http://www.theregister.co.uk/2009/05/15/microsoft_banishes_memcpy/ By Dan Goodin in San Francisco The Register 15th May 2009 Memcpy() and brethren, your days are numbered. At least in development shops that aspire to secure coding. Microsoft plans to formally banish the popular programming function that's been responsible for an untold number of security vulnerabilities over the years, not just in Windows but in countless other applications based on the C language. Effective later this year, Microsoft will add memcpy(), CopyMemory(), and RtlCopyMemory() to its list of function calls banned under its secure development lifecycle. Memcpy has long served as a basic staple of C-based languages, providing a simple way to copy the contents from one chunk of memory to another. Its drawback comes when the source to be copied contains more bytes than its destination, creating overflows that present attackers with opportunities to remotely execute code in the underlying application. "That's definitely one of those notoriously dangerous C commands," said Johannes Ullrich, CTO of the SANS Institute, who teaches secure coding classes to developers. He likened memcpy() to other risky functions such as strcpy() and strcat(), which have Microsoft has already banned after exacting untold misery over the years. [...] -- LayerOne 2009, Information Security for the discerning professional. May 23-24 2009 @ The Anaheim Marriott in Anaheim, California Visit http://layerone.info for more informationReceived on Fri May 15 2009 - 02:39:31 PDT
This archive was generated by hypermail 2.2.0 : Fri May 15 2009 - 02:44:14 PDT