHAR *b = (TCHAR*)malloc(200*sizeof(TCHAR));
FillString(b,210,'x');

re-written in C++ is nothing but:

std::string b(199, 'x');

See? I choose this simplicity over SAL ugliness any day.

C is an inherently low level programming language. You can't fix it with SAL annotations.

The general idea is that if you want to make your code more secure, use higher level abstractions. That's all there is to it. There is a pattern, don't you see it? The proof is that up to this day you haven't provided a single example of higher level abstractions having security problems. The use of std::vector over C arrays beats that stupid integer overflow problem, the use of std::string over C strings beats an array of C security problems like the one in this post of yours. I can go on and on. More than that. There are whole books made obsolete by use of higher level abstractions, like "Secure Coding in C and C++." Such books are all about fixing security bugs in C.

SAL - pipped at the post by Michael Howard.

Tales from the Crypto — Sun, 21 May 2006 03:31:43 GMT

I've been spending some time this week in the evenings thinking on how I should introduce SAL - the Standard...

re: A Brief Introduction to the Standard Annotation Language (SAL)

michael_HOWARD — Sun, 21 May 2006 21:05:36 GMT

To Alexei

Agreed - I like using STL where it's appropriate, but imagine FillString is used in a 100,000 places, and you don't want to bloat the code with std::string (and let's be frank, all of STL's ugliness too :) then it makes sense to annotate the call to FillString.

re: A Brief Introduction to the Standard Annotation Language (SAL)

Alun Jones — Mon, 22 May 2006 04:45:47 GMT

You're not even annotating the call to FillString - you annotate only the declaration and definition.

Okay, scratch what I said about SAL

Tales from the Crypto — Mon, 22 May 2006 04:57:50 GMT

Despite what Michael Howard says about how wonderful SAL is, and my own post from earlier today, I really...

re: A Brief Introduction to the Standard Annotation Language (SAL)

Jayaram Mulupuru — Tue, 23 May 2006 18:59:39 GMT

Can you elaborate on the differences in the nature of buffer overruns caught by SAL (as you illustrated in the examples above) and the /GS flag?

Thanks.

PREfast, SAL and the Windows SDK

Michael Howard's Web Log — Tue, 23 May 2006 20:26:10 GMT

In a prior article, I wrote about the benefits of the Standard Annotation Language (SAL) available in...

re: A Brief Introduction to the Standard Annotation Language (SAL)

Anon Coward — Mon, 29 May 2006 07:04:18 GMT

> Can you elaborate on the differences in the nature of buffer overruns caught by SAL (as you illustrated in the examples above) and the /GS flag?

/GS is a runtime check trying to mitigate stack buffer overflows leading to running expolit code.

SAL enables static analysis to better find overflow (stack or heap) at compile time.

Draw two circles that have some overlap... and then use both.

re: A Brief Introduction to the Standard Annotation Language (SAL)

Robert C. Seacord — Mon, 29 May 2006 18:05:18 GMT

Michael,

This particular example strikes me as something that could be solved by better compiler technology rather than moving the burden out to the already overburdened application developer.

In your example:

void FillString(
TCHAR* buf,
size_t cchBuf,
char ch) {

for (size_t i = 0; i < cchBuf; i++) {
buf[i] = ch;
}
}
Analysis of the foor loop indicates that cchBuf is the "TooFar" for buf (that is, values of cchBuf from 0 to cchBuf-1 must be suitable as an index for buf. The compiler could easily associated this requirement with the function definition and flag any invocations of the function where this requirement is not met.

For more please read my article at:
http://www.ddj.com/dept/cpp/184402075

re: A Brief Introduction to the Standard Annotation Language (SAL)

michael_HOWARD — Mon, 29 May 2006 19:02:56 GMT

Robert - i'll pass this to the compiler guys - are there compilers doing this today?

An Intro to the Standard Annotation Language (SAL)

Rob Caron — Wed, 31 May 2006 21:49:22 GMT

Earlier this month, security guru Michael Howard authored a brief introduction to the Standard Annotation...

MSDN Flash Ireland - International Resources - 7 June 06

Robert Burke's Weblog — Tue, 06 Jun 2006 19:07:02 GMT

&nbsp;

Web Resources

&nbsp;

[Default] Register for the Windows Vista and Microsoft...

Windows Vista Security – A Bigger Picture

Michael Howard's Web Log — Mon, 12 Jun 2006 17:44:10 GMT

A couple of people have asked about the relationship between /GS, SAL and ASLR in Windows Vista. Here’s...

Cl??rigo » Blog Archive » (In)Seguridad en Vista

Cl??rigo » Blog Archive » (In)Seguridad en Vista — Wed, 12 Jul 2006 19:28:00 GMT

PingBack from http://clerigo.alucardx.net/index.php/2006/07/12/inseguridad-en-vista/

How I will judge Windows Vista Security

Michael Howard's Web Log — Fri, 09 Mar 2007 07:59:33 GMT

Before I get started, I want to point out this is my opinion, not necessarily anyone else’s viewpoint.

Lessons learned from the Animated Cursor Security Bug

The Security Development Lifecycle — Fri, 27 Apr 2007 01:57:00 GMT

Michael Howard here. A core tenet of the SDL is to take and incorporate lessons learned when we issue

The Most Complex SAL annotation

Michael Howard's Web Log — Sun, 03 Jun 2007 17:00:54 GMT

While working on " Writing Secure Code for Windows Vista " I spent a good deal of time spelunking the

Introduction to the Standard Annotation Language (SAL) for VC

DotNetKicks.com — Wed, 24 Oct 2007 05:09:35 GMT

You've been kicked (a good thing) - Trackback from DotNetKicks.com

How to Get a Job in Information Security | Perimeter Grid

How to Get a Job in Information Security | Perimeter Grid — Fri, 01 Feb 2008 04:27:23 GMT

PingBack from http://perimetergrid.com/wp/2008/01/31/how-to-get-a-job-in-information-security/

OS-Based Mitigations Against Common Attacks | Perimeter Grid

OS-Based Mitigations Against Common Attacks | Perimeter Grid — Tue, 05 Feb 2008 02:41:57 GMT

PingBack from http://perimetergrid.com/wp/2008/02/04/os-based-mitigations-against-common-attacks/

Prefast And SAL Annotations

Visual C++ Team Blog — Wed, 06 Feb 2008 03:36:39 GMT

One thing that continues to amaze me are the powerful tools available to developers and QA nowadays.

Prefast And SAL Annotations

Noticias externas — Wed, 06 Feb 2008 04:39:23 GMT

One thing that continues to amaze me are the powerful tools available to developers and QA nowadays.

MSDN Blog Postings » Prefast And SAL Annotations

MSDN Blog Postings » Prefast And SAL Annotations — Wed, 06 Feb 2008 04:41:44 GMT

PingBack from http://msdnrss.thecoderblogs.com/2008/02/05/prefast-and-sal-annotations/

Resources to help you annotate code for static analysis

Windows Driver Kit (WDK) Documentation Blog — Thu, 17 Apr 2008 00:39:52 GMT

What are annotations? } Essentially comments in the code that can be understood by static analysis tools

How to Improve the Web | Mike Andrews

How to Improve the Web | Mike Andrews — Wed, 21 May 2008 02:46:23 GMT

PingBack from http://www.mikeandrews.com/2008/05/20/how-to-improve-the-web/

Secure Coding Secrets?

The Security Development Lifecycle — Wed, 19 Nov 2008 00:38:55 GMT

Hi, Michael here. A recent article titled "NSA posts secrets to writing secure code" caught my eye in

A szoftver minőségbiztosítási eszközök valós lehetőségei és korlátai

Termékinformációk fejlesztőknek — Wed, 04 Feb 2009 08:07:16 GMT

[Nacsa Sándor, 2009. január 13. – február 3.]  A minőségbiztosítás kérdésköre szinte alig ismert

Please Join me in welcoming memcpy() to the SDL Rogues Gallery

The Security Development Lifecycle — Fri, 15 May 2009 00:44:41 GMT

Over the last few years I have written a number of articles, papers and books describing some of the