What is Security Development Lifecycle Checks option in Visual Studio?
I am using Visual Studio 2013 Preview, although I'm sure I've seen it in earlier versions. When creating a new project using the wizard, I select C++, Win32 Console Application, and there is an option to enable Security Development Lifecycle Checks on my project. Could someone explain exactly what this option does to my code/project?

Valentijn answered 18/8, 2013 at 23:26 Comment(0)
The /sdl switch is described here. It turns some warnings into errors, which does not affect your code. Furthermore, it applies the /GS check more aggressively.

Don't expect too much from it. The Microsoft SDL is really a workaround for 1980's style C programming. Even if you use 20th century C++, you don't need it. E.g. operator+(std::string, std::string) is both safe and portable. Microsoft's SDL solution here in contrast is not portable, nor is it safe - the idea behind /GS is to find errors with C string handling at runtime and abort the program, limiting the consequences but not making it safe.

Phosphine answered 19/8, 2013 at 8:9 Comment(8)
Strings are not the only cause of memory errors. /sdl can help you identify use of uninitialized variables, among other things. – Gannie
@JørgenFogh: You're describing the C4700 warning, for which you don't need /sdl. It's a Level-1 warning; you need to turn off all warnings before C4700 disappears. If your developers are doing that, you've got problems which SDL won't solve either. – Phosphine
I remember reading somewhere that the warnings become more detailed, because /sdl switches on a more detailed static analysis. I can't remember where I read it though. – Gannie
If you find a source, feel free to add another answer. – Phosphine
The MSDN article about the switch /sdl says it does modify how the code compiles, leading to runtime differences; the comment below is a copy and paste from MSDN. – Variolous
Performs limited pointer sanitization. In expressions that do not involve dereferences and in types that have no user-defined destructor, pointer references are set to a non-valid address after a call to delete. This helps to prevent the reuse of stale pointer references. Performs class member initialization. Automatically initializes all class members to zero on object instantiation (before the constructor runs). This helps prevent the use of uninitialized data associated with class members that the constructor does not explicitly initialize. – Variolous
@Motes: You should've written it as a separate answer. This is way more helpful than the (derisive) answer this comment is placed for. Additionally the link given there is bad. It should be this. – Fonseca
@Fonseca I hate the way Microsoft obsoletes links on a regular basis. I had to go to web.archive.org/web/20150703000343/http://blogs.microsoft.com/… to see the link given in the answer. – Stridulate
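The two /sdl behaviours quoted from MSDN in the comments above (zero-initialised class members and pointers poisoned after delete), written out as portable C++ so they hold on any compiler. This is an added example, not code from the page or from Microsoft; `Record` and `sanitized_delete` are hypothetical names, and `nullptr` stands in for whatever non-valid sentinel address MSVC's /sdl actually uses.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <utility>

// /sdl zero-initialises all class members before the constructor runs.
// The portable way to get the same guarantee is a default member
// initializer on every member, so a constructor that forgets one still
// leaves the object in a defined state instead of holding garbage.
struct Record {
    std::string name;            // default-constructed, always defined
    int count = 0;               // indeterminate without "= 0"
    std::uint8_t* buf = nullptr; // dangling garbage without "= nullptr"
    std::size_t len = 0;

    // Deliberately initialises only 'name'; the other members stay
    // defined because of the initializers above.
    explicit Record(std::string n) : name(std::move(n)) {}
};

// /sdl's "limited pointer sanitization" sets a pointer to a non-valid
// address after delete so a later reuse faults instead of touching freed
// memory. Portable equivalent: delete through a reference and reset it.
// nullptr is used as the poison value here (assumption, not MSVC's value).
template <typename T>
void sanitized_delete_array(T*& p) {
    delete[] p;   // delete[] on nullptr is a no-op, so repeated calls are safe
    p = nullptr;  // the stale address can no longer alias freed memory
}

// True while the record owns a live buffer.
bool has_buffer(const Record& r) { return r.buf != nullptr && r.len > 0; }

void allocate(Record& r, std::size_t n) {
    sanitized_delete_array(r.buf);      // never leak a previous buffer
    r.buf = new std::uint8_t[n]();      // value-initialised (zeroed) storage
    r.len = n;
}

void release(Record& r) {
    sanitized_delete_array(r.buf);      // r.buf is nullptr afterwards, not dangling
    r.len = 0;
}
```

Without the member initializers, `Record r("demo")` would leave `count`, `buf` and `len` indeterminate; that is exactly the class of defect /sdl papers over at compile time.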
The Microsoft Security Development Lifecycle is a software development process used and proposed by Microsoft to reduce software maintenance costs and increase reliability of software concerning software security related bugs.

These may be helpful:

http://download.microsoft.com/download/B/5/A/B5A89F4C-D591-4AAB-BF45-D818D80527B6/SDLServices2011.pdf

http://msdn.microsoft.com/en-us/library/windows/desktop/84aed186-1d75-4366-8e61-8d258746bopq.aspx

Pushkin answered 18/8, 2013 at 23:34 Comment(1)
That's a lot of material. What does checking the option actually DO to my code? – Valentijn