Show Me the Code!

Open-source supporters have long enjoyed having access to source code. Some time ago, Microsoft countered the open-source movement in a minor way by providing limited access to its own product source code. To date, the company has let only select entities view its source code. Typically, those entities have been universities, technology companies, and governments that are willing to sign tight licensing agreements.

Last week, Microsoft announced that it will further expand its Shared Source Initiative program by offering more access to those who provide technical support to users through various types of online communities. One way the company will do so is by letting Microsoft Most Valued Professionals (MVPs) view more source code.

In the past, MVPs have had access to source code for Windows CE .NET, ASP.NET, Visual Studio .NET, and Passport Manager. Now, they'll be offered a new shared source license for source code related to Windows Server 2003, Windows XP, Windows 2000 Server, and future OSs.

Those MVPs invited to participate will receive a smart card that will let them access 50 percent to 90 percent of the total OS code stored on a secured server hosted by Microsoft. The remainder of the code is off limits either because it's too sensitive (e.g., product activation code) or because Microsoft has licensed it from third parties and can't directly release it.

I suspect that MVP access to source code won't do much for Windows platform security. I'm not sure how many security researchers participate in Microsoft's MVP program, but I suspect that you could count them on one hand. The company should give the best security researchers access to its code for the benefit of users everywhere, but don't hold your breath waiting for that to happen.

For those of you fluent in working with program source code, whether you're a developer or perform source code audits to help tighten security, another resource might assist your endeavors. Last week, Microsoft published a new white paper, "Expert Tips for Finding Security Defects in Your Code," written by company program manager Michael Howard. It's available at the URL below. Howard and David LeBlanc coauthored the book "Writing Secure Code" (Microsoft Press).

The new white paper helps identify "patterns and best practices that all developers can follow when tracking down potential security loopholes." Howard said he uses a set of questions to determine how much time he'll need to spend reviewing code. The more "yes" answers to the questions, the more time Howard spends looking at the source code for problems. The questions are:

- Does the code run by default?

- Does the code run with elevated privileges?

- Is the code listening on a network interface?

- Is the network interface unauthenticated?

- Is the code written in C/C++?

- Does the code have a prior history of vulnerability?

- Is this component under close scrutiny by security researchers?

- Does the code handle sensitive or private data?

- Is the code reusable (for example, a DLL, C++ class header, library, or assembly)?

- Based on the threat model, is this component in a high-risk environment or subject to many high-risk threats?

If you're a developer or source code auditor, I think you'll find the paper worth reading. Even if you're not a developer or don't perform source code audits, you might find the paper interesting. Howard helped start Microsoft's Secure Windows Initiative, so Microsoft probably uses his methods and ideas to audit its code.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.