RegQueryValueEx – how not to write a function document

I’ve said before that I think some of our problems with insecure development can be addressed by making documentation better.

[Tech writers, please note - I don't mean this to imply that you are responsible for all of these ills, but I do think that a little more effort and care would prevent developers from making stupid and possibly dangerous mistakes that your documentation was originally designed to prevent.]

Take a look at the documentation of RegQueryValueEx – but before you go there, imagine you’re a developer, and your job is to query a value whose size you don’t know.

So, blah, blah, blah, “lpData … can be NULL if the data is not required” – okay, let’s set lpData to NULL.

Blah blah, more blah, “lpcbData … When the function returns, this variable contains the size of the data copied to lpData … if the buffer specified by lpData parameter is not large enough to hold the data, the function returns ERROR_MORE_DATA and stores the required buffer size in the variable pointed to by lpcbData”.

We have the answer we’re looking for, so we stop reading and go write some code. Just for a check, we look at Return Values:

If the function succeeds, the return value is ERROR_SUCCESS.

If the function fails, the return value is a system error code.

If the lpData buffer is too small to receive the data, the function returns ERROR_MORE_DATA.

Sounds like we have our answer – pass lpData as NULL, and expect ERROR_MORE_DATA to be returned, then we can use the value.

We go back to the documentation.

Oh – we stopped reading too soon.

“If lpData is NULL, and lpcbData is non-NULL, the function returns ERROR_SUCCESS and stores the size of the data, in bytes, in the variable pointed to by lpcbData.”

Woah – that’s counter-intuitive and unexpected.

[Read the paragraph after that for another couple of counter-intuitive and surprising behaviours.]

How would you write this behaviour as a program?

Well, if you were writing a maintainable program, you’d do something like this:

if (lpcbData == NULL)
    return ERROR_SUCCESS;           // nowhere to report a size, so nothing is reported
if (hKey == HKEY_PERFORMANCE_DATA)
{
    *lpcbData = random value;       // the docs say the size returned here is undefined
    return ERROR_MORE_DATA;
}
if (lpData == NULL)
{
    *lpcbData = size of data;       // the "just tell me the size" case: SUCCESS, not MORE_DATA
    return ERROR_SUCCESS;
}
if (size of data > *lpcbData)       // caller's buffer is too small
{
    *lpcbData = size of data;
    return ERROR_MORE_DATA;
}
*lpcbData = size of data;
… read data into lpData …
return ERROR_SUCCESS;

But that’s the exact opposite of the way in which the documentation is written. Our code goes from most specific to least specific, with the general situation at the end; the documentation starts with the general situation and ends with some specifics. As a result, if you’re a programmer who proceeds a little like a computer program, you’re going to make a mistake with this kind of documentation, and if you recognise that mistake, you’re going to make another mistake when you’re fixing it, etc, etc.

Trouble is, I’m not sure how you could rewrite the documentation so that it would read pleasantly, but still answer the problem of programmers reading the documentation with a scenario in their minds.
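For contrast, here is the caller side written the way the documentation actually behaves: a size probe with lpData NULL that expects ERROR_SUCCESS, a retry on ERROR_MORE_DATA, and a spare byte so a REG_SZ value stored without its terminator is still safe to treat as a string. This is an added example, not code from the post; off Windows the Win32 names are stubbed, and fake_query is a constructed stand-in for RegQueryValueEx that follows the documented rules.

```c
#ifdef _WIN32
#include <windows.h>
#else  /* stub the Win32 names so the caller logic compiles and runs off Windows */
typedef long LONG; typedef unsigned long DWORD; typedef unsigned char BYTE; typedef void *HKEY;
#define ERROR_SUCCESS 0L
#define ERROR_MORE_DATA 234L
#endif
#include <stdlib.h>
#include <string.h>
/* Shape of RegQueryValueExA without the reserved parameter. */
typedef LONG (*query_fn)(HKEY, const char *, DWORD *, BYTE *, DWORD *);
/* Two-call pattern: probe the size with lpData == NULL (documented to return
 * ERROR_SUCCESS, not ERROR_MORE_DATA), then read into a malloc'd buffer with
 * one spare byte, always NUL-terminated because a REG_SZ value need not be
 * stored with its terminator. Returns NULL on failure. */
BYTE *query_value_alloc(query_fn query, HKEY key, const char *name,
                        DWORD *type, DWORD *out_len)
{
    DWORD cb = 0;
    if (query(key, name, type, NULL, &cb) != ERROR_SUCCESS) return NULL;
    for (int attempt = 0; attempt < 8; attempt++) {
        BYTE *buf = malloc((size_t)cb + 1);
        if (buf == NULL) return NULL;
        DWORD got = cb;
        LONG rc = query(key, name, type, buf, &got);
        if (rc == ERROR_SUCCESS) { buf[got] = 0; *out_len = got; return buf; }
        free(buf);
        if (rc != ERROR_MORE_DATA) return NULL;
        /* Value grew between calls, or size is undefined (HKEY_PERFORMANCE_DATA): grow, retry */
        cb = (got > cb) ? got : cb * 2 + 16;
    }
    return NULL;
}
/* Constructed fake (not the real API) obeying the documented rules; the
 * stored value is the 5 bytes "hello" with no terminating NUL. */
static LONG fake_query(HKEY k, const char *n, DWORD *type, BYTE *d, DWORD *cb)
{
    static const BYTE value[5] = {'h', 'e', 'l', 'l', 'o'};
    if (cb == NULL) return ERROR_SUCCESS;               /* docs: nothing reported */
    if (type) *type = 1;                                 /* REG_SZ */
    if (d == NULL) { *cb = 5; return ERROR_SUCCESS; }    /* size probe */
    if (*cb < 5)   { *cb = 5; return ERROR_MORE_DATA; }  /* buffer too small */
    memcpy(d, value, 5); *cb = 5; return ERROR_SUCCESS;
}
int demo_reads_hello(void)   /* 1 when the fake value reads back as "hello" */
{
    DWORD type = 0, len = 0;
    BYTE *p = query_value_alloc(fake_query, NULL, "x", &type, &len);
    int ok = p != NULL && len == 5 && type == 1 && strcmp((char *)p, "hello") == 0;
    free(p);
    return ok;
}
```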

Spelled your search word wrong? Let me hinder you.

I’m reading a blog posting by StepTo, and I see he’s describing Austria as Germany’s doggleganger.


“Doggleganger? He means doppelganger, surely.”


So, just to make sure that I’m not about to make a stupid mistake – after all, he’s using a German word in an article about Germany, written while he’s in Germany – I go and ogle for the spelling he uses.


Google is so helpful…


Certificate Manager does not require administrator access.

When you manage your personal certificates in Windows, the tool to use is Certificate Manager – you can access it either by running “certmgr.msc” to access your own personal certificate store, or by running MMC, the Microsoft Management Console, and choosing File | Add / Remove Snap-in to add the Certificates snap-in. You’ll then need to choose whether you’re going to access your personal certificate store, or the local computer store, or the store for a service. As you can see from that description, running “certmgr.msc” is the easiest way to get to your personal certificate store.


In Windows Vista, things are pretty much the same – there is still no direct “user interface” way to open your certificate store (that I am aware of – let me know if you’ve found one).


One thing that is different is that everywhere the Windows Help and Support Center mentions the Certificate Manager, it takes pains to assure you that you can’t do this unless you log on as an administrator.


As you can imagine, since every user is allowed to have his or her very own personal certificate store, entirely at his or her whim to control, Certificate Manager must be able to do everything from a restricted user account – the only thing that cannot be done from a restricted user account is to access certificate stores belonging to other user accounts.


Windows Vista is new – some of its help is clearly going to be expanded on and expounded later – for right now, if you can, it’s worth enabling the “Online Help” to pick up changes to topics as soon as they get made.

Developers still don’t get it.

I’m perplexed by a statement made by one of the commenters on a recent Michael Howard blog posting.


Why would you NOT run [Visual Studio] as an administrator at all times?

As a developer, I spend enough time on my own work. I don’t need to be spending ONE second switching profiles, typing passwords, or wondering when something fails whether it is a security issue or not.

I know many developers, and not a single person I know develops as non-admin. Since VS2005 needs to run as Admin, I’d be willing to bet that 99% of the Visual Studio team does the same thing too.

(and yes, I own (and read) Writing Secure Code, and I do keep a low-privilege account to test my apps, so I’m not *totally* ignorant about security issues)


Wow.


This emphasises a few things I’ve said on numerous occasions in the past:


  1. Developers are prima donnas (you may have heard me use a different description, beginning with an “a”, and ending in “rseholes”). I can say this because I am a developer, and I’ve spent a lot of my career in the company of developers. “I am not willing to spend ONE second … wondering when something fails whether it is a security issue or not”. Heads up, Bucky – it’s your job, very specifically, your job, to spend a lot of time wondering how something will fail, and whether or not it’s because of a security issue. If not the developer, then who? Tech support? What you get wrong in Development comes back a thousandfold to Tech Support.
  2. Owning and reading “Writing Secure Code” is only the start. You actually have to get it. You have to live it and breathe it – and keep abreast of new issues that aren’t covered in the book.
  3. Testing security into the product never works. It’s too late by then, because the insecurity is already there, and it’s good at hiding. All testing does is demonstrate that your testing was unable to find the holes.
  4. Most code is never run by anyone other than the developer, until it gets to a few thousand users – as such, it always runs as administrator under its test environment, so it never fails until it reaches the user.
  5. Developers are not administrators. Most of them don’t even know what group policy is, let alone how to spell it. Even in a managed domain, developers’ machines are segregated into their own OU, so that the developers can pretty much do whatever they want with “their” machines. As a result, unit tests are never run on machines that mimic production environments, even for in-house applications.
  6. You can teach as much as you like, but some people just aren’t that interested in learning.

Rather than asking for reasons why a developer shouldn’t be an administrator, development team managers should be asking why a developer ever should be an administrator. Have an administrator account, perhaps, but almost all of a developer’s work should be done as a local user, unless that developer is producing an administration tool designed only to be run by administrators.


[Nods go out to Susan Bradley and Dana Epps, who brought this article to my attention in the first place.]

Security through marketing

Social Engineering isn’t just a bad guy tool – it’s an important part of the Security Engineer’s arsenal.


Consider user reaction to the following statements:


  1. We are going to enable strict auditing of all file access, so that we can see exactly what you do when you screw up.
  2. We are going to enable strict auditing of all file access on this server, so that when someone else screws up, they can’t possibly associate you with the blame.

I get a lot more acceptance with statement 2 than with statement 1.


What about the following different statements:


  1. We are going to apply encryption software to your laptop – this will make it slower, and harder to log on to. You will have to remember a second password just to turn your computer on.
  2. We are going to apply encryption software to your laptop – that way, if you lose it or it gets stolen, you won’t get fired and/or jailed for exposing our customer data to the world.

The first says “I’m going to make your life hell”, the second says “I’m going to make your life better”. Both describe the same process. In particular, consider that this policy must apply to Officers of the company, because they carry some of the most secret data around with them all the time, and they’re the most likely to successfully demand that the policy not be applied to them.


By making it clear to the recipient of your message that they will get a benefit, as early as possible, any subsequent down-sides to your message will be better received.


As a measure of the success of this process – and of others planting this sort of message in newsletters and internal web sites – we have not had a single company officer ask for exclusion from the policy of laptop encryption. As a result, our customers’ data is very strongly secured, even if a laptop does go missing.

Windows Vista UAC – pain point or protection?

Symantec just wants us to make the right decisions, by taking over decision making.


So why did Windows Vista’s UAC “[bug] the heck out of me–to the point where I tuned it out and, eventually, turned it off”?


First, a quick mention of what Vista’s UAC is – it stands for “User Account Control”, and refers to a really neat security feature. When you log on as an administrator to Windows Vista, the token that you use for all your operations actually has the administrator portion disabled – denied. This means that you are effectively the same as a restricted, or normal, user. How wonderful is that from a security point of view?


If you accidentally or deliberately do something that would cause an administrative action to happen, your application is interrupted by being ‘faded out’ – the desktop goes a darker shade, and a window pops up prompting you to approve the administrative action. If you’re an administrator, all you have to do is click “Continue” (or “Cancel” if you don’t approve). If you’re a restricted user, all you have to do is enter an administrator’s user name and password.


This is a whole lot better than I used to have to do – using “Run As” from the command prompt or a right-click menu as I run the application, or in a few cases, actually logging off and back on as administrator to do the administrative action, and then logging off and back on as myself, a normal or restricted user.


So, where is this bad?


It’s bad if you execute several administrative actions in sequence – or if something does it for you – and these actions aren’t packaged up into a single executable.


So, okay, in that case I usually revert to my elevated command prompt, for sequences of actions that I initiate.


Where it comes up as a really bad thing is if you’ve got a non-elevated application that automatically carries out a number of other elevated tasks and applications on your behalf, meaning that you get bugged over and over and over for UAC prompts.


[I obviously don't run nearly enough bad software, because I love UAC. I think it's great, because it means I don't have to be administrator all the time, and I'm made aware of when I'm about to be dangerous.]


So, what Symantec’s VP of consumer products, Rowan Trollope, says bothers him is that he is running applications that keep calling out to other applications, all of which should be marked as elevated, or should be better integrated among themselves, or shouldn’t be doing administrative tasks in the first place.


What application does he run the most, do you think?


What do you run, that causes you insufferable UAC prompts?

GUI lets me disable it, how do I enable it?

Playing with Vista a little more this evening, and I clear some disk space to do some shrinking and expanding of partitions. The “Disk Cleanup” tool has a tempting 1.5GB that I can release by disabling Hibernate – which I’ve done, simply to free up a little space temporarily.


Okay, now that I’ve done the thing that used all that space, I want to re-add Hibernation as an option. Disk Cleanup of course isn’t offering this any more, because I’ve already reclaimed the space. Power options aren’t giving me the ability to re-enable Hibernate, either. I’m going nuts trying to find this, and the help file is no help.


The KB is the only place to offer a ray of sunshine, with article KB 920730, “How to disable and re-enable hibernation on a computer that is running Windows Vista”.


The secret is to open a command prompt as Administrator (why can’t I right-click on that Command Prompt shortcut in my Start bar and Run As Administrator from there?), and then issue the command “powercfg -hibernate on” (“powercfg -h on” will work as well).


Of course, if you don’t open the command prompt as Administrator, it won’t actually prompt for elevation, it’ll simply tell you “You do not have permission to enable or disable the Hibernate feature.”


It’s little things like this that suggest a lack of completeness on this OS – not just that the GUI doesn’t exist, but that you have to open an elevated Command Prompt (not the easiest thing in the world) in order to enable hibernation on a laptop computer.


Don’t get me wrong – Vista is not, as I’ve heard some people say, “the next Windows ME” – and I would definitely urge early adopters to get into it now, for some really cool features (BitLocker is a must have on a laptop). But Vista does have a few sharp corners in it still.

This week’s Microsoft patches – my take.

MS07-001 – Brazilian Portuguese grammar checker. My first thought is “this announcement is in English – I wonder if it’s been translated into Brazilian Portuguese yet?” If you have installed a Spanish language or Portuguese language version of Office, or installed those languages’ grammar tools into a multi-language version, then you need the patch. Otherwise, you’ll open an Office document, and find your computer isn’t yours any more.


MS07-002 – Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution:


If you have Excel installed – yes, even on a Mac, and even if you’re using MS Works – install this update. There are nearly half a dozen ways to exploit you with this one. [Office 2007 and Works 2006 are not vulnerable to this]


MS07-003 – Vulnerabilities in Microsoft Outlook Could Allow Remote Code Execution:


Three vulnerabilities in Outlook – the first of which means that if I send you a calendar entry, and you open it in Outlook, your account is now mine. Apply this if you use Outlook for email (or for any other transport medium that allows iCal calendar entries). [Office 2007 is not vulnerable to this]


MS07-004 – Vulnerability in Vector Markup Language Could Allow Remote Code Execution:


VML? Again? Jesper and I told you how to block a previous VML remote code execution issue (by disabling the ActiveX control VGX.DLL) back in September 2006 (and a minor correction later) – if you don’t use VML, you may want to just disable the VML control again, and leave it off. Otherwise, apply the patch ASAP, because you can’t really tell when you’re going to hit a web page that does use VML for evil.

Do security professionals need to lose weight?

I’m wondering this as I look around the general field of security professionals that I know – I’m a little on the chubby side myself, I know, but think of Jesper and Steve, they’re pretty skinny guys. On average, I’d say that security professionals are not necessarily guaranteed to be overweight.


So why is it that I spend a few minutes every day deleting spam “blog comments” from someone trying to advertise phentermine to my readers?


Spam offers no redeeming features, and only persists because people believe that it may possibly offer them a profit at the expense of causing millions of others to lose a little of the use of something they’ve paid for. Anywhere else, that’s called theft. Oh, and if there was an offence of “trespass against time”, that’d be good too.