Security Best Practices for C++
This topic contains information about recommended security tools and practices. Using these resources and tools does not make applications immune from attack, but it makes successful attacks less likely.
The C Runtime Library (CRT) has been augmented to include secure versions of functions that pose security risks (the unchecked strcpy string copy function, for example). The older, nonsecure versions of these functions are now deprecated, and therefore their use causes compile-time warnings. We strongly encourage you to use the secure versions of these CRT functions instead of choosing to suppress the compilation warnings. See Security Features in the CRT for more information.
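To show what the secure CRT functions buy you, here is an added example (not code from this page or from the CRT itself): bounded_copy is a portable stand-in written for this example that mirrors the strcpy_s contract of taking the destination size and returning an error code (ERANGE) instead of writing past the buffer; the MSVC strcpy_s additionally invokes the invalid parameter handler. The function names and the username field are assumptions made for the example.

```cpp
#include <cerrno>
#include <cstddef>
#include <cstring>

// Portable stand-in for the strcpy_s contract (written for this example, not
// the CRT's implementation). Returns 0 on success, EINVAL for null arguments,
// and ERANGE when the source does not fit; in the error cases the destination
// is left as an empty string rather than being overrun.
int bounded_copy(char* dst, std::size_t dst_size, const char* src) {
    if (dst == nullptr || dst_size == 0) return EINVAL;
    if (src == nullptr) { dst[0] = '\0'; return EINVAL; }
    std::size_t len = std::strlen(src);
    if (len >= dst_size) {   // no room for the string plus its terminator
        dst[0] = '\0';
        return ERANGE;
    }
    std::memcpy(dst, src, len + 1);
    return 0;
}

// Typical caller: a fixed-size field filled from untrusted input.
// With the deprecated strcpy() an input of 16 or more characters would write
// past `name`; here the oversized input is rejected and the caller finds out.
bool store_username(char (&name)[16], const char* input) {
    return bounded_copy(name, sizeof name, input) == 0;
}
```

Passing `sizeof name` from the caller (rather than a constant repeated at the call site) is what keeps the size argument honest when the field is later resized, which is the same discipline the `_s` functions rely on.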
SafeInt Library helps prevent integer overflows and other exploitable errors that might result when the application performs mathematical operations. The SafeInt library includes the SafeInt Class, the SafeIntException Class, and several SafeInt Functions.
The SafeInt class protects against integer overflow and divide-by-zero exploits. It lets you handle comparisons between values of different types, and provides two error handling policies. The default policy is for the SafeInt class to throw a SafeIntException exception to report why a mathematical operation cannot be completed. The second policy is for the SafeInt class to stop program execution. You can also define a custom policy.
Each SafeInt function protects one mathematical operation from an exploitable error. You can use two different types of parameters without having to convert them to the same type. Use the SafeInt class to protect multiple mathematical operations.
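The following added example (not part of this page and not the SafeInt library) shows the kind of error SafeInt exists to catch: a buffer size computed from an attacker-controlled count silently wraps to a small value, and the allocation that follows is then too small for the copy that follows it. checked_mul, checked_add, checked_div and checked_buffer_size are hypothetical names written for this example; they use the bool-return style rather than SafeInt's exception policy.

```cpp
#include <cstddef>
#include <limits>
#include <type_traits>

// Checked unsigned multiply: false on overflow instead of wrapping around.
template <typename T>
bool checked_mul(T a, T b, T* out) {
    static_assert(std::is_unsigned<T>::value, "unsigned types only");
    if (a != 0 && b > std::numeric_limits<T>::max() / a) return false;
    *out = a * b;
    return true;
}

// Checked unsigned add: false if the sum would exceed the type's maximum.
template <typename T>
bool checked_add(T a, T b, T* out) {
    static_assert(std::is_unsigned<T>::value, "unsigned types only");
    if (b > std::numeric_limits<T>::max() - a) return false;
    *out = a + b;
    return true;
}

// Checked divide: false on a zero divisor instead of undefined behaviour.
template <typename T>
bool checked_div(T a, T b, T* out) {
    if (b == 0) return false;
    *out = a / b;
    return true;
}

// Size of a buffer holding `header` bytes followed by `count` elements of
// `elem_size` bytes each. Every intermediate result is overflow-checked.
bool checked_buffer_size(std::size_t count, std::size_t elem_size,
                         std::size_t header, std::size_t* out) {
    std::size_t payload = 0;
    if (!checked_mul(count, elem_size, &payload)) return false;
    return checked_add(payload, header, out);
}

// The unchecked form of the same computation: this is the bug. Unsigned
// arithmetic wraps, so a large `count` produces a tiny size, and a later
// copy of `count` elements into that buffer overruns it.
std::size_t unchecked_buffer_size(std::size_t count, std::size_t elem_size,
                                  std::size_t header) {
    return count * elem_size + header;
}
```

For a count of SIZE_MAX / 4 + 1 with 4-byte elements and a 16-byte header, the unchecked version returns 16 while the checked version reports failure; a caller that allocates on the unchecked result has the classic undersized buffer. SafeInt wraps the same checks in a class so that ordinary `*` and `+` on SafeInt<T> values apply them automatically.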
A checked iterator is an iterator that enforces container boundaries. By default, when a checked iterator is out of bounds, it generates an exception and ends program execution. A checked iterator provides other levels of response that depend on the values assigned to preprocessor defines such as _SECURE_SCL_THROWS and _ITERATOR_DEBUG_LEVEL. For example, at _ITERATOR_DEBUG_LEVEL=2, a checked iterator provides comprehensive correctness checks in debug mode that are implemented by using asserts. See Checked Iterators for more information.
Code Analysis for Managed Code, also known as FxCop, is a tool that checks assemblies for conformance to the Microsoft .NET Framework Design Guidelines. FxCop analyzes the code and metadata within each assembly to check for defects in the following areas:
Library design
Localization
Naming conventions
Performance
Security
Code Analysis for Managed Code is included in Visual Studio Application Lifecycle Management, and can also be downloaded at http://www.gotdotnet.com/team/fxcop/.
Available as part of the Application Compatibility Toolkit, the Application Verifier (AppVerifier) is a tool that can help developers identify potential application compatibility, stability, and security issues.
The AppVerifier monitors how an application uses the operating system. It watches the file system, registry, memory, and APIs while the application is running, and recommends source-code level fixes for the issues it uncovers.
The verifier lets you perform the following:
Test for potential application compatibility errors caused by common programming mistakes.
Examine an application for memory-related issues.
Test an application's compliance with the requirements for current logo programs such as the Windows 7 Software Logo Program and Windows Server 2008 R2 Logo Program.
Identify potential security issues in an application.
The Windows Application Compatibility Toolkit is available from the "Application Compatibility" page at the TechNet web site.
Configuring Security Policy describes guidelines and tools for adjusting .NET Framework security policies.
Using Windows user accounts that belong to the Administrators group exposes developers, and by extension customers, to security risks. See Running as a Member of the Users Group for more information.
User Account Control (UAC) is a feature of Windows Vista in which user accounts have limited privileges. For more information, see How User Account Control (UAC) Affects Your Application.