This documentation is archived and is not being maintained.

Security Best Practices for C++

This topic describes recommended security tools and practices for C++ development. Using these resources and tools does not make applications immune to attack, but it makes successful attacks less likely.

Visual C++ Security Features

This section discusses security features that are built into the Visual C++ compiler and linker.

/GS (Buffer Security Check)

This compiler option instructs the compiler to insert overrun detection code into functions that are at risk of being exploited, such as functions with local arrays or with locals whose address is taken. The compiler places a security cookie between those locals and the saved return address and checks the cookie just before the function returns. If the cookie has been altered, execution is stopped rather than allowed to return through a corrupted address. This option is on by default (/GS- turns it off). It detects sequential overruns of stack buffers; it does not detect heap overruns or arbitrary writes that skip over the cookie.

/SAFESEH (Image has Safe Exception Handlers)

This linker option instructs the linker to include in the output image a table that contains the address of each legitimate exception handler. At runtime, the operating system consults this table before dispatching an exception and refuses to run any handler that is not listed. This helps prevent an attacker who has overwritten a structured exception handler record on the stack from redirecting execution to code of their choosing. The option applies only to x86 images; x64 uses table-based unwinding, which does not keep handler addresses on the stack. When /SAFESEH is not specified, the linker still emits the table if every object file it links is compatible with safe exception handling, and silently omits it otherwise; specifying /SAFESEH makes an incompatible object file a link error instead.

/NXCOMPAT (Compatible with Data Execution Prevention)

This linker option marks the image as compatible with Data Execution Prevention (DEP). On a DEP-capable system, the operating system then marks pages that hold data, such as the stack and heap, as non-executable, so an attacker who has placed code in such a page cannot get the CPU to run it. The option is on by default. It can be turned off with /NXCOMPAT:NO, which is rarely justified; code that generates machine code at run time should instead allocate memory with execute permission explicitly.

/analyze (Enterprise Code Analysis)

This compiler option activates code analysis that reports potential security issues such as buffer overruns, uninitialized memory, null pointer dereferences, and memory leaks. By default this option is disabled. See Code Analysis for C/C++ Overview for more information.

/DYNAMICBASE (Use address space layout randomization)

This linker option produces an image that can be loaded at a different base address each time it runs, which is what address space layout randomization (ASLR) requires: the image keeps its relocation information, and the loader uses it to rebase the module at a random address. Because the executable opts in, the stack and heap of the process are randomized as well, so their locations are much less predictable. The option is on by default. For 64-bit images, /HIGHENTROPYVA (also on by default for x64) lets the loader use the full 64-bit address space for randomization. An image linked with /FIXED has no relocations and cannot be randomized.
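A build that passes the options above is only half the story; the shipped binary should be checked as well. The following added example, which is not part of the original page or of any Microsoft tool, reads the DllCharacteristics field of a PE image's optional header and reports whether the /DYNAMICBASE and /NXCOMPAT marks (and the related /HIGHENTROPYVA mark, an addition beyond the page's list) are set. It uses only standard C++, so it runs on any platform; the flag values are from the PE/COFF specification. SafeSEH is not a DllCharacteristics flag (it lives in the load configuration directory and applies only to x86), so it is not checked here. The synthetic header built by make_test_image is constructed for this example and is not a real binary.

```cpp
// Added example: verify ASLR/DEP marks in a PE image's optional header.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <fstream>
#include <iterator>
#include <string>
#include <vector>

// IMAGE_DLLCHARACTERISTICS_* values from the PE/COFF specification.
constexpr std::uint16_t DLLCHAR_HIGH_ENTROPY_VA = 0x0020;  // /HIGHENTROPYVA (64-bit ASLR)
constexpr std::uint16_t DLLCHAR_DYNAMIC_BASE    = 0x0040;  // /DYNAMICBASE
constexpr std::uint16_t DLLCHAR_NX_COMPAT       = 0x0100;  // /NXCOMPAT

struct PeMitigations {
    bool valid = false;              // false if the buffer is not a parseable PE image
    bool pe32plus = false;           // true for 64-bit (PE32+) images
    std::uint16_t dll_characteristics = 0;
    bool aslr() const { return (dll_characteristics & DLLCHAR_DYNAMIC_BASE) != 0; }
    bool high_entropy() const { return (dll_characteristics & DLLCHAR_HIGH_ENTROPY_VA) != 0; }
    bool dep() const { return (dll_characteristics & DLLCHAR_NX_COMPAT) != 0; }
};

// Little-endian field readers; callers bounds-check offsets first.
static std::uint16_t rd16(const std::vector<std::uint8_t>& b, std::size_t off) {
    return static_cast<std::uint16_t>(b[off] | (b[off + 1] << 8));
}
static std::uint32_t rd32(const std::vector<std::uint8_t>& b, std::size_t off) {
    return static_cast<std::uint32_t>(b[off]) | (static_cast<std::uint32_t>(b[off + 1]) << 8) |
           (static_cast<std::uint32_t>(b[off + 2]) << 16) | (static_cast<std::uint32_t>(b[off + 3]) << 24);
}

// Walk DOS header -> PE signature -> COFF header -> optional header. The file is
// untrusted input, so every offset is checked against the buffer size before use.
PeMitigations parse_pe_mitigations(const std::vector<std::uint8_t>& img) {
    PeMitigations m;
    if (img.size() < 0x40 || rd16(img, 0) != 0x5A4D) return m;       // "MZ"
    const std::size_t pe = rd32(img, 0x3C);                           // e_lfanew
    if (pe > img.size() || img.size() - pe < 4 + 20 + 72) return m;   // signature + COFF + needed optional header
    if (rd32(img, pe) != 0x00004550) return m;                         // "PE\0\0"
    const std::size_t opt = pe + 4 + 20;                               // optional header start
    const std::uint16_t magic = rd16(img, opt);
    if (magic == 0x010B) m.pe32plus = false;
    else if (magic == 0x020B) m.pe32plus = true;
    else return m;
    if (rd16(img, pe + 4 + 16) < 72) return m;                         // SizeOfOptionalHeader too small
    m.dll_characteristics = rd16(img, opt + 70);                       // same offset in PE32 and PE32+
    m.valid = true;
    return m;
}

// Constructed minimal header (not a real binary) carrying the given DllCharacteristics.
std::vector<std::uint8_t> make_test_image(std::uint16_t dll_characteristics, bool pe32plus = true) {
    std::vector<std::uint8_t> img(0x40 + 4 + 20 + 240, 0);
    img[0] = 'M'; img[1] = 'Z';
    img[0x3C] = 0x40;                                                  // e_lfanew
    img[0x40] = 'P'; img[0x41] = 'E';                                  // "PE\0\0"
    const std::size_t coff = 0x44, opt = coff + 20;
    img[coff + 16] = 240;                                              // SizeOfOptionalHeader
    const std::uint16_t magic = pe32plus ? 0x020B : 0x010B;
    img[opt] = static_cast<std::uint8_t>(magic & 0xFF);
    img[opt + 1] = static_cast<std::uint8_t>(magic >> 8);
    img[opt + 70] = static_cast<std::uint8_t>(dll_characteristics & 0xFF);
    img[opt + 71] = static_cast<std::uint8_t>(dll_characteristics >> 8);
    return img;
}

static std::vector<std::uint8_t> read_file(const std::string& path) {
    std::ifstream in(path, std::ios::binary);
    return std::vector<std::uint8_t>((std::istreambuf_iterator<char>(in)), std::istreambuf_iterator<char>());
}

int main(int argc, char** argv) {
    // With a path argument, check a real image; otherwise use the constructed header.
    const std::vector<std::uint8_t> img = argc > 1
        ? read_file(argv[1])
        : make_test_image(DLLCHAR_DYNAMIC_BASE | DLLCHAR_NX_COMPAT | DLLCHAR_HIGH_ENTROPY_VA);
    const PeMitigations m = parse_pe_mitigations(img);
    if (!m.valid) { std::puts("not a PE image"); return 1; }
    std::printf("%s image: DYNAMICBASE=%s HIGHENTROPYVA=%s NXCOMPAT=%s\n",
                m.pe32plus ? "PE32+" : "PE32", m.aslr() ? "yes" : "NO",
                m.high_entropy() ? "yes" : "no", m.dep() ? "yes" : "NO");
    return (m.aslr() && m.dep()) ? 0 : 2;
}
```

Run it against each executable and DLL in a release build as a post-link step; a non-zero exit code flags a module that silently lost one of the marks, for example because a third-party object file was linked with /FIXED or a project file overrode the default.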

Security-Enhanced Versions of CRT Functions

The C Runtime Library (CRT) has been augmented to include secure versions of functions that pose security risks, such as the unchecked strcpy string copy function. The secure versions carry an _s suffix (strcpy_s, for example) and take the size of the destination buffer as an explicit parameter, which they validate along with the pointers they receive before writing anything. They do not silently truncate: an oversized source invokes the invalid parameter handler, which by default terminates the process, and the function returns ERANGE if execution is allowed to continue. The older, nonsecure versions of these functions are deprecated, and using them causes compile-time warning C4996. We strongly encourage you to use the secure versions of these CRT functions instead of suppressing the warning by defining _CRT_SECURE_NO_WARNINGS. See Security Features in the CRT for more information.
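The following added example, which is not from the original page, puts the unchecked strcpy the page warns about beside a bounded copy with the strcpy_s contract. Under MSVC the bounded copy calls the CRT's own strcpy_s; on other toolchains, where strcpy_s does not exist, a small shim with the same documented behaviour is compiled in so the example still builds (an assumption of this example, marked in the code). The Account record and the sample names are constructed for illustration.

```cpp
// Added example: unchecked strcpy beside a bounded copy with strcpy_s semantics.
#include <cerrno>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

#if defined(_MSC_VER)
#include <cstdlib>
// The CRT's default invalid-parameter handler terminates the process when an _s
// function receives a bad size or pointer (Debug builds raise an assertion first).
// A no-op handler makes the failure observable through the return value instead;
// production code normally keeps the fail-fast default.
static void quiet_handler(const wchar_t*, const wchar_t*, const wchar_t*, unsigned int, std::uintptr_t) {}
struct QuietHandler { QuietHandler() { _set_invalid_parameter_handler(quiet_handler); } };
static QuietHandler g_quiet_handler;
#else
// Assumption of this example: shim reproducing strcpy_s's documented contract for
// toolchains without it. EINVAL on null pointers or a zero size; ERANGE, with the
// destination emptied, when the source does not fit. No silent truncation.
typedef int errno_t;
static errno_t strcpy_s(char* dest, std::size_t destsz, const char* src) {
    if (dest == nullptr || destsz == 0) return EINVAL;
    if (src == nullptr) { dest[0] = '\0'; return EINVAL; }
    const std::size_t len = std::strlen(src);
    if (len >= destsz) { dest[0] = '\0'; return ERANGE; }
    std::memcpy(dest, src, len + 1);
    return 0;
}
#endif

// Constructed record in which an overrun of `name` lands on `privilege`.
struct Account {
    char name[16];
    int privilege;
};

// Unchecked: copies until the terminating NUL, however long the source is.
// MSVC reports warning C4996 here; /sdl turns the warning into an error.
static void set_name_unchecked(Account& a, const char* src) {
    std::strcpy(a.name, src);
}

// Bounded: the destination size travels with the pointer. An oversized source is
// rejected (name emptied, false returned) rather than written past the field.
static bool set_name(Account& a, const char* src) {
    return strcpy_s(a.name, sizeof a.name, src) == 0;
}

int main() {
    Account a{};
    a.privilege = 1;
    set_name_unchecked(a, "alice");          // happens to fit, so nothing is corrupted
    std::printf("%s -> %s\n", a.name, set_name(a, "bob") ? "ok" : "rejected");
    // 31 characters: would overrun the 16-byte field in the unchecked version.
    const bool ok = set_name(a, "an-identifier-that-is-too-long!");
    std::printf("long name: %s, privilege still %d\n", ok ? "ok" : "rejected", a.privilege);
    return 0;
}
```

The size argument must be the real size of the destination, which is why the example passes sizeof a.name rather than a constant that could drift from the declaration; when the destination is a pointer rather than an array, the size has to be carried alongside it explicitly.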

SafeInt Library

The SafeInt library helps prevent integer overflows and other exploitable errors that might result when the application performs mathematical operations. The SafeInt library includes the SafeInt Class, the SafeIntException Class, and several SafeInt Functions.

The SafeInt class protects against integer overflow and divide-by-zero exploits. It lets you handle comparisons between values of different types, and provides two error handling policies. The default policy is for the SafeInt class to throw a SafeIntException class exception to report why a mathematical operation cannot be completed. The second policy is for the SafeInt class to stop program execution. You can also define a custom policy.

Each SafeInt function protects one mathematical operation from an exploitable error. You can use two different types of parameters without having to convert them to the same type. Use the SafeInt class to protect multiple mathematical operations.
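The checks SafeInt performs are worth seeing written out, because the bug they prevent is easy to miss in review: an attacker-chosen element count multiplied by an element size wraps around, a small buffer is allocated, and the subsequent writes overrun it. The following added example is not the SafeInt library and not code from the original page; it implements the same checks with plain comparisons so it builds without safeint.h. It mirrors the function form of the library (SafeMultiply and SafeAdd return false on failure); the class form throws SafeIntException by default instead. The inputs in main are constructed for illustration.

```cpp
// Added example: overflow-checked arithmetic of the kind SafeInt provides,
// written portably with explicit checks.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>

// Multiply without wrapping: refuses (returns false) when a*b would exceed size_t.
bool safe_mul(std::size_t a, std::size_t b, std::size_t& out) {
    if (a != 0 && b > std::numeric_limits<std::size_t>::max() / a) return false;
    out = a * b;
    return true;
}

// Add without wrapping.
bool safe_add(std::size_t a, std::size_t b, std::size_t& out) {
    if (b > std::numeric_limits<std::size_t>::max() - a) return false;
    out = a + b;
    return true;
}

// Division by zero is undefined behaviour (and a crash on x86); refuse instead.
bool safe_div(std::size_t a, std::size_t b, std::size_t& out) {
    if (b == 0) return false;
    out = a / b;
    return true;
}

// What `s < u` does after the usual arithmetic conversions: the signed operand is
// converted to unsigned, so -1 becomes the largest value and the comparison fails.
bool naive_less(std::int64_t s, std::uint64_t u) {
    return static_cast<std::uint64_t>(s) < u;
}

// Mixed-type comparison by value, as SafeInt does it: a negative signed number is
// always smaller than any unsigned number.
bool safe_less(std::int64_t s, std::uint64_t u) {
    return s < 0 || static_cast<std::uint64_t>(s) < u;
}

// Vulnerable allocation-size computation: count*elem wraps, the result is small,
// and the caller later writes `count` elements into the undersized buffer.
std::size_t buffer_bytes_unchecked(std::size_t header, std::size_t count, std::size_t elem) {
    return header + count * elem;
}

// Hardened: every operation checked, so no count can yield an undersized total.
bool buffer_bytes(std::size_t header, std::size_t count, std::size_t elem, std::size_t& total) {
    std::size_t body = 0;
    return safe_mul(count, elem, body) && safe_add(header, body, total);
}

int main() {
    // Constructed input: a count chosen so that count*8 wraps to exactly zero.
    const std::size_t evil_count = std::numeric_limits<std::size_t>::max() / 4 + 1;
    std::size_t total = 0;
    std::printf("unchecked size for %zu elements: %zu bytes\n", evil_count,
                buffer_bytes_unchecked(16, evil_count, 8));
    std::printf("checked: %s\n", buffer_bytes(16, evil_count, 8, total) ? "ok" : "overflow rejected");
    std::printf("-1 < 1: naive=%d safe=%d\n", naive_less(-1, 1) ? 1 : 0, safe_less(-1, 1) ? 1 : 0);
    return 0;
}
```

The unchecked version reports 16 bytes for a count of 2^62 on a 64-bit build (2^30 on a 32-bit build), which is exactly the kind of value a length field in untrusted input can carry.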

Checked Iterators

A checked iterator is an iterator that enforces container boundaries. By default, when a checked iterator is out of bounds, it generates an exception and ends program execution. A checked iterator provides other levels of response that depend on values assigned to preprocessor defines such as _SECURE_SCL_THROWS and _ITERATOR_DEBUG_LEVEL. For example, at _ITERATOR_DEBUG_LEVEL=2, a checked iterator provides comprehensive correctness checks in debug mode, reported through asserts. The value of _ITERATOR_DEBUG_LEVEL must be the same in every object file and library that is linked into a module, because it changes the layout of the standard containers; mixing values produces a link error. See Checked Iterators for more information.

Code Analysis for Managed Code

Code Analysis for Managed Code, also known as FxCop, is a tool that checks assemblies for conformance to the Microsoft .NET Framework Design Guidelines. FxCop analyzes the code and metadata within each assembly to check for defects in the following areas:

  • Library design

  • Localization

  • Naming conventions

  • Performance

  • Security

Code Analysis for Managed Code is included in Visual Studio Application Lifecycle Management, and can also be downloaded at http://www.gotdotnet.com/team/fxcop/.

Windows Application Verifier

Available as part of the Application Compatibility Toolkit, the Application Verifier (AppVerifier) is a tool that can help developers identify potential application compatibility, stability, and security issues.

AppVerifier monitors how an application uses the operating system. It watches the file system, registry, memory, and API usage while the application is running, and recommends source-code level fixes for the issues it uncovers.

The verifier lets you perform the following:

  • Test for potential application compatibility errors caused by common programming mistakes.

  • Examine an application for memory-related issues.

  • Test an application's compliance with the requirements for current logo programs such as the Windows 7 Software Logo Program and Windows Server 2008 R2 Logo Program.

  • Identify potential security issues in an application.

The Windows Application Compatibility Toolkit is available from the "Application Compatibility" page at the TechNet web site.

.NET Framework Security Features

Configuring Security Policy describes guidelines and tools for adjusting .NET Framework security policies.

Running with Limited Privileges

Using Windows user accounts that belong to the Administrators group exposes developers, and by extension their customers, to security risks: code developed and tested only as an administrator tends to acquire dependencies on rights that ordinary users do not have, and any bug in it runs with full control of the machine. See Running as a Member of the Users Group for more information.

User Account Control (UAC), introduced in Windows Vista, runs applications with limited privileges even when the logged-on user is an administrator, and prompts before an application is allowed to elevate. Applications should be designed to run correctly without elevation and to request it only for the specific operations that need it. For more information, see How User Account Control (UAC) Affects Your Application.