Synopses & Reviews
Get the definitive guide to writing more-secure code for Windows Vista—from the authors of the award-winning Writing Secure Code, Michael Howard and David LeBlanc. This reference is ideal for developers who understand the fundamentals of Windows programming and APIs. It complements Writing Secure Code, examining the delta between Windows XP and Windows Vista security. You get first-hand insights into design decisions, lessons learned from Windows Vista development, and practical advice for solving real-world security issues.
Discover how to:
- Develop applications to run without administrator privileges
- Apply best practices for using integrity controls
- Help protect your applications with ASLR, NX, and SafeSEH
- Evaluate authentication, authorization, and cryptography enhancements in Windows Vista
- Write services that restrict privileges and tokens—and sidestep common problems
- Learn how Windows Internet Explorer 7 defenses and new security features affect your development efforts
PLUS—Get Microsoft Visual C#, Visual C++, and C code samples on the Web
About the Author
Michael Howard, CISSP, is a leading security expert. He is a senior security program manager at Microsoft® and the coauthor of The Software Security Development Lifecycle. Michael has worked on Windows security since 1992 and now focuses on secure design, programming, and testing techniques. He is the consulting editor for the Secure Software Development Series of books by Microsoft Press.
David LeBlanc, Ph.D., is a founding member of the Trustworthy Computing Initiative at Microsoft®. He has been developing solutions for computing security issues since 1992 and has created award-winning tools for assessing network security and uncovering security vulnerabilities. David is a senior developer in the Microsoft Office Trustworthy Computing group.
Table of Contents
- Foreword; Acknowledgments; Secure Windows Initiative and SDL teams; Introduction; Target Audience; How does this Book Relate to Writing Secure Code?; How to Read This Book; Getting Started with the Code in this Book; What's on the Companion Web Site?; System Requirements; Microsoft Press Support
- Chapter 1: Code Quality; 1.1 The Windows Vista Quality Gates; 1.2 All C/C++ String Buffers Annotated with SAL; 1.3 Banned APIs Are Removed from the Codebase; 1.4 Banned Cryptography Removed from the Codebase; 1.5 Static Analysis Used to Find and Fix Bugs; 1.6 Unmanaged C/C++ Compiled with /GS and Linked with /SafeSEH, /DynamicBase, and /NXCompat; 1.7 Call to Action; 1.8 References
- Chapter 2: User Account Control, Tokens, and Integrity Levels; 2.1 User Account Control in Depth; 2.2 User Interface Considerations; 2.3 Virtualization; 2.4 Integrity Levels; 2.5 Debugging Application Compatibility Issues in Windows Vista; 2.6 The Importance of Code Signing; 2.7 Privileges New to Windows Vista; 2.8 Call to Action; 2.9 References
- Chapter 3: Buffer Overrun Defenses; 3.1 ASLR; 3.2 Stack Randomization; 3.3 Heap Defenses; 3.4 NX; 3.5 /GS; 3.6 SafeSEH; 3.7 Summary; 3.8 Call to Action; 3.9 References
- Chapter 4: Networking Defenses; 4.1 IPv6 Overview; 4.2 Network List Manager; 4.3 The Windows Vista RSS Platform; 4.4 Winsock Secure Socket Extensions; 4.5 Windows Firewall with Advanced Security; 4.6 Call to Action; 4.7 References
- Chapter 5: Creating Secure and Resilient Services; 5.1 Services Overview; 5.2 Service Accounts; 5.3 Reducing Privileges; 5.4 Controlling Network Access; 5.5 Communicating with the Desktop; 5.6 Lessons from the School of Hard Knocks; 5.7 Call to Action; 5.8 References
- Chapter 6: Internet Explorer 7 Defenses; 6.1 Pervasive Defenses; 6.2 cURL and the IUri Interface; 6.3 Lock Your ActiveX Control; 6.4 Other Things You Should Know About Internet Explorer 7; 6.5 Call to Action; 6.6 References
- Chapter 7: Cryptographic Enhancements; 7.1 Kernel Mode and User Mode Support; 7.2 Crypto-Agility; 7.3 New Algorithms in CNG; 7.4 Using CNG; 7.5 CNG and FIPS; 7.6 Improved Auditing; 7.7 Something Missing from CNG; 7.8 SSL/TLS Improvements; 7.9 Root Certificates in Windows Vista; 7.10 Deprecated Crypto Features in Windows Vista; 7.11 Call to Action; 7.12 References
- Chapter 8: Authentication and Authorization; 8.1 Windows CardSpace and Information Cards; 8.2 Graphical Identification and Authorization (GINA) Changes; 8.3 Owner SID Changes; 8.4 Call to Action; 8.5 References
- Chapter 9: Miscellaneous Defenses and Security-Related Technologies; 9.1 Adding Parental Controls Support to Your Application; 9.2 Windows Defender APIs; 9.3 New Credential User Interface API; 9.4 Use the Security Event Log; 9.5 Pointer Encoding; 9.6 Kernel Mode Debugging Issues; 9.7 Programming the Trusted Platform Module (TPM); 9.8 Windows SideBar and Gadget Security Considerations; 9.9 References