Fix Binskim warnings #8026

Closed
19 tasks done
Tracked by #8018
AdamYoblick opened this issue Oct 10, 2024 · 1 comment
Labels: needs investigation (Could be an issue - needs investigation)

Comments

@AdamYoblick
Member

AdamYoblick commented Oct 10, 2024

From https://devdiv.visualstudio.com/DevDiv/_build/results?buildId=10364240&view=logs&j=f76d17c2-cc39-53e2-73c4-6a088ce9243c&t=44d70ddb-337c-5f28-f138-528c7e2b8c7c&l=85

The warnings are as follows:

  • 1. BinSkim Note BA2025 - File: file:///D:/a/_work/1/b/raw/binaries/Microsoft.PythonTools.Debugger.Helper.x64.dll.
    Signature: 6d9449ed46c5f9c4fe704a22af8a8f7509cfdd497b3987260051126206496dd0
    Tool: BinSkim: Rule: BA2025 (EnableShadowStack). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2025EnableShadowStack
    'Microsoft.PythonTools.Debugger.Helper.x64.dll' does not enable the Control-flow Enforcement Technology (CET) Shadow Stack mitigation. To resolve this issue, pass /CETCOMPAT on the linker command lines.
  • 2. BinSkim Note BA2026 - File: file:///D:/a/_work/1/b/raw/binaries/Microsoft.PythonTools.Debugger.Helper.x64.dll.
    Signature: 5dd1d3c7391f9854e967e1d7b2efc7a49c19e54a27e29beb878f65c85933b7fc
    Tool: BinSkim: Rule: BA2026 (EnableMicrosoftCompilerSdlSwitch). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2026EnableMicrosoftCompilerSdlSwitch
    'Microsoft.PythonTools.Debugger.Helper.x64.dll' is a Windows PE that wasn't compiled with recommended Security Development Lifecycle (SDL) checks. As a result some critical compile-time and runtime checks may be disabled, increasing the possibility of an exploitable runtime issue. To resolve this problem, pass '/sdl' on the cl.exe command-line, set the 'SDL checks' property in the 'C/C++ -> General' Configuration property page, or explicitly set the 'SDLCheck' property in the project file (nested within a 'CLCompile' element) to 'true'.
  • 3. BinSkim Note BA2025 - File: file:///D:/a/_work/1/b/raw/binaries/Microsoft.PythonTools.Debugger.Helper.x86.dll.
    Signature: 6d28ffeb789847669cf25735a2cef0a703592c66fe7f83207e16cf9c313594d4
    Tool: BinSkim: Rule: BA2025 (EnableShadowStack). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2025EnableShadowStack
    'Microsoft.PythonTools.Debugger.Helper.x86.dll' does not enable the Control-flow Enforcement Technology (CET) Shadow Stack mitigation. To resolve this issue, pass /CETCOMPAT on the linker command lines.
  • 4. BinSkim Note BA2026 - File: file:///D:/a/_work/1/b/raw/binaries/Microsoft.PythonTools.Debugger.Helper.x86.dll.
    Signature: 506626234b1d844955e428b80e0b75c6b8e214334ee4395d473653e6b8fde24e
    Tool: BinSkim: Rule: BA2026 (EnableMicrosoftCompilerSdlSwitch). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2026EnableMicrosoftCompilerSdlSwitch
    'Microsoft.PythonTools.Debugger.Helper.x86.dll' is a Windows PE that wasn't compiled with recommended Security Development Lifecycle (SDL) checks. As a result some critical compile-time and runtime checks may be disabled, increasing the possibility of an exploitable runtime issue. To resolve this problem, pass '/sdl' on the cl.exe command-line, set the 'SDL checks' property in the 'C/C++ -> General' Configuration property page, or explicitly set the 'SDLCheck' property in the project file (nested within a 'CLCompile' element) to 'true'.
  • 5. BinSkim Note BA2025 - File: file:///D:/a/_work/1/b/raw/binaries/PyDebugAttach.dll.
    Signature: c9948eb22ab285b7b440652237f969befe34d75bf41aa1f092f6f393778564c9
    Tool: BinSkim: Rule: BA2025 (EnableShadowStack). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2025EnableShadowStack
