Security Best Practices for C++
This topic contains information about recommended security tools and practices. Using these resources and tools does not make applications immune from attack, but it makes successful attacks less likely.
Visual C++ Security Features
This section discusses security features that are built into the Visual C++ compiler and linker.
/GS (Buffer Security Check)
This compiler option instructs the compiler to insert overrun detection code into functions that are at risk of being exploited. When an overrun is detected, execution is stopped. By default this option is on.
/SAFESEH (Image has Safe Exception Handlers)
This linker option instructs the linker to include in the output image a table that contains the address of each exception handler. At runtime, the operating system uses this table to make sure that only legitimate exception handlers are executed. This helps prevent the execution of exception handlers introduced by an attack at run time. By default this option is disabled.
/analyze (Enterprise Code Analysis)
This compiler option activates code analysis that reports potential security issues such as buffer overrun, un-initialized memory, null pointer dereferencing, and memory leaks. By default this option is disabled. See Code Analysis for C/C++ Overview for more information.
For Visual C++ 2005, the C Runtime Library (CRT) has been augmented to include secure versions of functions that pose security risks (for example, the unchecked string copy function strcpy). The older, nonsecure versions of these functions are now deprecated, and therefore their use causes compile-time warnings. Programmers are strongly encouraged to use the secure versions of these CRT functions rather than suppress these compilation warnings. See Security Enhancements in the CRT for more information.
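The following is an added example, not code from the original article or from the CRT: it places the unchecked strcpy pattern beside a bounded copy. Because the secure CRT function strcpy_s is not available on every toolchain, the example uses a hypothetical portable helper, checked_strcpy, that is assumed to follow the same contract (refuse an over-long source, clear the destination and return ERANGE instead of writing past the buffer).

```cpp
#include <cerrno>
#include <cstddef>
#include <cstring>
#include <iostream>
#include <string>

// Hypothetical portable stand-in for the secure-CRT strcpy_s contract
// (assumption: not the CRT's own implementation). Copies src into dest only
// if it fits; otherwise clears dest and reports the error instead of
// overrunning. Returns 0 on success, EINVAL for null arguments, ERANGE if
// src (plus its terminator) does not fit in dest_size bytes.
int checked_strcpy(char* dest, std::size_t dest_size, const char* src) {
    if (dest == nullptr || dest_size == 0) return EINVAL;
    if (src == nullptr) { dest[0] = '\0'; return EINVAL; }
    std::size_t len = std::strlen(src);
    if (len >= dest_size) {      // no room for the terminator: refuse, never truncate silently
        dest[0] = '\0';
        return ERANGE;
    }
    std::memcpy(dest, src, len + 1);
    return 0;
}

// "Before": the unchecked pattern the article warns about. A name longer than
// 15 characters writes past the end of buf (undefined behaviour, the classic
// stack overrun that /GS exists to catch). Kept only for contrast.
std::string greet_unchecked(const char* name) {
    char buf[16];
    std::strcpy(buf, name);      // deprecated in the VC++ 2005 CRT: no length check
    return std::string("Hello, ") + buf;
}

// "After": same logic, but the copy is bounded and the failure is handled
// explicitly. Returns an empty string when the input does not fit.
std::string greet_checked(const char* name) {
    char buf[16];
    if (checked_strcpy(buf, sizeof buf, name) != 0) {
        return std::string();    // reject the input rather than overrun
    }
    return std::string("Hello, ") + buf;
}

int main() {
    std::cout << greet_checked("Ada") << "\n";                          // Hello, Ada
    std::cout << "[" << greet_checked("a-name-that-is-far-too-long")     // []
              << "]\n";
    return 0;
}
```

The point of the hardened form is not just that the copy is bounded but that the caller sees the failure and decides what to do with it, which is the behaviour the secure CRT functions give you through their return value.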
With checked iterators, users of the Standard C++ Library container classes are notified of attempts to access elements outside the bounds of a container. See Checked Iterators for more information.
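An added example (not from the original article) of the same idea in portable Standard C++: MSVC's checked iterators flag out-of-range element access in debug builds, and the standard container member at() gives the equivalent guarantee on any toolchain by throwing std::out_of_range. The record layout and the split_fields helper are constructed for the example.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>

// Result of a bounds-checked field lookup: found is false when the index
// was outside the container, so the caller never sees garbage from memory
// past the end.
struct Field {
    bool found;
    std::string value;
};

// Constructed helper (assumption: comma-separated records, no quoting).
std::vector<std::string> split_fields(const std::string& line, char sep) {
    std::vector<std::string> fields;
    std::string current;
    for (char c : line) {
        if (c == sep) { fields.push_back(current); current.clear(); }
        else          { current.push_back(c); }
    }
    fields.push_back(current);
    return fields;
}

// Unchecked form: fields[index] on a truncated record reads past the end
// (undefined behaviour). MSVC checked iterators would stop the program here
// in a debug build; a release build on another toolchain silently returns
// whatever is in memory.
std::string field_unchecked(const std::vector<std::string>& fields, std::size_t index) {
    return fields[index];
}

// Checked form: at() throws std::out_of_range for a bad index, which we turn
// into an explicit "not found" result the caller must handle.
Field field_at(const std::vector<std::string>& fields, std::size_t index) {
    try {
        return Field{true, fields.at(index)};
    } catch (const std::out_of_range&) {
        return Field{false, std::string()};
    }
}

// Example consumer: the user name is expected in field 2 of a log record
// (constructed format: date,action,user). A truncated record must not be
// treated as a valid event.
Field user_from_record(const std::string& record) {
    return field_at(split_fields(record, ','), 2);
}
```

On MSVC the unchecked form is still caught in debug builds because of checked iterators; on libstdc++ you can get comparable diagnostics for operator[] and iterators by compiling with -D_GLIBCXX_ASSERTIONS. The at() form is the one that keeps its check in every build, which is why it is the right choice wherever the index comes from untrusted data.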
Code Analysis for Managed Code
Code Analysis for Managed Code, also known as FxCop, is a tool which checks assemblies for conformance to the Microsoft .NET Framework Design Guidelines. FxCop analyzes the code and metadata within each assembly to check for defects in the following areas:
Code Analysis for Managed Code is included in Visual Studio Team System, and can also be downloaded at http://www.gotdotnet.com/team/fxcop/.
Windows Application Verifier
Available as part of the Application Compatibility Toolkit, the Application Verifier (AppVerifier) is a tool that can help developers identify potential application compatibility, stability, and security issues.
The AppVerifier works by monitoring an application's use of the operating system, including the file system, registry, memory, and APIs, while the application is running. The tool provides guidance for source-code level fixes of the issues it uncovers.
The verifier lets you perform the following:
Test for potential application compatibility errors caused by common programming mistakes.
Examine an application for memory-related issues.
Determine an application's compliance with various requirements of the Designed for Windows XP or Certified for Windows Server™ 2003 Logo Programs.
Identify potential security issues in an application.
The Windows Application Verifier is available at http://www.microsoft.com/windows/appcompatibility/appverifier.mspx.
.NET Framework Security Features
This section provides an overview of two related .NET Framework security features.
Code Access Security
Describes the .NET Framework security system and how it interfaces with application code.
Configuring Security Policy
Describes guidelines and tools for adjusting .NET Framework security policies.
Windows User Accounts
Using Windows user accounts that belong to the Administrators group exposes developers and, by extension, customers to security risks. See Running as a Member of the Users Group for more information.
Increasing Security by Using User Account Control under Windows Vista
User Account Control (UAC) is a feature of Windows Vista in which user accounts have limited privileges. For more information, see How User Account Control (UAC) Affects Your Application.