Partager via


CRT Security Enhancements (Windows Embedded CE 6.0)

1/5/2010

The C Run Time (CRT) library is an API set defined by the C Programming Language with extensions by Microsoft. Many of the functions in the original CRT library did not include error checking measures. For example, the strcpy function allows a programmer to copy a string that is larger than the destination buffer. The programmer must verify that the destination buffer is of adequate size. Similar issues in other functions can result in security issues in code.

In Windows Embedded CE 6.0, significant enhancements have been made to make the CRT library more secure. If a newer, more secure version of a function exists, the older, less secure version is marked as deprecated and the new version has the _s (secure) suffix. For example, the CRT library includes a more secure version of the strcpy function named strcpy_s.

It should be noted that in this context, "deprecated" means that a function's use is not recommended; it does not indicate that the function is scheduled to be removed from the CRT.

It should also be noted that the secure functions do not prevent or correct security errors; rather, they catch errors when they occur. They perform additional checks for error conditions, and in the case of an error, they invoke an error handler.

For example, the strcpy_s function takes the size of the buffer as a parameter, so it can determine if a buffer overrun will occur. If you use strcpy_s to copy eleven characters into a ten-character buffer, that is an error on your part; strcpy_s cannot correct your mistake, but it can detect your error and inform you by invoking the invalid parameter handler.

Eliminating deprecation warnings

There are several ways to eliminate deprecation warnings for the older, less secure functions.

  • Disable the deprecation warnings
    To disable the deprecation warnings, define _CRT_SECURE_NO_DEPRECATE or use the warning pragma. Either will disable deprecation warnings. However, if you simply disable the warnings, the security issues that caused the warnings still exist.

  • Use the new CRT security features
    In C++, the easiest way to do that is to use Secure Template Overloads, which in many cases will eliminate deprecation warnings by replacing calls to deprecated functions with calls to the new secure versions of those functions.
    For example, consider this deprecated call to strcpy,

    char szBuf[10]; strcpy(szBuf, "test"); // warning: deprecated 
    

    Defining _CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES as 1 will eliminate the warning by changing the strcpy call to strcpy_s, which prevents buffer overruns. For more information, see the product documentation for Visual Studio 2005.
    For those deprecated functions without secure template overloads, consider manually updating your code to use the secure versions.

Security Enhancements

Some of the security enhancements are:

  • Parameter Validation
    Parameters passed to CRT functions are validated, in both secure functions and in many preexisting versions of functions. These validations include:
    • Checking for NULL values passed to the functions,
    • Checking enumerated values for validity,
    • Checking that integral values are in valid ranges.
  • Invalid Parameter Handling
    There is an invalid parameter handler which is accessible to the developer. When an invalid parameter is encountered, instead of asserting and exiting the application, the CRT provides a way to check these problems with the _set_invalid_parameter_handler function.
  • Sized Buffers
    The secure functions require that the buffer size be passed to any function that writes to a buffer. The secure versions validate that the buffer is large enough before writing to it, helping to avoid dangerous buffer overrun errors which could allow malicious code to execute. These functions will usually return an errno type of error code and invoke the invalid parameter handler if the size of the buffer is too small. Functions which read from input buffers, such as gets, have secure versions that require you to specify a maximum size.
  • Null termination
    Some functions which left potentially non-terminated strings have secure versions which ensure that strings are properly null terminated.
  • Enhanced error reporting
    The secure functions return error codes with more error information than was available with the preexisting functions. The secure functions and many of the preexisting functions now set errno and often return an errno code type as well, to provide better error reporting.
  • Filesystem security
    Secure file I/O APIs support secure file access in the default case.
  • Format string syntax checking
    Invalid strings are now detected, for example using incorrect type field characters in printf format strings.
  • Additional security enhancements are described in the documentation for each function.

See Also

Reference

Security-Enhanced CRT Functions for Windows Embedded CE

Other Resources

What's New in the C Run-Time Library