Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Build on Windows should compile additional security flags #816

Open
ivberg opened this issue Jun 10, 2024 · 5 comments
Open

Build on Windows should compile additional security flags #816

ivberg opened this issue Jun 10, 2024 · 5 comments

Comments

@ivberg
Copy link

ivberg commented Jun 10, 2024

This is related to similar errors using trace_processor_shell.exe under constrained security environment #635

Similar compiler flags are recommended to be used.

So we were looking to use trace_processor_shell.exe at Microsoft but the binary failed a set of security checks from binskim. These compile flags would be needed to use the binary.

  1. Optional to fix (warning)
    ##[warning]1. BinSkim Warning BA2024 - File: file:///D:/a/_work/_temp/Microsoft.Performance.Toolkit.Plugins.PerfettoPlugin-1.5.5.ptix/plugin/trace_processor_shell.exe.
    Signature: bb153f488d6c6f10d936daa45314e203f796b8a444582e5b04226f08aec44667
    Tool: BinSkim: Rule: BA2024 (EnableSpectreMitigations). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2024EnableSpectreMitigations
    'trace_processor_shell.exe' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.
    The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:
    libcmt.lib,cxx,19.36.32533.0 (argv_mode.obj,commit_mode.obj,default_local_stdio_options.obj,delete_array.obj,delete_scalar.obj,delete_scalar_size.obj,denormal_control.obj,env_mode.obj,exe_main.obj,file_mode.obj,fltused.obj,gshandler.obj,gshandlereh.obj,gshandlereh4.obj,gshandlerseh.obj,initializers.obj,initsect.obj,invalid_parameter_handler.obj,matherr.obj,new_array.obj,new_mode.obj,new_scalar.obj,new_scalar_nothrow.obj,std_nothrow.obj,std_type_info_static.obj,thread_locale.obj,thread_safe_statics.obj,throw_bad_alloc.obj,tlsdyn.obj,tlssup.obj,tncleanup.obj,utility.obj,utility_desktop.obj)
    libcmt.lib,c,19.36.32533.0 (cpu_disp.obj,dyn_tls_dtor.obj,dyn_tls_init.obj,gs_cookie.obj,gs_report.obj,gs_support.obj,guard_support.obj,loadcfg.obj,matherr_detection.obj,pesect.obj,ucrt_detection.obj)
    libcpmt.lib,cxx,19.36.32533.0 (_tolower.obj,_toupper.obj,asan_noop.obj,cerr.obj,cond.obj,cthread.obj,iomanip.obj,ios.obj,iosptrs.obj,locale.obj,locale0.obj,mutex.obj,raisehan.obj,StlCompareStringA.obj,StlCompareStringW.obj,StlLCMapStringA.obj,StlLCMapStringW.obj,syserror.obj,syserror_import_lib.obj,thread0.obj,vector_algorithms.obj,winapisupp.obj,wlocale.obj,xdateord.obj,xgetwctype.obj,xlocale.obj,xlock.obj,xmbtowc.obj,xmtx.obj,xnotify.obj,xonce2.obj,xstol.obj,xstoll.obj,xstoul.obj,xstoull.obj,xstrcoll.obj,xstrxfrm.obj,xthrow.obj,xtime.obj,xtowlower.obj,xtowupper.obj,xwcscoll.obj,xwcsxfrm.obj,xwctomb.obj)
    libvcruntime.lib,cxx,19.36.32533.0 (chandler_noexcept.obj,ehhelpers.obj,ehstate.obj,frame.obj,initialization.obj,locks.obj,per_thread_data.obj,purevirt.obj,purevirt_data.obj,riscchandler.obj,risctrnsctrl.obj,softmemtag.obj,std_exception.obj,std_type_info.obj,throw.obj,undname.obj,winapi_downlevel.obj)
    libvcruntime.lib,c,19.36.32533.0 (jbcxrval.obj,jmpuwind.obj,strchr.obj,strrchr.obj,strstr.obj,wcschr.obj,wcsrchr.obj)

  2. Optional to fix (warning)
    BinSkim Note BA2025 - File: file:///D:/a/_work/_temp/Microsoft.Performance.Toolkit.Plugins.PerfettoPlugin-1.5.5.ptix/plugin/trace_processor_shell.exe.
    Signature: 8984a9935d3a4a9192e6f2ebeec7d34a11009823593c8341a1c53d20cc46eb9d
    Tool: BinSkim: Rule: BA2025 (EnableShadowStack). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2025EnableShadowStack
    'trace_processor_shell.exe' does not enable the Control-flow Enforcement Technology (CET) Shadow Stack mitigation. To resolve this issue, pass /CETCOMPAT on the linker command lines.

