RE: Unsafe at any speed: Memcpy() banished in Redmond







Forwarded from: Michael Howard 

Brilliant ending

It also wondered aloud when "Larry, Steve, and Linus" plan to issue 
similar security edicts in their products. It's a question worth asking. 
(r)

-----Original Message-----
From: InfoSec News
Sent: Friday, May 15, 2009 2:40 AM
Subject: [ISN] Unsafe at any speed: Memcpy() banished in Redmond 

http://www.theregister.co.uk/2009/05/15/microsoft_banishes_memcpy/ 

By Dan Goodin in San Francisco 
The Register
15th May 2009

Memcpy() and brethren, your days are numbered. At least in development 
shops that aspire to secure coding.

Microsoft plans to formally banish the popular programming function 
that's been responsible for an untold number of security vulnerabilities 
over the years, not just in Windows but in countless other applications 
based on the C language. Effective later this year, Microsoft will add 
memcpy(), CopyMemory(), and RtlCopyMemory() to its list of function 
calls banned under its secure development lifecycle.

Memcpy has long served as a basic staple of C-based languages, providing 
a simple way to copy the contents from one chunk of memory to another. 
Its drawback comes when the source to be copied contains more bytes than 
its destination, creating overflows that present attackers with 
opportunities to remotely execute code in the underlying application.

"That's definitely one of those notoriously dangerous C commands," said 
Johannes Ullrich, CTO of the SANS Institute, who teaches secure coding 
classes to developers. He likened memcpy() to other risky functions such 
as strcpy() and strcat(), which Microsoft has already banned after 
exacting untold misery over the years.

[...]


--
LayerOne 2009, Information Security for the discerning professional. 
May 23-24 2009 @ The Anaheim Marriott in Anaheim, California 
Visit http://layerone.info for more information 
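
Added example, not part of the article or of the forwarded message: the overflow the article describes (a source holding more bytes than its destination) shown as a small length-prefixed parser in C, first with an unchecked memcpy() and then with a copy that is told the destination size. The wire format and the names record, parse_unchecked, checked_copy and parse_checked are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed format for this example: 1 length byte, then that many name bytes. */
struct record {
    char     name[16];
    uint32_t canary;   /* neighbouring field an overflow of name would reach */
};

/* Unsafe pattern: the count comes from the input and is never compared with sizeof out->name. */
void parse_unchecked(struct record *out, const uint8_t *msg)
{
    memcpy(out->name, msg + 1, msg[0]);
}

/* Hypothetical helper: copy only when count fits in dst_size.
 * Returns 0 on success; on rejection zeroes the destination and returns -1. */
int checked_copy(void *dst, size_t dst_size, const void *src, size_t count)
{
    if (dst == NULL)
        return -1;
    if (src == NULL || count > dst_size) {
        memset(dst, 0, dst_size);
        return -1;
    }
    memcpy(dst, src, count);
    return 0;
}

/* Hardened parser: the length byte is checked against the bytes actually
 * received and against the destination (one byte is kept for the NUL). */
int parse_checked(struct record *out, const uint8_t *msg, size_t msg_len)
{
    if (out == NULL || msg == NULL || msg_len < 1 || (size_t)msg[0] > msg_len - 1)
        return -1;
    memset(out->name, 0, sizeof out->name);
    return checked_copy(out->name, sizeof out->name - 1, msg + 1, msg[0]);
}

int main(void)
{
    uint8_t oversized[41] = { 40 };            /* constructed: claims 40 name bytes */
    struct record r = { "", 0xC0FFEEu };
    int rc = parse_checked(&r, oversized, sizeof oversized);
    printf("rc=%d canary=0x%X\n", rc, (unsigned)r.canary);
    return 0;
}
```

parse_unchecked is shown only for contrast and is never called; the checked path rejects the oversized record and leaves the neighbouring field untouched.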