    'PyDebugAttach.dll' does not enable the Control-flow Enforcement Technology (CET) Shadow Stack mitigation. To resolve this issue, pass /CETCOMPAT on the linker command lines.
  • 6. BinSkim Note BA2026 - File: file:///D:/a/_work/1/b/raw/binaries/PyDebugAttach.dll.
    Signature: 636c253a6ea6daf241000a8ad8d4a2f5799125e6f31707624917a5f3e7d84ea4
    Tool: BinSkim: Rule: BA2026 (EnableMicrosoftCompilerSdlSwitch). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2026EnableMicrosoftCompilerSdlSwitch
    'PyDebugAttach.dll' is a Windows PE that wasn't compiled with recommended Security Development Lifecycle (SDL) checks. As a result some critical compile-time and runtime checks may be disabled, increasing the possibility of an exploitable runtime issue. To resolve this problem, pass '/sdl' on the cl.exe command-line, set the 'SDL checks' property in the 'C/C++ -> General' Configuration property page, or explicitly set the 'SDLCheck' property in the project file (nested within a 'CLCompile' element) to 'true'.
  • 7. BinSkim Warning BA2024 - File: file:///D:/a/_work/1/b/raw/binaries/PyDebugAttachX86.dll.
    Signature: 5e46dcfad9e20e164b2e5b507d09e2a03611421845414709d14754812f2dc46b
    Tool: BinSkim: Rule: BA2024 (EnableSpectreMitigations). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2024EnableSpectreMitigations
    'PyDebugAttachX86.dll' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.
    The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:
    dllmain.obj,cxx,19.39.33523.0 (dllmain.obj)
    stdafx.obj,cxx,19.39.33523.0 (stdafx.obj)
    PyDebugAttach.obj,cxx,19.39.33523.0 (PyDebugAttach.obj)
    libcpmt.lib,cxx,19.39.33218.0 (_tolower.obj,_toupper.obj,asan_noop.obj,fiopen.obj,ios.obj,iosptrs.obj,locale.obj,locale0.obj,StlCompareStringA.obj,StlCompareStringW.obj,StlLCMapStringA.obj,StlLCMapStringW.obj,syserror.obj,syserror_import_lib.obj,vector_algorithms.obj,wlocale.obj,xdateord.obj,xgetwctype.obj,xlocale.obj,xlock.obj,xmbtowc.obj,xmtx.obj,xstol.obj,xstoll.obj,xstoul.obj,xstoull.obj,xstrcoll.obj,xstrxfrm.obj,xthrow.obj,xtowlower.obj,xtowupper.obj,xwcscoll.obj,xwcsxfrm.obj,xwctomb.obj)
    LIBCMT.lib,c,19.39.33218.0 (checkcfg.obj,cpu_disp.obj,dyn_tls_init.obj,ehprolg3.obj,gs_cookie.obj,gs_report.obj,gs_support.obj,guard_support.obj,loadcfg.obj,pesect.obj,secchk.obj,ucrt_detection.obj)
    LIBCMT.lib,cxx,19.39.33218.0 (argv_mode.obj,chandler4_noexcept.obj,default_local_stdio_options.obj,default_precision.obj,delete_array.obj,delete_scalar.obj,delete_scalar_size.obj,dll_dllmain.obj,fltused.obj,initializers.obj,initsect.obj,new_array.obj,new_scalar.obj,std_type_info_static.obj,throw_bad_alloc.obj,tncleanup.obj,utility.obj,utility_desktop.obj,x86_exception_filter.obj)
    libvcruntime.lib,c,19.39.33218.0 (chandler4.obj,jbcxrval.obj,memcmp.obj,wcschr.obj)
    libvcruntime.lib,cxx,19.39.33218.0 (ehhelpers.obj,ehstate.obj,frame.obj,initialization.obj,locks.obj,per_thread_data.obj,purevirt.obj,purevirt_data.obj,std_exception.obj,std_type_info.obj,throw.obj,trnsctrl.obj,undname.obj,unexpected.obj,winapi_downlevel.obj)
  • 8. BinSkim Note BA2025 - File: file:///D:/a/_work/1/b/raw/binaries/PyDebugAttachX86.dll.
    Signature: eee36eb53076daa485168a9cce06cddc851915468ed86d7e37547e475a80a23e
    Tool: BinSkim: Rule: BA2025 (EnableShadowStack). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2025EnableShadowStack
    'PyDebugAttachX86.dll' does not enable the Control-flow Enforcement Technology (CET) Shadow Stack mitigation. To resolve this issue, pass /CETCOMPAT on the linker command lines.
