Build on Windows should compile additional security flags #816
Comments
|
Please hold - this may be outdated. I forgot the full history here including some manual steps, and I think this is from the v38 version. #635 was fixed AFTER v38. Testing if v45 resolves the errors |
|
Ok - indeed Perfetto v45 fixes the error. I am leaving the new scan howto and warnings here in case someone wants to fix (optional). Using https://github.com/google/perfetto/releases/download/v45.0/windows-amd64.zip unzipped to say Downloads\windows-amd64\windows-amd64 cd microsoft.codeanalysis.binskim.1.9.5\tools\netcoreapp3.1\win-x64
trace_processor_shell.exe: warning BA2004: 'trace_processor_shell.exe' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy: trace_processor_shell.exe: warning BA2024: 'trace_processor_shell.exe' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request. trace_processor_shell.exe: warning BA2025: 'trace_processor_shell.exe' does not enable the Control-flow Enforcement Technology (CET) Shadow Stack mitigation. To resolve this issue, pass /CETCOMPAT on the linker command lines. |
|
Thanks for filing, 2 and 3 make sense but I'm a bit confused by 1: wasn't this implemented already in 2a4f01d? |
|
I agree. I am confused by (1) as well since 2a4f01d code looks like it does add "/ZH:SHA_256". My best guess is some sub-lib compiled into the .exe didn't have that on or something like that?? |
|
That would be very strange, we build all our deps from source and I'm pretty sure that the command lines you see there are used for all of our deps as well (unless there's some special dep I'm not thinking about). |
This is related to similar errors using trace_processor_shell.exe under constrained security environment #635
Similar compiler flags are recommended to be used.
So we were looking to use trace_processor_shell.exe at Microsoft but the binary failed a set of security checks from binskim. These compile flags would be needed to use the binary.
Optional to fix (warning)
##[warning]1. BinSkim Warning BA2024 - File: file:///D:/a/_work/_temp/Microsoft.Performance.Toolkit.Plugins.PerfettoPlugin-1.5.5.ptix/plugin/trace_processor_shell.exe.
Signature: bb153f488d6c6f10d936daa45314e203f796b8a444582e5b04226f08aec44667
Tool: BinSkim: Rule: BA2024 (EnableSpectreMitigations). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2024EnableSpectreMitigations
'trace_processor_shell.exe' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.
The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:
libcmt.lib,cxx,19.36.32533.0 (argv_mode.obj,commit_mode.obj,default_local_stdio_options.obj,delete_array.obj,delete_scalar.obj,delete_scalar_size.obj,denormal_control.obj,env_mode.obj,exe_main.obj,file_mode.obj,fltused.obj,gshandler.obj,gshandlereh.obj,gshandlereh4.obj,gshandlerseh.obj,initializers.obj,initsect.obj,invalid_parameter_handler.obj,matherr.obj,new_array.obj,new_mode.obj,new_scalar.obj,new_scalar_nothrow.obj,std_nothrow.obj,std_type_info_static.obj,thread_locale.obj,thread_safe_statics.obj,throw_bad_alloc.obj,tlsdyn.obj,tlssup.obj,tncleanup.obj,utility.obj,utility_desktop.obj)
libcmt.lib,c,19.36.32533.0 (cpu_disp.obj,dyn_tls_dtor.obj,dyn_tls_init.obj,gs_cookie.obj,gs_report.obj,gs_support.obj,guard_support.obj,loadcfg.obj,matherr_detection.obj,pesect.obj,ucrt_detection.obj)
libcpmt.lib,cxx,19.36.32533.0 (_tolower.obj,_toupper.obj,asan_noop.obj,cerr.obj,cond.obj,cthread.obj,iomanip.obj,ios.obj,iosptrs.obj,locale.obj,locale0.obj,mutex.obj,raisehan.obj,StlCompareStringA.obj,StlCompareStringW.obj,StlLCMapStringA.obj,StlLCMapStringW.obj,syserror.obj,syserror_import_lib.obj,thread0.obj,vector_algorithms.obj,winapisupp.obj,wlocale.obj,xdateord.obj,xgetwctype.obj,xlocale.obj,xlock.obj,xmbtowc.obj,xmtx.obj,xnotify.obj,xonce2.obj,xstol.obj,xstoll.obj,xstoul.obj,xstoull.obj,xstrcoll.obj,xstrxfrm.obj,xthrow.obj,xtime.obj,xtowlower.obj,xtowupper.obj,xwcscoll.obj,xwcsxfrm.obj,xwctomb.obj)
libvcruntime.lib,cxx,19.36.32533.0 (chandler_noexcept.obj,ehhelpers.obj,ehstate.obj,frame.obj,initialization.obj,locks.obj,per_thread_data.obj,purevirt.obj,purevirt_data.obj,riscchandler.obj,risctrnsctrl.obj,softmemtag.obj,std_exception.obj,std_type_info.obj,throw.obj,undname.obj,winapi_downlevel.obj)
libvcruntime.lib,c,19.36.32533.0 (jbcxrval.obj,jmpuwind.obj,strchr.obj,strrchr.obj,strstr.obj,wcschr.obj,wcsrchr.obj)
Optional to fix (warning)
BinSkim Note BA2025 - File: file:///D:/a/_work/_temp/Microsoft.Performance.Toolkit.Plugins.PerfettoPlugin-1.5.5.ptix/plugin/trace_processor_shell.exe.
Signature: 8984a9935d3a4a9192e6f2ebeec7d34a11009823593c8341a1c53d20cc46eb9d
Tool: BinSkim: Rule: BA2025 (EnableShadowStack). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2025EnableShadowStack
'trace_processor_shell.exe' does not enable the Control-flow Enforcement Technology (CET) Shadow Stack mitigation. To resolve this issue, pass /CETCOMPAT on the linker command lines.
##[error]
3. Should fix
BinSkim Error BA2008 - File: file:///D:/a/_work/_temp/Microsoft.Performance.Toolkit.Plugins.PerfettoPlugin-1.5.6.ptix/plugin/trace_processor_shell.exe.
Signature: 1f235194c05841f2e4c479175283e6a8cfa2d94cda552a735cd9a19bf4cb9cd3
Tool: BinSkim: Rule: BA2008 (EnableControlFlowGuard). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2008EnableControlFlowGuard
'trace_processor_shell.exe' does not enable the control flow guard (CFG) mitigation. To resolve this issue, pass /guard:cf on both the compiler and linker command lines. Binaries also require the /DYNAMICBASE linker option in order to enable CFG.
The text was updated successfully, but these errors were encountered: