The march of progress continues, and I keep pheeling safer and safer!
It turns out that something about my recent CSQ rules post triggered IE7’s automatic phishing philter. I know of no good reason that it would pick up that post (and only that post!) other than a couple of words in the title of the article it links to (about CONTAINING_RECORD), which I’m not going to repeat here phor phear of being philtered.
Anyway, apologies if you got a nasty warning phrom my site this weekend.
The Month of Kernel Bugs blog just posted their first Windows hole. They’ve hit several other major OSes already. This one looks like it’s related to Win32k. They claim arbitrary code execution, which makes it a local administrator privilege escalation.
The best part is that it was apparently reported two years ago.
Microsoft’s compilers are available in a number of different packages – the WDK, the Platform SDK, the various Visual Studio 2005 editions, and so on. Yesterday, someone asked me if all of these editions provided the same level of code optimizations for C/C++ code.
I went searching around the Internet and found some information to the contrary, so I decided to bounce it off of Keven Frei from Microsoft. Kevin was kind enough to get back to me the next day, and confirmed that all of the compiler editions include the same optimizing abilities, with the exception of profile-guided optimization (which is only available in full Visual Studio 2005 products, not Express Edition).
So, with that, I’m sticking to my guns that Visual C++ Express Edition is one of the best values in development tools, particularly when combined with the Platform SDK.
I just ran across this document that explains the changes present in Vista’s driver verifier. Verifier is one of the Best Things Ever.
Thanks to Dan Mihai from Microsoft for pointing this out on the newsgroups.
A long time ago, I promised an entry on why there is no ExInterlockedRemoveEntryList function. If you search the NTDEV archives (or if you got to hear Peter Viscarola from OSR discuss it at one of the Driver DevCons a while back), you know that Microsoft left the function out intentionally due to its potential for misuse.
To understand why this is, consider one of the nice properties of a doubly-linked list: constant-time removal of an item from the middle, if you already know the item’s address. The list entries look something like this:
typedef struct _LIST_ENTRY
{
struct _LIST_ENTRY *Flink;
struct _LIST_ENTRY *Blink;
}
LIST_ENTRY, *PLIST_ENTRY;
To do a remove operation, you would simply point the next item (Flink) to the previous item (Blink) and vice-versa. No need to walk a long list of items. There’s even a macro to do this for you: RemoveEntryList.
This process is subject to an obvious race condition and another less obvious one. The obvious race is that two different threads could try to mutate the list simultaneously. The naïve solution is to wrap the removal in locks:
LockList(); // Spin lock, mutex, whatever... RemoveEntryList(item); UnlockList();
That does indeed prevent two threads from making simultaneous updates, but it misses another important problem: What if the entry you’re trying to remove is no longer on the list? What if another thread has just finished removing the same item, right before your call to LockList above? You certainly have no idea if the item’s neighbors are still valid after the item has been removed from the list, so you could easily trash the list.
The only safe way to do this is to ensure that the item is still a part of the list at the time you remove it. And the only safe way to do that is to walk the list from a point that you know will always be on the list, namely, from the head.
There are, of course, situations in which you can be sure, due to other semantics of the program in question, that your item really is still on the list. In those cases, the pattern above is safe.
But in other situations, you have to walk the entire list. This can be expensive, and has to be done under the protection of whatever lock you’re using. For a list with thousands of entries on it, you would want to avoid this whenever possible, and you should probably try to set up whatever extra bookkeeping you need to take advantage of O(1) removal. But, you don’t get that bookkeeping automatically, so that’s why there’s no ExInterlockedRemoveEntryList.
David Powell from the provided me with some insight about the possibility of downlevel support for WSK, now that TDI is being deprecated. He tells me that the WSK team has been getting lots of requests for Windows XP/2003 support lately, and that it’s high on our list of things to do as soon as we get Vista out
the door.
As for Windows 2000 support, my impression is that it is pretty unlikely. If this really matters to you, I’d encourage you to follow the link in my previous post to send the WSK team feedback. Such feedback has been effective before.
