Writing Secure Code

Hi all;

Since I received the book from Peter G. Viscarola at a Security Class he
taught at the Microsoft Campus I will ask these questions. Also since this
is a very good group to ask this too also.

(1) Looking at A Process for Determining Appriopriate Privelege Level
chapter section, I wondered. Why not have the Microsoft compilers and
Linkers do this for us and place the information in the objs and then in
either the DLL or exe. This then could help close up some security holes.

Sincerely;
Mike Jones

Let me add some more to this:

On page 129: in Writing Secure Code we have the following:

A Process for Determining Appriopriate Privilege

(a) Find out each resource the application uses: Have the compiler help
with this.
(b) Find out each privileged API the application calls. Again compiler
(c) Evaluate the account under which the application is required to run.
This is the OS job with the loader uses the info gotten from the linker.
(d) Determine which SIDs and privileges are required to perform the
application tasks. This is the OS job again.
(e) Adjust the token to meet the requirements in the previous step. Again
the OS job.

Note that you have allow the program itself to change the token within its
own code. What I am suggesting is a way for applications to more easily
have the Privileges lowered with the help of the compiler, linker and
possibly additional resources tools from within a development environment.

Again wondering. Note I will try to to learn more and hopefully will have
more on this topic.

Sincerely;
Mike Jones

P.S. Thanks for OSR

“Michael Jones” wrote in message
news:xxxxx@ntdev…
> Hi all;
>
> Since I received the book from Peter G. Viscarola at a Security Class he
> taught at the Microsoft Campus I will ask these questions. Also since
this
> is a very good group to ask this too also.
>
> (1) Looking at A Process for Determining Appriopriate Privelege Level
> chapter section, I wondered. Why not have the Microsoft compilers and
> Linkers do this for us and place the information in the objs and then in
> either the DLL or exe. This then could help close up some security holes.
>
> Sincerely;
> Mike Jones
>
>
>
>
>