Updated Writing Secure Code 2nd Ed Errata


Big thanks to Peter Gutmann and Morten Andersen for their comments. I have highlighted what’s new in RED.


Errata for Writing Secure Code 2nd Edition


By Michael Howard and David LeBlanc


Last Updated 2-Jun-2004


Entire Book


Please replace all references to Windows® .NET Server with Windows® Server 2003.


Chapter 2, Page 44


There is a small typo:


This effect is called the Hawthorn effect.


Should read:


This effect is called the Hawthorne effect.


Chapter 8, Page 276


There’s a small typo in the right column of Figure 8-3:


hKey = GetKey("MyKey");


Should read:


hKey = GetKeyHandle("MyKey");


Chapter 8, Page 284


The sentence that starts “DES encrypts the first eight bytes and then pads the remaining five bytes with three bytes, usually null” requires more explanation. Usually, the extra n bytes are padded with the value n. So if there are five extra bytes that require padding, they are padded with five bytes of value 0x05.

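The padding rule just described (n bytes of padding, each holding the value n, so that the receiver can read the last byte to learn how much to strip) is worked through below. This is an added example, not code from the book; the block size of 8 is DES's, and the message contents are constructed. The unpad side is the part that matters for security: the decryptor must validate every padding byte and reject the message when they disagree, rather than trusting the final byte.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <vector>

// Block size of DES, the cipher the book's passage discusses.
constexpr std::size_t kBlockSize = 8;

// Append padding: n bytes, each of value n, with 1 <= n <= kBlockSize.
// A message that already fills whole blocks still receives one full block
// of padding (eight 0x08 bytes); otherwise the unpadder could not tell
// trailing data from padding.
std::vector<std::uint8_t> pad(const std::vector<std::uint8_t>& data) {
    const std::size_t n = kBlockSize - (data.size() % kBlockSize);
    std::vector<std::uint8_t> out(data);
    out.insert(out.end(), n, static_cast<std::uint8_t>(n));
    return out;
}

// Strip and validate padding. Returns false (and leaves `out` empty) when
// the padding is malformed. The loop always examines the whole final block
// and masks out the bytes that are data, so the work done does not depend on
// where the first bad padding byte sits.
bool unpad(const std::vector<std::uint8_t>& padded, std::vector<std::uint8_t>& out) {
    out.clear();
    if (padded.empty() || padded.size() % kBlockSize != 0) return false;
    const std::uint8_t n = padded.back();
    if (n == 0 || n > kBlockSize) return false;
    std::uint8_t bad = 0;
    for (std::size_t i = 0; i < kBlockSize; ++i) {
        const std::uint8_t b = padded[padded.size() - 1 - i];
        const std::uint8_t in_pad = (i < n) ? 0xFF : 0x00;  // only the last n bytes are padding
        bad |= static_cast<std::uint8_t>((b ^ n) & in_pad);
    }
    if (bad) return false;
    out.assign(padded.begin(), padded.end() - n);
    return true;
}

int main() {
    // Constructed 13-byte message: 8 bytes fill a block, 5 remain, so 3 bytes of 0x03 are added.
    std::vector<std::uint8_t> msg(13, 0x41);
    std::vector<std::uint8_t> padded = pad(msg);
    std::cout << "padded length " << padded.size() << ", last byte 0x"
              << std::hex << int(padded.back()) << std::dec << "\n";
    std::vector<std::uint8_t> back;
    std::cout << "unpad ok: " << unpad(padded, back) << ", length " << back.size() << "\n";
    padded[14] = 0x02;  // corrupt one padding byte
    std::cout << "unpad of corrupted data ok: " << unpad(padded, back) << "\n";
    return 0;
}
```

For the book's 13-byte example the function adds three bytes of 0x03, not five: the count is the number of bytes needed to reach the next block boundary, and that count is also the value written into each byte.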

Chapter 8, Page 295


There is a small typo:


However, if you want to access a certificate a private key stored by CryptoAPI


Should read:


However, if you want to access a certificate or a private key stored by CryptoAPI


Chapter 9, Page 302


In the code sample, the lines:


BYTE *pbSaltedHash = new BYTE[cbSaltedHash];
if (NULL == *pbSaltedHash) throw;


Should read:


BYTE *pbSaltedHash = new BYTE[cbSaltedHash];
if (NULL == pbSaltedHash) throw;


Also, this code is labeled as C/C++ code; it is in fact C++ code.


Chapter 9, Page 304


In the code sample, the line:


return p.GetBytes(16);


Should read:


return p.GetBytes(20);


Chapter 9, Page 322


There is a small typo in the #define at the top of the page.


#define RtlZeroMemory(Destination,Length) –
     memset((Destination),0,(Length))


Should read:


#define RtlZeroMemory(Destination,Length) \
     memset((Destination),0,(Length))


Chapter 9, Page 322


The assembly language listing has lost its whitespace (for example, "pusheax" should read "push eax"). The corrected listing is:


; 30   : void DatabaseConnect(char *szDB) {

     sub  esp, 68                      ; 00000044H
     mov  eax, DWORD PTR ___security_cookie
     xor  eax, DWORD PTR __$ReturnAddr$[esp+64]

; 31   :     char szPwd[64];
; 32   :     if (GetPasswordFromUser(szPwd,sizeof(szPwd))) {

     push 64                      ; 00000040H
     mov  DWORD PTR __$ArrayPad$[esp+72], eax
     lea  eax, DWORD PTR _szPwd$[esp+72]
     push eax
     call GetPasswordFromUser
     add  esp, 8
     test al, al
     je   SHORT $L1344

; 33   :         if (ConnectToDatabase(szDB, szPwd)) {

     mov  edx, DWORD PTR _szDB$[esp+64]
     lea  ecx, DWORD PTR _szPwd$[esp+68]
     push ecx
     push edx
     call ConnectToDatabase
     add  esp, 8
$L1344:

; 34   :             // Cool, we're connected
; 35   :             // Now do database stuff
; 36   :         }
; 37   :     }
; 38   :
; 39   :     ZeroMemory(szPwd,sizeof(szPwd));
; 40   : }

     mov  ecx, DWORD PTR __$ArrayPad$[esp+68]
     xor  ecx, DWORD PTR __$ReturnAddr$[esp+64]
     add  esp, 68                      ; 00000044H
     jmp  @__security_check_cookie@4
DatabaseConnect ENDP

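Notice what the corrected listing does not contain: between the return from ConnectToDatabase and the security-cookie check there is no store to _szPwd$ at all, even though source line 39 calls ZeroMemory on it. The compiler treated the zeroing as a dead store (the buffer is never read again) and removed it, so the password stays on the stack. The block below is an added example, not the book's code, showing a portable way to make the scrub survive optimization: writing through a volatile pointer tells the compiler every store is observable. On Windows, SecureZeroMemory exists for the same purpose; the helper names here are the example's own.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>

// Zero a buffer in a way the optimizer must honour. Each store goes through
// a volatile pointer, so the compiler cannot treat it as dead even though the
// buffer is never read afterwards.
void secure_zero(void* p, std::size_t n) {
    volatile std::uint8_t* vp = static_cast<volatile std::uint8_t*>(p);
    while (n--) {
        *vp++ = 0;
    }
}

// Count non-zero bytes so a caller (or a test) can verify that a scrub happened.
std::size_t count_nonzero(const void* p, std::size_t n) {
    const std::uint8_t* b = static_cast<const std::uint8_t*>(p);
    std::size_t count = 0;
    for (std::size_t i = 0; i < n; ++i) {
        count += (b[i] != 0) ? 1 : 0;
    }
    return count;
}

// Mirrors the shape of DatabaseConnect in the listing: a local password
// buffer that must be scrubbed before the function returns. The 'A' bytes
// stand in for a password obtained from the user (constructed data).
std::size_t scrub_demo() {
    char szPwd[64];
    std::memset(szPwd, 'A', sizeof(szPwd));
    // ... the password would be used here ...
    secure_zero(szPwd, sizeof(szPwd));
    return count_nonzero(szPwd, sizeof(szPwd));  // 0 when the scrub took effect
}

int main() {
    std::cout << "non-zero bytes left after scrub: " << scrub_demo() << "\n";
    return 0;
}
```

Compile with optimization enabled (for example -O2) and inspect the generated code: the volatile stores remain, whereas a plain memset in the same position is the candidate for removal that the listing above exhibits.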

Chapter 10, Page 350


There is an error in the C# and Perl regular expressions used to determine if a file extension is valid. Without the grouping, the $ anchor applies only to the bmp alternative, so the other extensions would match anywhere in the file name.


In both cases the expression:


txt|rtf|gif|jpg|bmp$


Should read:


(?:txt|rtf|gif|jpg|bmp)$

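The two expressions behave differently on a name such as "evil.txt.exe", which is the case the fix is about. The block below is an added example (not the book's C# or Perl code) that evaluates both expressions with std::regex in search mode, which is what Perl's =~ and C#'s Regex.IsMatch do; the stricter kStrict pattern and the sample file names are the example's own additions.

```cpp
#include <iostream>
#include <regex>
#include <string>

// Expression as printed in the book: "$" binds only to the last alternative,
// so "txt", "rtf", "gif" and "jpg" are accepted anywhere in the string.
const std::regex kAsPrinted("txt|rtf|gif|jpg|bmp$");

// Corrected expression from the errata: the group makes "$" apply to every alternative.
const std::regex kCorrected("(?:txt|rtf|gif|jpg|bmp)$");

// A tighter allow-list for comparison (an addition of this example, not from the
// book): whole string anchored, a base name and a dot required, case-insensitive.
const std::regex kStrict("^[A-Za-z0-9_-]{1,64}\\.(?:txt|rtf|gif|jpg|bmp)$", std::regex::icase);

bool ext_ok_as_printed(const std::string& name) { return std::regex_search(name, kAsPrinted); }
bool ext_ok_corrected(const std::string& name)  { return std::regex_search(name, kCorrected); }
bool ext_ok_strict(const std::string& name)     { return std::regex_match(name, kStrict); }

int main() {
    // Constructed sample names.
    const char* names[] = {"photo.jpg", "evil.txt.exe", "notes.rtf.bat", "photo.BMP", "readme"};
    for (const char* n : names) {
        std::cout << n << ": as printed=" << ext_ok_as_printed(n)
                  << " corrected=" << ext_ok_corrected(n)
                  << " strict=" << ext_ok_strict(n) << "\n";
    }
    return 0;
}
```

Even the corrected fragment only checks how the string ends; a validator should also anchor the start and require the dot, which is what kStrict adds.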

Chapter 11, Page 387


There is an error in the note at the top of the page; simply stat’ing a file in Linux/Unix is not safe. There’s a nice write-up in Viega/McGraw’s Building Secure Software about how to do this properly. The chapter is also available online at http://www.awprofessional.com/articles/article.asp?p=23947&seqNum=3.

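The problem with stat() followed by open() is the window between the two calls, during which the path can be repointed at a different object. The block below is an added example (not the book's code, and not the write-up referred to above) of the usual POSIX remedy: open first, refusing to follow a symbolic link in the final component, and then inspect the descriptor with fstat(), which describes the object actually opened. The function and enum names, and the temporary files the demo creates, are the example's own.

```cpp
#include <cstdlib>
#include <fcntl.h>
#include <iostream>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

enum class OpenResult { Ok, OpenFailed, NotRegular };

// Open a file for reading without a separate stat() step. O_NOFOLLOW makes
// open() fail (with ELOOP) when the last path component is a symbolic link,
// and fstat() on the descriptor cannot be fooled by a later path change.
OpenResult open_regular_file_safely(const std::string& path, int& fd_out) {
    fd_out = -1;
    int fd = ::open(path.c_str(), O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return OpenResult::OpenFailed;
    struct stat st;
    if (::fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        ::close(fd);
        return OpenResult::NotRegular;
    }
    fd_out = fd;
    return OpenResult::Ok;
}

// Demonstration: creates a regular file, a symlink to it and uses the
// containing directory as a third case. Returns 0 when every case behaves
// as expected, otherwise the number of the step that failed.
int demo_open_cases() {
    char tmpl[] = "/tmp/errata_demo_XXXXXX";   // constructed scratch location
    if (::mkdtemp(tmpl) == nullptr) return 1;
    const std::string dir(tmpl);
    const std::string real = dir + "/data.txt";
    const std::string link = dir + "/link.txt";
    int rc = 0;

    int fd = ::open(real.c_str(), O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) rc = 2; else ::close(fd);
    if (rc == 0 && ::symlink(real.c_str(), link.c_str()) != 0) rc = 3;

    int fd_real = -1, fd_link = -1, fd_dir = -1;
    if (rc == 0 && open_regular_file_safely(real, fd_real) != OpenResult::Ok) rc = 4;
    if (rc == 0 && open_regular_file_safely(link, fd_link) != OpenResult::OpenFailed) rc = 5;
    if (rc == 0 && open_regular_file_safely(dir, fd_dir) != OpenResult::NotRegular) rc = 6;

    if (fd_real >= 0) ::close(fd_real);
    if (fd_link >= 0) ::close(fd_link);
    if (fd_dir >= 0) ::close(fd_dir);
    ::unlink(link.c_str());
    ::unlink(real.c_str());
    ::rmdir(dir.c_str());
    return rc;
}

int main() {
    std::cout << "demo result (0 = all cases behaved as expected): " << demo_open_cases() << "\n";
    return 0;
}
```

O_NOFOLLOW only covers the final path component; if an attacker can write to a directory earlier in the path, the directory itself needs to be owned and permissioned so that it cannot be replaced.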

Chapter 16, Page 492


If a privacy level protection is set on an RPC binding handle or a protocol sequence that always provides private communication is used (like ncalrpc), context handles are no longer subject to hijacking starting with Windows Server 2003 and Windows 2000 SP4.


Chapter 16, Page 495


Starting with Windows XP and Windows Server 2003, RpcServerInqCallAttributes is recommended over RpcBindingInqAuthClient as it is faster, more versatile, and lends itself to future extensions because of built-in versioning.


Chapter 16, Page 496


You can also set a flag, RPC_IF_ALLOW_SECURE_ONLY, on the call to RpcServerRegisterIfEx and RpcServerRegisterIf2 to allow only secured connections.


Should read:


If all you want to do is reject unauthenticated connections, you can set a flag, RPC_IF_ALLOW_SECURE_ONLY, on the call to RpcServerRegisterIfEx and RpcServerRegisterIf2 to allow only secured connections instead of using a security callback.


Chapter 16, Page 497


Add the following text prior to the paragraph that starts, “It is preferable”:


However, using this flag has one important limitation – it tells you nothing about who the user is. To pass the check imposed by this flag, the client simply has to have valid authentication information. If you have low-privileged accounts on your server (like Guest), using this flag will not reject requests by these users. If there is any account enabled on the machine that you don’t want to accept requests from, you should use a security callback function and check the user’s identity.


Chapter 16, Page 515


The registry subkey to set an ActiveX killbit is misspelled.


ActiveX Compatability


Should read:


ActiveX Compatibility


Chapter 18, Page 535


A friend told me I would soon by out of a job


Should read:


A friend told me I would soon be out of a job


Chapter 18, Page 544


PermMaximum ∪ (PermMinimum ∩ PermOptional)) – PermRefused


Should read:


PermMaximum ∩ (PermMinimum ∪ PermOptional)) – PermRefused

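The difference between the two formulas is easiest to see on concrete sets. The block below is an added example, not the book's code: it evaluates the corrected formula, PermMaximum ∩ (PermMinimum ∪ PermOptional) − PermRefused, next to the misprinted one on a constructed set of permission names. With the operators swapped, everything policy is willing to grant is handed out whether or not the assembly asked for it.

```cpp
#include <algorithm>
#include <iostream>
#include <iterator>
#include <set>
#include <string>

using PermSet = std::set<std::string>;

PermSet perm_union(const PermSet& a, const PermSet& b) {
    PermSet r;
    std::set_union(a.begin(), a.end(), b.begin(), b.end(), std::inserter(r, r.begin()));
    return r;
}

PermSet perm_intersection(const PermSet& a, const PermSet& b) {
    PermSet r;
    std::set_intersection(a.begin(), a.end(), b.begin(), b.end(), std::inserter(r, r.begin()));
    return r;
}

PermSet perm_minus(const PermSet& a, const PermSet& b) {
    PermSet r;
    std::set_difference(a.begin(), a.end(), b.begin(), b.end(), std::inserter(r, r.begin()));
    return r;
}

// Corrected formula from the errata:
//   PermMaximum intersect (PermMinimum union PermOptional), minus PermRefused
PermSet grant_corrected(const PermSet& maximum, const PermSet& minimum,
                        const PermSet& optional, const PermSet& refused) {
    return perm_minus(perm_intersection(maximum, perm_union(minimum, optional)), refused);
}

// Formula as misprinted in the book, kept only to show the difference:
//   PermMaximum union (PermMinimum intersect PermOptional), minus PermRefused
PermSet grant_as_misprinted(const PermSet& maximum, const PermSet& minimum,
                            const PermSet& optional, const PermSet& refused) {
    return perm_minus(perm_union(maximum, perm_intersection(minimum, optional)), refused);
}

// Constructed sample sets (permission names chosen for this example).
const PermSet kMaximum  = {"FileIO", "UI", "Socket", "Registry"};  // what policy would allow
const PermSet kMinimum  = {"FileIO"};                               // required to run at all
const PermSet kOptional = {"Socket", "Environment"};                // used if granted
const PermSet kRefused  = {"Registry"};                             // never wanted

void print(const char* label, const PermSet& s) {
    std::cout << label << ":";
    for (const std::string& p : s) std::cout << " " << p;
    std::cout << "\n";
}

int main() {
    print("corrected   ", grant_corrected(kMaximum, kMinimum, kOptional, kRefused));
    print("as misprinted", grant_as_misprinted(kMaximum, kMinimum, kOptional, kRefused));
    return 0;
}
```

With these sets the corrected formula grants FileIO and Socket only; the misprinted one also grants UI, which the assembly never requested, and would grant anything else policy allowed as well.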

Chapter 19, Page 549


There is an error in the C# sample code at the top of the page. The line reading:


new PermissionSet(PermissionState.Unrestricted);


Should read:


new PermissionSet(PermissionState.None);


Chapter 19, Page 550


There are two errors in the C# sample code. In the SendAlert() function, the line reading:


CodeAccessPermission.RevertAssert();


Should read:


SocketPermission.RevertAssert();


And in the C() function, the line reading:


CodeAccessPermission.RevertAssert();


Should read:


FileIOPermission.RevertAssert();


Chapter 19, Page 587


is the Cenzic product named Hailstorm This tool allows a tester to construct


Is missing a period character, and should read:


is the Cenzic product named Hailstorm. This tool allows a tester to construct


Chapter 19, Page 596


There is a small, but important, typo in the first code sample:


# Note the use of back ticks - like calling system()
'$exe $FILE';


Should read:


# Note the use of back ticks - like calling system()
`$exe $FILE`;


Chapter 19, Page 610


This leads to more complete test code, but even with broad test plans the test must code must be good quality,


Should read:


This leads to more complete test code, but even with broad test plans the test code must be good quality,


Chapter 23, Page 665


In the second bullet, SetThreatDesktop should read SetThreadDesktop.

Comments (2)

  1. Is there any place where I can see the differences between first and second edition of the book? I couldn’t find it.