Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft To Banish Memcpy()

Posted by kdawson on from the good-riddance dept.

kyriacos notes that Microsoft will be adding memcpy() to its list of function calls banned under its secure development lifecycle. This reader asks, "I was wondering how advanced C/C++ programmers view this move. Do you find this having a negative impact on the flexibility of the language, and do you think it will restrict the creativity of the programmer?"

10 of 486 comments (clear)

  1. No mention of memmove... by pthisis · · Score: 5, Informative

    Do you find this having a negative impact on the flexibility of the language, and do you think it will restrict the creativity of the programmer?"

    You can replace memcpy entirely with memmove (the latter is slightly slower and handles overlaps), and nothing in the article suggests that memmove is banned.

    But, no, it shouldn't hurt creativity--they're introducing a memcpy_s, which is the same aside from taking a size parameter for the destination. That's something that is generally easy to track in new code (obviously this secure developement lifecycle is not backwards compatible).

    --
    rage, rage against the dying of the light
  2. What an idiotic idea. by Anonymous Coward · · Score: 5, Informative

    Someone already explained this better than I could.

  3. Re:Python is done by Rycross · · Score: 4, Informative

    No its not. This is only banned under Microsoft's Security Development Lifecycle, which means you only care about this if you're following those set of development guidelines. Its still in the language. And you can always use memcopy_s:

    Developers who want to be SDL compliant will instead have to replace memcpy() functions with memcpy_s, a newer command that takes an additional parameter delineating the size of the destination buffer.

  4. Re:Isn't security the programmer's responsibility? by Anonymous Coward · · Score: 5, Informative

    you didnt read.

    MSFT is banning it from their development process, not the language, use it as much as you like.

  5. Re:No - there are plenty of safer alternatives by Anonymous Coward · · Score: 5, Informative

    I'd say it's a good move - passing the size of the destination buffer is usually not that complicated.

    Are you high? It already takes a size argument. If this were about strcpy(3), then you'd have a point, but I do not think memcpy(3) means what you think it means.

    I'm not saying you can't get yourself into trouble with inappropriate use of memcpy(3), but buffer overruns aren't the go-to threat every time.

    NAME
    memcpy - copy memory area

    SYNOPSIS
    #include <string.h>

    void *memcpy(void *dest, const void *src, size_t n);

    DESCRIPTION
    The memcpy() function copies n bytes from memory area src to memory area dest. The memory
    areas should not overlap. Use memmove(3) if the memory areas do overlap.

  6. Re:No - there are plenty of safer alternatives by Chris+Burke · · Score: 5, Informative

    Just like removing printf, scanf, and most other copy/string functions. There are safe versions of memcpy that work just fine and are just as easy to use...

    There's nothing unsafe about printf (since compilers started doing format type checking), as long as you don't use user input as the format string. To print user input, you use printf("%s", user_input).

    strcpy() is unsafe because you don't know how many bytes you are going to be copying. strncpy() is completely safe as long as you aren't brain dead and set the 'n' to the size of the destination buffer (as opposed to strlen(src) which would be brain dead) and then slap an '\0' into the last index of the dest. sprintf, same deal, just use snprintf and tell it the max bytes it can print.

    So what's unsafe about memcpy()? You explicitly specify the number of bytes to copy. If that number of bytes is greater than the known size of the destination buffer, then you've got a problem that simply adding a second 'size of dest' paramater to the copy won't fix because you already screwed the pooch on figuring that out now didn't you?

    Yes memcpy() doesn't work if src and dest overlap. When that's happening, you typically know about it (you've got some clever in-situ array modification going on) and can use memmove(). memmove(), on the other hand, is equally unsafe if you can't properly specify the number of bytes to copy.

    Bottom line: There's no such thing as a "safe" copy in C when we're assuming the programmer can't figure out the destination buffer size.

    --

    The enemies of Democracy are
  7. Re:No - there are plenty of safer alternatives by FlyingBishop · · Score: 5, Informative

    That's physically impossible, even given infinite time. Read up on the halting problem.

    However, programming a framework in which we may rule out certain things, for example a process jumping over and altering the OS, is perfectly possible. It just has to be verified through reasoning, rather than testing. The unit testing methodology is really the problem here. You cannot unit test everything.

    Don't get me wrong, testing is a good start, but it's no proof of security, and a proof of security, while very hard, is possible. Kudos to Microsoft.

    And to expand on the GP for those that didn't RTFA, they replaced Memcpy with a memcpy that forced you to state the size of the destination buffer, which is a constant time operation, and a much needed one. So this only forces C coders to make their code a little more clear.

    And when you're being intentionally unclear to the computer in addition to the reader, your code has no place in a secure production setting.

  8. Re:They should go one better... by Creepy · · Score: 4, Informative

    The problem is memcpy returns a void *. If this is dynamically cast, it needs to be checked at runtime and may even be set to a value the programmer never intended (say unsigned 16 bit values instead of unsigned 8 bit characters). It may be an issue with updating the code - say the code was originally written for 8 bit ASCII and got updated to, say UTF-16 (16 bit). A dynamically cast void* doesn't care what the size is, it just shoves the values in the buffer. This may work fine in basic testing even, because you never overflow the buffer with 1-2 characters, and maybe even gets past a QA team, but once you go past 1/2, you've got a buffer overrun.

    As I understand it, __restrict wouldn't work in a C++ program using dynamic_cast because it doesn't know the size at compile time (sorry, I'm not sure what is done in C as I haven't kept up with the language, so I have to use a C++ example). My guess is memcpy_s does runtime bounds checking (it isn't specified on the memcpy_s page, maybe the security ref - too busy to read it though).

  9. Re:No - there are plenty of safer alternatives by George+Reilly · · Score: 4, Informative

    There's nothing unsafe about printf (since compilers started doing format type checking), as long as you don't use user input as the format string. To print user input, you use printf("%s", user_input).

    %n writes to the stack. It's disabled by default in VS2005 onwards. More at http://weblogs.asp.net/george_v_reilly/archive/2007/02/06/printf-n.aspx and http://julianor.tripod.com/bc/formatstring-1.2.pdf

    --
    /George V. Reilly
  10. Re:How to easily ... by cool_story_bro · · Score: 5, Informative

    He didn't say "how to make your code safe." He said "how to make your code comply with the safety standards." Rarely are the two the same. It's perfectly possible to safely use memcpy(), just like it's perfectly possible to abuse about a billion other system calls.

    --
    You must wait a little bit before using this resource; please try again later.