After a great week at Microsoft’s Redmond campus, it’s back to the Real World™ to do some actual work. Everyone at Microsoft was really helpful, and I owe thanks to lots of people for their help in making our trip as successful as it was.
First off, the compatibility lab was great. The team that runs the lab did a wonderful job of having everything there and together, and our access to technical resources was amazing. Highly worthwhile, if you’re considering it for yourself.
We got to spend some time hanging out with Eric Sassman, who is the MVP lead for both Ken and me, and we also spent a really fascinating lunch with Doron Holan and Eliyas Yakub, who were kind enough to let me pick their brains on software team management. We finished off by getting into a discussion about non-blocking algorithms and data structures in the kernel. I plan on writing more on both topics soon.
And finally, we got to spend some quality time with some of the guys from Leviathan Security Group and Metasploit. Lots to discuss there as well, as soon as I get time to do some writing.
I had a great time getting to know a lot of new people and catching up with old friends, and I learned a ton. Can’t wait for the next Driver DevCon!
I’ve blogged a few times about how good of a value I think Visual C++ Express Edition is. Just last week, I was telling someone that there just aren’t that many compelling differences between Express and Standard (or really even Professional, for my taste), until you get to the Team System stuff (about which I know very little). In fact, he went with Standard just because of ATL, which has been removed from the Vista PSDK. (sigh…)
It turns out that Microsoft has finally added some differentiated features in the form of a new Visual Studio PowerToys pack. There are some great things in there: a source code outliner, support for inserting code snippets, indexed find (great idea!), and more. The only catch is that they don’t work on Express – you have to have Standard, Professional, or Team System.
This seems like a totally reasonable way to differentiate your build tools. My compliments to the product team. This beats the hell out of differentiating on important code security features.
While working with one of our drivers, Ken and I ran across an interesting stack fault that I’ve never seen or heard of on a pre-Vista OS. It turns out that the Vista network stack uses much more stack than previous OSes. Ken has all of the details.
My advice: if you have any sort of NDIS driver that goes above a basic miniport, you should be testing with Vista now. Install an IM driver or two, while you’re at it. NDIS-WDM drivers could have issues here as well.
Happy testing!
The first day of the Vista compatibility lab was… long. We got to the campus at about 9:00, and didn’t leave until 11:00 PM. This is the second time I’ve done something like this at Microsoft (the first was at Driver DevCon 2003, getting our network drivers running on NDIS6). It’s always a productive time – plenty of food, water, experts, books, and computers around so that there really are no impediments to getting real work done.
Vista is going to be an interesting challenge. The UAC stuff changed a lot in the last six months, and our software doesn’t quite interact perfectly with it yet. On the upside, the things that I thought were working – the drivers, for example – are indeed working. Other things are mostly clean-up work for code that was probably in need of clean-up anyway. There haven’t been many (any?) Vista-only changes that would break on downlevel OSes, which reinforces my claim that, if you are careful and code to the API in the documented way, you’re way less likely to break compatibility in the future.
Some of the experiences haven’t been quite so great, though; Ken found a seemingly very severe problem with IpHlpApi route addition, for example, and we’re seeing slightly different behavior from some other APIs in IpHlpApi as well – I fought with IpReleaseAddress for a while when it started returning a new (undocumented, of course) return code
And, of course, there are the major breaking changes – for example, GINA DLLs are gone, which may not mean much to 99% of software vendors out there, but if you happen to need a GINA replacement, you have to re-write that code completely and produce a credential provider instead.
In the annoyances
category, there are things like icons looking bad (the dark grey task bar is hell on colorful icons) and high-res support in various places. And, ideally, we want to fully embrace the UAC system rather than fighting with it, which raises some interesting product design questions.
We made way more progress than I thought we’d make on day 1, and we still have most of the week ahead of us, so I’m optimistic that we can actually finish what we came here for. So far, so good, at any rate.