  • 9. BinSkim Note BA2026 - File: file:///D:/a/_work/1/b/raw/binaries/PyDebugAttachX86.dll.
    Signature: e86c2a4de2c8dffbae57c794c867c39e35d393e46e79b1880c9b58712bf972e3
    Tool: BinSkim: Rule: BA2026 (EnableMicrosoftCompilerSdlSwitch). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2026EnableMicrosoftCompilerSdlSwitch
    'PyDebugAttachX86.dll' is a Windows PE that wasn't compiled with recommended Security Development Lifecycle (SDL) checks. As a result some critical compile-time and runtime checks may be disabled, increasing the possibility of an exploitable runtime issue. To resolve this problem, pass '/sdl' on the cl.exe command-line, set the 'SDL checks' property in the 'C/C++ -> General' Configuration property page, or explicitly set the 'SDLCheck' property in the project file (nested within a 'CLCompile' element) to 'true'.
  • 10. BinSkim Note BA2025 - File: file:///D:/a/_work/1/b/raw/binaries/VsPyProf.dll.
    Signature: 687d27deeee914ec5ef12161017126d6ea7afd775cb53fba1adc7de08c99b4ef
    Tool: BinSkim: Rule: BA2025 (EnableShadowStack). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2025EnableShadowStack
    'VsPyProf.dll' does not enable the Control-flow Enforcement Technology (CET) Shadow Stack mitigation. To resolve this issue, pass /CETCOMPAT on the linker command lines.
  • 11. BinSkim Note BA2026 - File: file:///D:/a/_work/1/b/raw/binaries/VsPyProf.dll.
    Signature: 5791dc6a871faef1a6117a1d06fc0f50907563e67c0632109eb5374330eb2ff0
    Tool: BinSkim: Rule: BA2026 (EnableMicrosoftCompilerSdlSwitch). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2026EnableMicrosoftCompilerSdlSwitch
    'VsPyProf.dll' is a Windows PE that wasn't compiled with recommended Security Development Lifecycle (SDL) checks. As a result some critical compile-time and runtime checks may be disabled, increasing the possibility of an exploitable runtime issue. To resolve this problem, pass '/sdl' on the cl.exe command-line, set the 'SDL checks' property in the 'C/C++ -> General' Configuration property page, or explicitly set the 'SDLCheck' property in the project file (nested within a 'CLCompile' element) to 'true'.
  • 12. BinSkim Note BA2025 - File: file:///D:/a/_work/1/b/raw/binaries/VsPyProfX86.dll.
    Signature: d57cd0d633dcbfdc664772ee0f91ccb74154829c02994ab43f0d699515b6e242
    Tool: BinSkim: Rule: BA2025 (EnableShadowStack). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2025EnableShadowStack
    'VsPyProfX86.dll' does not enable the Control-flow Enforcement Technology (CET) Shadow Stack mitigation. To resolve this issue, pass /CETCOMPAT on the linker command lines.
  • 13. BinSkim Note BA2026 - File: file:///D:/a/_work/1/b/raw/binaries/VsPyProfX86.dll.
    Signature: 31abfbe4d94d3e281eeb4df595c48f2d9566339448882a260d8c168c96de3da7
    Tool: BinSkim: Rule: BA2026 (EnableMicrosoftCompilerSdlSwitch). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2026EnableMicrosoftCompilerSdlSwitch
    'VsPyProfX86.dll' is a Windows PE that wasn't compiled with recommended Security Development Lifecycle (SDL) checks. As a result some critical compile-time and runtime checks may be disabled, increasing the possibility of an exploitable runtime issue. To resolve this problem, pass '/sdl' on the cl.exe command-line, set the 'SDL checks' property in the 'C/C++ -> General' Configuration property page, or explicitly set the 'SDLCheck' property in the project file (nested within a 'CLCompile' element) to 'true'.
