Michael Howard, the principal cybersecurity architect at Microsoft and the man instrumental in building its Security Development Lifecycle (SDL), presented at the April educational HackFormers meeting, held on April 13, 2012 at the Microsoft Technology Center from 11:30 – 1:00 p.m. It began with a round of introductions and some hot pizza for lunch, after which Mano ‘dash4rk’ Paul gave an overview of the HackFormers organization, introducing its mission (which is to Teach Security, Teach Christ; Teach Security In Christ) and its mode of operation. Finally Mano suggested that people could get involved in the organization’s core mission by praying for it and by participating through their time, tithes (sponsorships) and talents. Mano then introduced Michael and invited him to give his talk.
Michael presented on the topic “Banned APIs and Sin Within.” The main premise of Michael’s talk was this: just as the inclusion of a single banned API call renders your code vulnerable to attack by the adversary, a single sin renders our soul vulnerable to attack by Satan, and the wages of sin is death, but God’s gift is eternal life to all who believe in Jesus Christ.
A quick write-up of the presentation is given below (for the benefit of those who missed the meeting).
Michael started by introducing the topic and himself. I have heard Michael speak in various settings at various conferences and he usually starts out by saying – “Hi, I am Michael and I have worked for Microsoft for ‘x’ number of years, always in Security” but for the first time, I heard Michael boldly introduce himself, in a professional setting – “Hi, I am Michael and I am a Christian (imperfect in every possible way!) and I have worked for Microsoft for 20 years, always in security”, before talking about the plethora of books that he has authored, in service to the information security and technology community.
Michael then said that he does not like to draw analogies; instead he would use quotes from the Bible to compare and contrast software security, establishing the fact that “The BIBLE is correct, your code is not!”
Michael then showed that the Internet is not a very benign place by asking “What if cars operated in an environment like the Internet?” and introduced the Security Development Lifecycle (SDL).
One of the requirements within the SDL is the removal of insecure (or banned) APIs from the code.
So, what are banned APIs? They are APIs that can render the code vulnerable to attack (mostly the memory-corruption-prone string and buffer functions). An example of such APIs is given below.
Michael then talked about four major vulnerabilities (including the Zotob and Sasser worms). The four that he covered were:
PnP MS05-039 (Zotob)
PCT SChannel MS04-011
NNTP MS05-030
LSASS MS04-011 (Sasser)
He then gave the following two techniques for “finding” banned APIs in code:
1. #include <banned.h>
2. C4996 warnings
and suggested that safer alternatives such as std::string, strsafe.h, and strcpy_s be used, cautioning not to use C++ as a glorified C!
Michael also noted that it is possible to auto-replace banned functions, which is especially useful in legacy code.
Michael then stated that removing banned APIs takes a leap of faith that “regressions” to an insecure state don’t occur.
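To make the “replace the banned API” step concrete, here is a small added example (my own code, not from Michael’s talk, banned.h or strsafe.h). It contrasts the unbounded strcpy pattern that banned.h and the C4996 warning flag with a hypothetical portable helper, bounded_copy, that mimics the strcpy_s contract: it refuses to write past the destination and leaves an empty string rather than a partial or overflowed one.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The banned pattern the talk targets: strcpy has no idea how large dst is,
 * so any src longer than 15 characters silently writes past the buffer.
 * Kept only for contrast; nothing below calls it. */
void copy_user_banned(char dst[16], const char *src)
{
    strcpy(dst, src);   /* flagged by #include <banned.h> / warning C4996 */
}

/* Hypothetical stand-in for strcpy_s (portable, so it builds anywhere).
 * Returns 0 on success. If src does not fit, returns ERANGE and sets dst
 * to "" so a caller that ignores the result still holds a terminated,
 * harmless buffer instead of an overflow. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || dst_size == 0)
        return EINVAL;
    if (src == NULL) {
        dst[0] = '\0';
        return EINVAL;
    }
    /* Measure src without ever reading more than dst_size bytes of it. */
    size_t n = 0;
    while (n < dst_size && src[n] != '\0')
        n++;
    if (n >= dst_size) {        /* no room for the terminator */
        dst[0] = '\0';
        return ERANGE;
    }
    memcpy(dst, src, n + 1);    /* n characters plus the NUL */
    return 0;
}

/* Same job as copy_user_banned, with the bounds check. Returns 1 if copied. */
int copy_user_safe(char dst[16], const char *src)
{
    return bounded_copy(dst, 16, src) == 0;
}

int main(void)
{
    char buf[16];
    /* Constructed inputs: one that fits and one oversized string. */
    printf("short: %d\n", copy_user_safe(buf, "alice"));
    printf("long:  %d (buf=\"%s\")\n",
           copy_user_safe(buf, "AAAAAAAAAAAAAAAAAAAAAAAA"), buf);
    return 0;
}
```

The same contract is what strcpy_s gives you on MSVC; the point of the exercise is that the function, not the caller, owns the length check.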
Michael then moved on to posing the following question (pop quiz) and drew the parallel between sin and insecure code, before contrasting that while not all insecure code is the same, “All sin is the same. There is no ‘Security Bulletin’ scale for sin.” We all have sinned and fallen short of God’s glory (Romans 3:23).
And how do we deal with sin and with insecure code? By removing them, which takes a leap of faith. Praise the Lord, who forgives ALL your sins (Psalm 103:3).
In conclusion, Michael summarized that to remove banned APIs and sin, we must Admit (that we sin in life and in code), Do something about it (replace banned APIs with a safer alternative; admit the Lord Jesus Christ into your heart) and Don’t repeat, by putting in place the things that will help prevent sin and banned APIs (study the book of Romans in the Bible for more information; submit to the Lord and use banned.h in all your C/C++ code).
The floor was then opened to a time of questions and answers.