##[error]
3. Should fix
BinSkim Error BA2008 - File: file:///D:/a/_work/_temp/Microsoft.Performance.Toolkit.Plugins.PerfettoPlugin-1.5.6.ptix/plugin/trace_processor_shell.exe.
Signature: 1f235194c05841f2e4c479175283e6a8cfa2d94cda552a735cd9a19bf4cb9cd3
Tool: BinSkim: Rule: BA2008 (EnableControlFlowGuard). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2008EnableControlFlowGuard
'trace_processor_shell.exe' does not enable the control flow guard (CFG) mitigation. To resolve this issue, pass /guard:cf on both the compiler and linker command lines. Binaries also require the /DYNAMICBASE linker option in order to enable CFG.

@ivberg
Copy link
Author

ivberg commented Jun 10, 2024

Please hold - this may be outdated. I forgot the full history here including some manual steps, and I think this is from the v38 version. #635 was fixed AFTER v38. Testing if v45 resolves the errors

@ivberg
Copy link
Author

ivberg commented Jun 10, 2024

Ok - indeed Perfetto v45 fixes the error. I am leaving the new scan howto and warnings here in case someone wants to fix (optional).

Using https://github.com/google/perfetto/releases/download/v45.0/windows-amd64.zip unzipped to say Downloads\windows-amd64\windows-amd64

cd microsoft.codeanalysis.binskim.1.9.5\tools\netcoreapp3.1\win-x64

BinSkim.exe analyze --config default --recurse --verbose --sarif-output-version OneZeroZero --sympath windows-amd64\windows-amd64 windows-amd64\windows-amd64\trace_processor_shell.exe

