
[RULE REQUEST] Enforce CET shadow stack compatibility #277

Open
michaelcfanning opened this issue Apr 26, 2020 · 1 comment · Fixed by #376

Comments

@michaelcfanning (Member) commented Apr 26, 2020

Rule Proposal: Enforce CET shadow stack compatibility to defend against return-oriented programming (ROP) based malware attacks.

Rule metadata

  • Id: BA2025
  • Name: EnableControlEnforcementTechnologyShadowStack
  • Failure level: Warning

Rule descriptions

  • Short: TBD
  • Full: TBD

Platform & applicability

  • Platform: Windows
  • Applicable to: native with PDBs (required for this analysis)
  • Not applicable to: *nix binaries

User-facing strings

  • Fail: '{0}' does not enable the Control-flow Enforcement Technology (CET) Shadow Stack mitigation. To resolve this issue, pass /CETCOMPAT on the linker command line.
  • Pass: '{0}' enables the Control-flow Enforcement Technology (CET) Shadow Stack mitigation.

Links/Additional Information

Notes on implementation

  • Linker option is only available starting in Visual Studio 2019 version 16.7. Rule should therefore examine the linker version details to ensure the toolchain that compiled the binary supports the flag. If the toolchain is too old, the rule CanAnalyze should return MetadataConditions.ImageCompiledWithOutdatedTools. BA2008.EnableControlFlowGuard has an example of this pattern.
  • It is occasionally helpful to provide a rule property that controls the version parameterization (this is mostly helpful to overcome issues in toolchain versioning). It's not clear this rule requires this kind of configurability. BA2008.EnableControlFlowGuard has an example of providing a knob for minimal linker version that can be used as a model, however.
  • User-facing output should summarize key details from the /CETCOMPAT linker option description and additional security mitigation guidance.
  • Rule metadata should capture relevant expanded information and links to external guidance.
  • Note that this PE bit is ignored in cases where the feature is unsupported by Windows or the runtime hardware. This mitigation is an opt-in Windows feature, allowing some flexibility in requiring compilation with /CETCOMPAT (allowing app developers to opt into actual usage).

How to resolve

/CETCOMPAT
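The check the proposal describes, written out as an added example; this is illustrative code, not the project's own rule implementation. The linker records /CETCOMPAT as a debug-directory entry of type IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS (20) whose 4-byte payload carries IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT (0x1). The script builds a constructed, minimal PE32+ fixture (not a loadable executable), walks DOS header, optional header, data directory 6 and the section table to that entry, and applies the gating the notes above call for: an image from a linker older than the threshold is reported as compiled with outdated tools instead of failing the rule. The threshold of linker 14.27 for VS 2019 16.7 is an assumption here, and the `build_pe`, `inspect` and `evaluate_ba2025` names are this example's own.

```python
import struct

# Constants from winnt.h.
IMAGE_DIRECTORY_ENTRY_DEBUG = 6
IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS = 20
IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT = 0x0001
# Assumption: VS 2019 16.7 corresponds to linker 14.27. A real rule should expose this
# as a configurable knob, as the proposal notes for BA2008.
MIN_LINKER_VERSION = (14, 27)


def build_pe(linker=(14, 29), ex_flags=None):
    """Constructed fixture: a minimal PE32+ image (not loadable) with one section that
    holds a single debug-directory entry. ex_flags=None emits a CodeView (type 2) entry
    instead, mimicking an image that carries no extended DLL characteristics at all."""
    sec_va, sec_raw = 0x1000, 0x200
    if ex_flags is None:
        entry, payload = struct.pack("<IIHHIIII", 0, 0, 0, 0, 2, 0, 0, 0), b""
    else:
        # IMAGE_DEBUG_DIRECTORY: Characteristics, TimeDateStamp, Major, Minor, Type,
        # SizeOfData, AddressOfRawData (RVA), PointerToRawData (file offset).
        entry = struct.pack("<IIHHIIII", 0, 0, 0, 0, IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS,
                            4, sec_va + 28, sec_raw + 28)
        payload = struct.pack("<I", ex_flags)
    section = entry + payload
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                 # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)    # x64, one section
    # Optional header: Magic, MajorLinkerVersion, MinorLinkerVersion, ..., NumberOfRvaAndSizes
    opt = struct.pack("<HBB", 0x20B, *linker) + b"\0" * 104 + struct.pack("<I", 16)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_DEBUG] = (sec_va, len(entry))
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".rdata", len(section), sec_va, 0x200, sec_raw,
                       0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + opt + sect
    return headers.ljust(sec_raw, b"\0") + section.ljust(0x200, b"\0")


def _u16(b, o): return struct.unpack_from("<H", b, o)[0]
def _u32(b, o): return struct.unpack_from("<I", b, o)[0]


def rva_to_offset(sections, rva):
    for vsize, va, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def inspect(pe):
    """Return (linker_version, cet_compat). cet_compat is True/False when an
    EX_DLLCHARACTERISTICS entry exists and None when the image has no such entry."""
    e_lfanew = _u32(pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsections, opt_size = _u16(pe, coff + 2), _u16(pe, coff + 16)
    opt = coff + 20
    linker = (pe[opt + 2], pe[opt + 3])
    dd_base = opt + (112 if _u16(pe, opt) == 0x20B else 96)   # PE32+ vs PE32 layout
    dbg_rva, dbg_size = struct.unpack_from("<II", pe, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG)
    sect_tbl = opt + opt_size
    sections = [struct.unpack_from("<IIII", pe, sect_tbl + 40 * i + 8) for i in range(nsections)]
    cet = None
    if dbg_size:
        off = rva_to_offset(sections, dbg_rva)
        for i in range(dbg_size // 28):
            typ, size, rva, raw_ptr = struct.unpack_from("<IIII", pe, off + 28 * i + 12)
            if typ == IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS and size >= 4:
                data = raw_ptr or rva_to_offset(sections, rva)
                cet = bool(_u32(pe, data) & IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT)
    return linker, cet


def evaluate_ba2025(pe, name="image.exe"):
    """Apply the proposed rule: gate on toolchain age first, then pass/fail on the bit."""
    linker, cet = inspect(pe)
    if linker < MIN_LINKER_VERSION:
        return ("NotApplicable", f"'{name}' was linked with {linker[0]}.{linker[1]}, which "
                "predates /CETCOMPAT support (ImageCompiledWithOutdatedTools).")
    if cet:
        return ("Pass", f"'{name}' enables the Control-flow Enforcement Technology (CET) "
                "Shadow Stack mitigation.")
    return ("Fail", f"'{name}' does not enable the Control-flow Enforcement Technology (CET) "
            "Shadow Stack mitigation. To resolve this issue, pass /CETCOMPAT on the linker command line.")


if __name__ == "__main__":
    for label, image in [("cetcompat", build_pe(ex_flags=1)), ("bit clear", build_pe(ex_flags=0)),
                         ("no entry", build_pe()), ("old linker", build_pe(linker=(14, 20), ex_flags=1))]:
        print(f"{label:>10}: {evaluate_ba2025(image)}")
```

An image with no extended-characteristics entry at all is treated the same as one with the bit clear once the linker is new enough, since a /CETCOMPAT build always emits the entry; the old-toolchain case is reported separately so that the rule does not nag about a flag the linker could not have set. On a real binary, `dumpbin /headers` should list the same entry under Debug Directories, where the flag shows up as CET compatible.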

@eddynaka eddynaka changed the title Windows PE rule proposal: enforce CET shadow stack compatibility [RULE REQUEST] Enforce CET shadow stack compatibility Apr 26, 2021
@michaelcfanning (Member, Author) commented:

Need to fill out docs, etc.
