Insecurity Training

I spent most of the day yesterday in a conference room with about a thousand other co-workers of mine.  I know them all personally. You should have seen the size of the table!  But seriously, it was a mandatory training session for the likes of us unruly code slingers.  Microsoft is serious about security.  I’m not cheerleading here.  I’m not trying to convince you of anything.  The powers-that-be have raised the focus on security to a level of utter annoyance: security reviews, threat analysis, tools that discover, tools that defend.  Now they even want to rate us on whether we adhere to these ‘rules’ or not; no more flagrant use of strcpy; no more cryptic pointer arithmetic; no more fixed-size buffers sitting innocently on the stack; no more XOR encryption.  It’s gotten to the point where I don’t know if I can code anymore.  Between security concerns and the paralyzing fear that just about every common practice is now buried in some gold-digger’s patent portfolio, I don’t know if there is a safe line of code to write; seriously.


We’d be better off just compiling large libraries of last-known-safe algorithms.  Then if we needed to build something we could just cut-and-paste these suckers into our editor.  We would never actually be ‘writing’ code anymore.  We’d be ‘orchestrating’ code.  I can see it now: the operating system of the future comes complete with a vast library of APIs that are deemed safe and covered by licensing that allows you free use of such things as assignment, arithmetic, and comparison, and if you buy the enterprise edition you even get the ‘branch’ instruction.  The compilers of tomorrow would only compile to these calls; they would not generate any other processor instructions, because those would all be patented by someone or proven a threat to security.


But I digress.



Comments (8)

  1. "the operating system of the future comes complete with a vast library of APIs that are deemed safe"

    You mean like .net is giving us? (Assuming of course that there are no buffer overflows in the .net libraries).

    If you go down that route you end up wondering if the libraries you are using are, in fact, safe. One argument for Open Source I guess.

  2. Matt says:

    That was all sarcasm from me! Libraries of functions like ‘assignment’ and ‘addition’. Because if you wrote it yourself (‘a + b’) you’d be violating someone’s patent or opening a security hole.

    Open Source would not help you here. By only relying on your ability to read the source to instill trust, open source fails because it assumes its readers would actually know the difference between good and bad code!

  3. I was being a little sarcastic when I suggested trusting the .net libraries, as I got bitten in the butt last week by the socket bug in 1.1 <g>

    Whatever happens, be it open source or not, you always end up trusting someone else’s code, be it the framework libraries in .net or, for example, zip libraries in Open Source programs, in which 4 vulnerabilities were found this weekend. Oh dear, having the code didn’t do much good.

    So the question becomes who do you trust? Are you only trusting yourself to write decent code (in which case you’re probably deluded!), your colleagues, your managers, someone you don’t know and have never heard of?

    Code guidelines are good, heck code guidelines are great, but every time I’ve seen them float out over a company you see them broken, ignored, warped and rarely tested against. Now combine decent guidelines with a checking tool, (BufferCop anyone), which becomes part of the build process (and before MSBuild arrives please, some of us are going to be stuck on VS 2003 for quite a while) and it would be a decent first step.

  4. Matt says:

    I agree. It seems you cannot trust yourself anymore. Maybe it should have been paranoia training instead.

  5. Wow… Thanks for the rant. I enjoyed it.

  6. Mike Dimmick says:

    Microsoft apparently use a couple of tools, PREfast and PREfix, internally for enforcing these coding guidelines. They’re basically the same thing, as I understand it; PREfast (as the name suggests) is a lot faster, but tests fewer rules.

    Am I right in thinking that PREfast is automatically run on check-in to certain source repositories, while PREfix runs on the daily build?

    Driver developers can use a driver-tuned version of PREfast (shipped in the current DDK, IIRC). I believe that the intention is to ship it with Visual Studio 2005 (no, I can’t remember where I read that!)

  7. Matt says:

    It was not really a rant. It was sort of tongue-in-cheek. I do think security is serious, I just think the types of mistakes that most commonly lead to security holes is just stupid programmers! 🙂

  8. Sean says:

    In defense, there are no stupid programmers… just misinformed ones.