We have blogged before about software security guidelines, but there is one we haven’t discussed. Several years ago Microsoft published the “Security Development Lifecycle (SDL) Banned Function Calls” list. Removing these banned functions can eliminate a significant number of potential vulnerabilities from C and C++ code. The list recommends better or safer functions to use, with the caveat that even these “safer” functions should be used with care.
You can use the banned.h file to identify the banned calls and obtain deprecation warnings at compile time or, even better, use it as part of your source code analysis. Leveraging these warnings in your source code analysis solution gives you better ways to filter and manage the results than a dump of potentially thousands of warnings. Feed that into your code review tool and you have some good discussion points for your peer code reviews.
Like any security guideline, the question becomes how useful these are. There is no question that these banned functions are debatable. The complaint that I hear the most is that the “n” functions can be used safely, so they should not be part of the list. But you can still get yourself in a whole heap of trouble with these functions as well. Take this example from Michael Howard’s blog: “Buffer Overflow in Apache 1.3.xx fixed on Bugtraq – the evils of strncpy and strncat!”.
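To show why the “n” functions still bite, here is an added example (not code from the original post, from Michael Howard’s article, or from Microsoft’s banned.h) of the strncpy termination pitfall and the strncat size-argument trap beside bounded replacements; the function names are this example’s own.

```c
#include <string.h>
#include <stddef.h>

/* Length of s capped at max, so an unterminated buffer is never over-read
 * (portable stand-in for strnlen). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* The pitfall: strncpy pads with NULs but writes no terminator when
 * strlen(src) >= dst_size. Returns 1 if dst ended up NUL-terminated, 0 if
 * the caller now holds an unterminated buffer. */
int copy_with_strncpy(char *dst, size_t dst_size, const char *src)
{
    strncpy(dst, src, dst_size);
    return memchr(dst, '\0', dst_size) != NULL;
}

/* Hardened copy: always terminates and reports truncation as -1 so the
 * caller can reject the input instead of silently using a cut-off string.
 * Returns the number of characters copied on success. */
int safe_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len;
    if (dst == NULL || src == NULL || dst_size == 0) return -1;
    len = bounded_len(src, dst_size);
    if (len == dst_size) {          /* src plus terminator does not fit */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);      /* +1 copies the terminator too */
    return (int)len;
}

/* Hardened append. strncat's size argument is the space *remaining*, not
 * the buffer size; computing that remainder here, and refusing an
 * unterminated dst, is what prevents the overrun. Returns new length or -1. */
int safe_append(char *dst, size_t dst_size, const char *src)
{
    size_t used = bounded_len(dst, dst_size);
    int copied;
    if (used == dst_size) return -1;            /* dst not terminated */
    copied = safe_copy(dst + used, dst_size - used, src);
    if (copied < 0) return -1;                  /* dst left unchanged */
    return (int)used + copied;
}
```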
I believe there is merit in identifying these functions so you can ask yourself if you’re using them securely. For more information and training on the Microsoft SDL you can look at the course “Intro to the Microsoft Security Development Lifecycle” on our web page.
Is anyone out there using the Microsoft banned function list religiously?