Security Stuff in Whidbey – The Safer CRT


There has always been a very strong relationship with our team and the developer division (aka DevDiv), in part because they take some of our ideas and turn them into solutions that can be used by our developer customers. And I want to take an opportunity over the next few days to outline some of the excellent security stuff added to Whidbey, most of which you will see when beta 2 ships.

One of my favorites is a more up-to-date C runtime library, dubbed the Safer CRT. Let’s face it, the CRT of 20 or so years ago has turned out to be a little, well, challenging to use from a security perspective. When David and I wrote Writing Secure Code we wrote an appendix describing “issues” with certain functions in Windows and the CRT. The CRT library folks, under the watchful eye of Martyn Lovell, decided to fix the “Appendix A Problem” and they did so with the Safer CRT.

Essentially, they have deprecated a whole bunch of old CRT functions (strcpy, strncpy, _itoa and so on). I don’t know the final number of functions, but my guess is it’s in the 100 ballpark. They replaced them with more secure versions, for example strcpy_s, _itoa_s and so on. By “more secure” I mean more consistent functions that help make it a little harder to shoot yourself in the foot.
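To make the contract of the _s functions concrete, here is an added example (not the Safer CRT's own code): a portable stand-in that mirrors what the text describes for strcpy_s, namely a destination-size parameter and an errno_t-style result instead of a silent overflow. The names demo_strcpy_s, errno_t_demo and the sample inputs are assumptions constructed for this illustration.

```c
/* Added example: a portable stand-in for the strcpy_s contract described
 * above. It is NOT the Safer CRT implementation; it only shows the shape of
 * the API (size parameter, error code, no overflow). */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef int errno_t_demo;  /* stand-in for the CRT's errno_t (assumption) */

/* Copy src into dst[dst_size]. Like strcpy_s: EINVAL for a null pointer or
 * zero-sized buffer, ERANGE when src does not fit (dst becomes "" so a caller
 * that ignores the result still holds a terminated string), 0 on success. */
errno_t_demo demo_strcpy_s(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;
    if (dst == NULL || dst_size == 0)
        return EINVAL;
    if (src == NULL) {
        dst[0] = '\0';
        return EINVAL;
    }
    while (n < dst_size && src[n] != '\0')   /* bounded length scan */
        n++;
    if (n >= dst_size) {                     /* no room for the NUL */
        dst[0] = '\0';
        return ERANGE;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Worked check: the classic overflow case turns into a reported error
 * rather than smashing the stack past buf. */
int demo_overflow_is_reported(void)
{
    char buf[8];
    const char *too_long = "this constructed input exceeds eight bytes";
    errno_t_demo err = demo_strcpy_s(buf, sizeof buf, too_long);
    return err == ERANGE && buf[0] == '\0';
}

int main(void)
{
    char name[16];
    if (demo_strcpy_s(name, sizeof name, "Whidbey") == 0)
        printf("copied: %s\n", name);
    printf("overflow reported: %d\n", demo_overflow_is_reported());
    return 0;
}
```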

One interesting addition is rand_s, which calls RtlGenRandom to create cryptographically secure random numbers, rather than rand’s highly predictable numbers. I mentioned how you can call RtlGenRandom directly in a prior blog. Calling rand_s is a little different from calling rand, however:

#define _CRT_RAND_S      /* must be defined before stdlib.h, or rand_s is not declared */
#include "stdlib.h"

unsigned int r = 0;
errno_t err = rand_s(&r);  /* returns 0 on success; r then holds the random value */

Comments (13)

  1. Ilya says:

    I don’t know… all this Safer CRT is well worth indeed but from the other hand… Yeah, let’s make it the way even a dumb can use safely. And the dumb surely will. Technical workarounds instead of literacy and responsibility – there is something wrong with it. “Hey, these scalpels are so sharp and dangerous! Let’s make them nice and shiny and blunt so even a neighbor can use them safely while surgery on your kidney”

  2. kathryne says:

    That’s really good writing. You should check out my weblog when you get a chance, and tell me if it’s as good as yours, k? Well, here ya go: http://katzthoughtz.bloghaqrbor.com

    thank you!!

  3. Michael Howard says:

    I hate analogies 🙂

    That said, I actually disagree, this is not about removing scalpels – it’s about adding a safety net under the guy on the tightrope.

    Like I said, I hate analogies!

  4. Ilya says:

    Ok, flag the analogies then 🙂 Otherwise it would go to the guy who cannot walk on tightrope should not do it. Or the safety net may give an extremely overweight guy a false sense of safety of trying to walk. So flag it 🙂

    Do not take me as an “against” one, I just tried to make a point from a different angle. Safe CRT to deal with buffer overflows, semantic checkers to deal with something like fgets(stdin, buf, sizeof(buf)-1); printf(buf); or read(req); sql.execute("select salary from staff where id="+req); and so on, and so on. Making a lot of effort to minimize potential damage from the dumb (well, ok, insufficiently educated person) instead of simply banishing him from programming or at least giving him a book. Just a point.

  5. Dave Conrad says:

    A few questions. First, is this, or will it become, standard? That is, are any of the Safer CRT functions in C99, or is there any chance they could get into "C 2k9"? Also, are there any functions that you’ve just dropped entirely? gets() doesn’t need to be deprecated, it needs to be expunged.

    Second, what does "deprecated" mean? Do you get a warning if you try to compile/link code that calls sprintf()? Does a tooltip appear in Visual Studio?

    Finally, and this may be spurious since I guess this is limited to just one platform, but can’t sizeof(int) ever change? (And why pull in stdlib.h with double quotes?) I would have expected:

    #define _CRT_RAND_S
    #include <stdlib.h>
    #include <stdint.h>

    uint32_t r = 0;
    errno_t err = rand_s(&r);

    It sounds like these new functions will really facilitate writing secure code, and that’s a great thing.

  6. Michael Howard says:

    We have put forward the Safer CRT spec to ISO, here’s the email we received Apr04:

    The Security New Work Item Proposal ballot at the SC22 level has passed.

    This means we can officially begin work on the Security TR, the ISO/IEC designation is "24731".

    ‘Deprecated’ means you get a compiler warning.

  7. reader says:

    Mike, you did not answer D. Conrad’s question:

    (And why pull in stdlib.h with double quotes?) I would have expected:

    #define _CRT_RAND_S
    #include <stdlib.h>
    #include <stdint.h>

  8. Johnny Lee says:

    It’s about time.

    I remember suggesting that the VC group do something similar to Bell Labs’s LibSafe (at about the time that LibSafe was publicized).

    See <http://www.research.avayalabs.com/project/libsafe/>

    But I think they were preoccupied getting VS2002 out.

    I can’t wait to install Whidbey and VSTS.

  9. In my previous blog I very briefly touched on the new C runtime library added to Whidbey. Take a look