  • 14. BinSkim Note BA2025 - File: file:///D:/a/_work/1/b/raw/binaries/debugpy/_vendored/pydevd/pydevd_attach_to_process/attach_amd64.dll.
    Signature: a31667c6636a90e78360117f7d053a1ea44c1bbb91ee2ff6603c573de74f6731
    Tool: BinSkim: Rule: BA2025 (EnableShadowStack). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2025EnableShadowStack
    'attach_amd64.dll' does not enable the Control-flow Enforcement Technology (CET) Shadow Stack mitigation. To resolve this issue, pass /CETCOMPAT on the linker command lines.
  • 15. BinSkim Note BA2025 - File: file:///D:/a/_work/1/b/raw/binaries/debugpy/_vendored/pydevd/pydevd_attach_to_process/attach_x86.dll.
    Signature: a538457a973a4c9279ebf3231df1f144f947d013ef92bef81b8fa23c8d5313c1
    Tool: BinSkim: Rule: BA2025 (EnableShadowStack). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2025EnableShadowStack
    'attach_x86.dll' does not enable the Control-flow Enforcement Technology (CET) Shadow Stack mitigation. To resolve this issue, pass /CETCOMPAT on the linker command lines.
  • 16. BinSkim Note BA2025 - File: file:///D:/a/_work/1/b/raw/binaries/debugpy/_vendored/pydevd/pydevd_attach_to_process/inject_dll_amd64.exe.
    Signature: c1f1edd6ec4abc29d96116f7a72c9fc2342ec72fc17f7a3e8b3651e322e2d074
    Tool: BinSkim: Rule: BA2025 (EnableShadowStack). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2025EnableShadowStack
    'inject_dll_amd64.exe' does not enable the Control-flow Enforcement Technology (CET) Shadow Stack mitigation. To resolve this issue, pass /CETCOMPAT on the linker command lines.
  • 17. BinSkim Note BA2025 - File: file:///D:/a/_work/1/b/raw/binaries/debugpy/_vendored/pydevd/pydevd_attach_to_process/inject_dll_x86.exe.
    Signature: 9de5dac9d48f50e39f8de8dc5e3dde275eebf597da8f82730a9cf2774ac15a12
    Tool: BinSkim: Rule: BA2025 (EnableShadowStack). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2025EnableShadowStack
    'inject_dll_x86.exe' does not enable the Control-flow Enforcement Technology (CET) Shadow Stack mitigation. To resolve this issue, pass /CETCOMPAT on the linker command lines.
  • 18. BinSkim Note BA2025 - File: file:///D:/a/_work/1/b/raw/binaries/debugpy/_vendored/pydevd/pydevd_attach_to_process/run_code_on_dllmain_amd64.dll.
    Signature: 1bd5f7f7d7654f077020c7c429797c1d6ce245c44cb176b5cc5152f88ca02cac
    Tool: BinSkim: Rule: BA2025 (EnableShadowStack). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2025EnableShadowStack
    'run_code_on_dllmain_amd64.dll' does not enable the Control-flow Enforcement Technology (CET) Shadow Stack mitigation. To resolve this issue, pass /CETCOMPAT on the linker command lines.
  • 19. BinSkim Note BA2025 - File: file:///D:/a/_work/1/b/raw/binaries/debugpy/_vendored/pydevd/pydevd_attach_to_process/run_code_on_dllmain_x86.dll.
    Signature: 0beaadeacead52342166c198c5b27194169be2633acf72d6f516cbd2e6f42717
    Tool: BinSkim: Rule: BA2025 (EnableShadowStack). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2025EnableShadowStack
    'run_code_on_dllmain_x86.dll' does not enable the Control-flow Enforcement Technology (CET) Shadow Stack mitigation. To resolve this issue, pass /CETCOMPAT on the linker command lines.
@AdamYoblick AdamYoblick changed the title Binskim warnings Fix Binskim warnings Oct 10, 2024
@AdamYoblick AdamYoblick added needs investigation Could be an issue - needs investigation and removed needs repro labels Oct 10, 2024
@AdamYoblick
Member Author

For numbers 14-19 above, these binaries come from debugpy. I will move them to the debugpy compliance task since they have to happen there.