trace_processor_shell.exe: warning BA2004: 'trace_processor_shell.exe' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:
Microsoft (R) Macro Assembler : masm : 14.15.26706.0 : libcmt.lib (amdsecgs.obj,chkstk.obj,guard_dispatch.obj)
Microsoft (R) Macro Assembler : masm : 14.15.26706.0 : libvcruntime.lib (handlers.obj,memchr.obj,memcmp.obj,memcpy.obj,memset.obj,notify.obj)
Microsoft (R) Optimizing Compiler : c : 19.15.26706.0 : libcmt.lib (cpu_disp.obj,dyn_tls_dtor.obj,dyn_tls_init.obj,gs_cookie.obj,gs_report.obj,gs_support.obj,guard_support.obj,loadcfg.obj,matherr_detection.obj,pesect.obj,ucrt_detection.obj)
Microsoft (R) Optimizing Compiler : c : 19.15.26706.0 : libcpmt.lib (_tolower.obj,_toupper.obj,cthread.obj,xgetwctype.obj,xmbtowc.obj,xmtx.obj,xnotify.obj,xstol.obj,xstoll.obj,xstoul.obj,xstoull.obj,xstrcoll.obj,xstrxfrm.obj,xtime.obj,xtowlower.obj,xtowupper.obj,xwcscoll.obj,xwcsxfrm.obj,xwctomb.obj)
Microsoft (R) Optimizing Compiler : c : 19.15.26706.0 : libvcruntime.lib (jbcxrval.obj,jmpuwind.obj,strchr.obj,strrchr.obj,strstr.obj,wcschr.obj,wcsrchr.obj)
Microsoft (R) Optimizing Compiler : cxx : 19.15.26706.0 : libcmt.lib (argv_mode.obj,commit_mode.obj,default_local_stdio_options.obj,delete_array.obj,delete_array_size.obj,delete_scalar.obj,delete_scalar_size.obj,denormal_control.obj,ehvecctr.obj,ehvecdtr.obj,env_mode.obj,exe_main.obj,file_mode.obj,gshandler.obj,gshandlereh.obj,gshandlerseh.obj,initializers.obj,initsect.obj,invalid_parameter_handler.obj,matherr.obj,new_array.obj,new_mode.obj,new_scalar.obj,new_scalar_nothrow.obj,std_nothrow.obj,std_type_info_static.obj,thread_locale.obj,thread_safe_statics.obj,throw_bad_alloc.obj,tlssup.obj,tncleanup.obj,utility.obj,utility_desktop.obj)
Microsoft (R) Optimizing Compiler : cxx : 19.15.26706.0 : libconcrt.lib (CacheLocalScheduleGroup.obj,Chores.obj,Context.obj,ContextBase.obj,event.obj,Exceptions.obj,ExecutionResource.obj,ExternalContextBase.obj,FairScheduleGroup.obj,FreeThreadProxy.obj,FreeVirtualProcessorRoot.obj,HillClimbing.obj,InternalContextBase.obj,location.obj,Platform.obj,RealizedChore.obj,ResourceManager.obj,rtlocks.obj,ScheduleGroupBase.obj,SchedulerBase.obj,SchedulerPolicyBase.obj,SchedulerProxy.obj,SchedulingNode.obj,SchedulingRing.obj,SearchAlgorithms.obj,staticinits.obj,SubAllocator.obj,TaskCollection.obj,TaskCollectionBase.obj,ThreadProxy.obj,ThreadProxyFactoryManager.obj,ThreadScheduler.obj,ThreadVirtualProcessor.obj,Trace.obj,Transmogrificator.obj,TransmogrifiedPrimary.obj,UMSBackgroundPoller.obj,UMSFreeThreadProxy.obj,UMSFreeVirtualProcessorRoot.obj,UMSSchedulerProxy.obj,UMSSchedulingContext.obj,UMSThreadInternalContext.obj,UMSThreadProxy.obj,UMSThreadScheduler.obj,UMSThreadVirtualProcessor.obj,UMSWrapper.obj,utils.obj,VirtualProcessor.obj,VirtualProcessorRoot.obj,WinRTWrapper.obj,WorkQueue.obj)
Microsoft (R) Optimizing Compiler : cxx : 19.15.26706.0 : libcpmt.lib (cerr.obj,cond.obj,excptptr.obj,iomanip.obj,ios.obj,iosptrs.obj,locale.obj,locale0.obj,mutex.obj,ppltasks.obj,raisehan.obj,StlCompareStringA.obj,StlCompareStringW.obj,StlLCMapStringA.obj,StlLCMapStringW.obj,syserror.obj,thread0.obj,vector_algorithms.obj,winapinls.obj,winapisupp.obj,wlocale.obj,xdateord.obj,xlocale.obj,xlock.obj,xonce.obj,xthrow.obj)
Microsoft (R) Optimizing Compiler : cxx : 19.15.26706.0 : libvcruntime.lib (ehhelpers.obj,ehstate.obj,frame.obj,initialization.obj,locks.obj,per_thread_data.obj,purevirt.obj,purevirt_data.obj,riscchandler.obj,risctrnsctrl.obj,rtti.obj,std_exception.obj,std_type_info.obj,throw.obj,uncaught_exception.obj,undname.obj,winapi_downlevel.obj)

