Updated: July 13, 2020 (March 1, 2004)
Sidebar: Analyzing Source Code
A key question in the wake of the illegal posting of the source code for Windows is whether public visibility of the code will result in more security vulnerabilities. Reading source code is difficult, even when developers include comments and use variables with descriptive names. Identifying potential vulnerabilities in code written by a professional development team is yet more difficult because errors are likely to be less obvious.
Even developers at Microsoft, who spent several months examining the source code for Windows 2003 as part of the company's Trustworthy Computing initiative, did not find all the vulnerabilities. For example, external developers at eEye, working without the advantage of source code access, found the recent problem with the Windows ASN.1 libraries.
The following snippet of code was posted by Microsoft at its Microsoft Developer Network site as part of a series of articles for developers. The author, Michael Howard, included the code and asked readers whether they could find the vulnerability. The answer shows how difficult it can be to analyze another developer’s code.