trace_processor_shell.exe: warning BA2024: 'trace_processor_shell.exe' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.
The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:
libcmt.lib,cxx,19.15.26706.0 (argv_mode.obj,commit_mode.obj,default_local_stdio_options.obj,delete_array.obj,delete_array_size.obj,delete_scalar.obj,delete_scalar_size.obj,denormal_control.obj,ehvecctr.obj,ehvecdtr.obj,env_mode.obj,exe_main.obj,file_mode.obj,fltused.obj,gshandler.obj,gshandlereh.obj,gshandlerseh.obj,initializers.obj,initsect.obj,invalid_parameter_handler.obj,matherr.obj,new_array.obj,new_mode.obj,new_scalar.obj,new_scalar_nothrow.obj,std_nothrow.obj,std_type_info_static.obj,thread_locale.obj,thread_safe_statics.obj,throw_bad_alloc.obj,tlssup.obj,tncleanup.obj,utility.obj,utility_desktop.obj)
libcmt.lib,c,19.15.26706.0 (cpu_disp.obj,dyn_tls_dtor.obj,dyn_tls_init.obj,gs_cookie.obj,gs_report.obj,gs_support.obj,guard_support.obj,loadcfg.obj,matherr_detection.obj,pesect.obj,ucrt_detection.obj)
libcpmt.lib,cxx,19.15.26706.0 (cerr.obj,cond.obj,excptptr.obj,iomanip.obj,ios.obj,iosptrs.obj,locale.obj,locale0.obj,mutex.obj,ppltasks.obj,raisehan.obj,StlCompareStringA.obj,StlCompareStringW.obj,StlLCMapStringA.obj,StlLCMapStringW.obj,syserror.obj,thread0.obj,vector_algorithms.obj,winapinls.obj,winapisupp.obj,wlocale.obj,xdateord.obj,xlocale.obj,xlock.obj,xonce.obj,xthrow.obj)
libcpmt.lib,c,19.15.26706.0 (_tolower.obj,_toupper.obj,cthread.obj,xgetwctype.obj,xmbtowc.obj,xmtx.obj,xnotify.obj,xstol.obj,xstoll.obj,xstoul.obj,xstoull.obj,xstrcoll.obj,xstrxfrm.obj,xtime.obj,xtowlower.obj,xtowupper.obj,xwcscoll.obj,xwcsxfrm.obj,xwctomb.obj)
libconcrt.lib,cxx,19.15.26706.0 (CacheLocalScheduleGroup.obj,Chores.obj,Context.obj,ContextBase.obj,event.obj,Exceptions.obj,ExecutionResource.obj,ExternalContextBase.obj,FairScheduleGroup.obj,FreeThreadProxy.obj,FreeVirtualProcessorRoot.obj,HillClimbing.obj,InternalContextBase.obj,location.obj,Platform.obj,RealizedChore.obj,ResourceManager.obj,rtlocks.obj,ScheduleGroupBase.obj,SchedulerBase.obj,SchedulerPolicyBase.obj,SchedulerProxy.obj,SchedulingNode.obj,SchedulingRing.obj,SearchAlgorithms.obj,staticinits.obj,SubAllocator.obj,TaskCollection.obj,TaskCollectionBase.obj,ThreadProxy.obj,ThreadProxyFactoryManager.obj,ThreadScheduler.obj,ThreadVirtualProcessor.obj,Trace.obj,Transmogrificator.obj,TransmogrifiedPrimary.obj,UMSBackgroundPoller.obj,UMSFreeThreadProxy.obj,UMSFreeVirtualProcessorRoot.obj,UMSSchedulerProxy.obj,UMSSchedulingContext.obj,UMSThreadInternalContext.obj,UMSThreadProxy.obj,UMSThreadScheduler.obj,UMSThreadVirtualProcessor.obj,UMSWrapper.obj,utils.obj,VirtualProcessor.obj,VirtualProcessorRoot.obj,WinRTWrapper.obj,WorkQueue.obj)
libvcruntime.lib,cxx,19.15.26706.0 (ehhelpers.obj,ehstate.obj,frame.obj,initialization.obj,locks.obj,per_thread_data.obj,purevirt.obj,purevirt_data.obj,riscchandler.obj,risctrnsctrl.obj,rtti.obj,std_exception.obj,std_type_info.obj,throw.obj,uncaught_exception.obj,undname.obj,winapi_downlevel.obj)
libvcruntime.lib,c,19.15.26706.0 (jbcxrval.obj,jmpuwind.obj,strchr.obj,strrchr.obj,strstr.obj,wcschr.obj,wcsrchr.obj)

trace_processor_shell.exe: warning BA2025: 'trace_processor_shell.exe' does not enable the Control-flow Enforcement Technology (CET) Shadow Stack mitigation. To resolve this issue, pass /CETCOMPAT on the linker command lines.

@LalitMaganti
Copy link
Collaborator

Thanks for filing, 2 and 3 make sense but I'm a bit confused by 1: wasn't this implemented already in 2a4f01d?

@ivberg
Copy link
Author

ivberg commented Jun 10, 2024

I agree. I am confused by (1) as well since 2a4f01d code looks like it does add "/ZH:SHA_256". My best guess is some sub-lib compiled into the .exe didn't have that on or something like that??

@LalitMaganti
Copy link
Collaborator

That would be very strange, we build all our deps from source and I'm pretty sure that the command lines you see there are used for all of our deps as well (unless there's some special dep I'm not thinking about).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants