FEATURE: Add BA3031.EnableClangSafeStack #663
Conversation
| @@ -951,7 +951,7 @@ | |||
| }, | |||
| { | |||
| "id": "BA2026", | |||
| "name": "EnableAdditionalSdlSecurityChecks", | |||
| "name": "EnableMicrosoftCompilerSdlSwitch", | |||
There was a problem hiding this comment.
Nice. Thanks for fixing this.
| @@ -1416,6 +1416,24 @@ public void BA3030_UseCheckedFunctionsWithGCC_NotApplicable() | |||
| this.VerifyApplicability(new UseCheckedFunctionsWithGcc(), new HashSet<string>()); | |||
| } | |||
|
|
|||
| [Fact] | |||
| public void BA3031_EnableSafeStackWithClang_Pass() | |||
There was a problem hiding this comment.
Awesome, do we have build script examples to include for these?
docs/FunctionalTestBuildScripts.md
Outdated
| @@ -4,6 +4,52 @@ This file records scripts used to compile the test files, in alphabetical order. | |||
| Base scenario is a simple hello world program built with different parameters for testing purpose. | |||
| Test files are located in [BaselineTestData](https://github.com/microsoft/binskim/tree/main/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData) and [FunctionalTestData](https://github.com/microsoft/binskim/tree/main/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData). | |||
|
|
|||
| ## ARM64_CETShadowStack_NotApplicable.exe | |||
There was a problem hiding this comment.
this is just a re-order alphabetically #Closed
| A simple C++ hellow world program, cross compiled using CMake with the `cl.exe` compiler and `Ninja` generator. | ||
| `CMakePresets.json` should be configured with a `configurePresets` as below: | ||
|
|
||
| ```json |
docs/BinSkimRules.md
Outdated
| @@ -226,6 +226,28 @@ No checked functions are present/used when compiling '{0}', and it was compiled | |||
|
|
|||
| --- | |||
|
|
|||
| ## Rule `BA3031.EnableSafeStackWithClang` | |||
src/BinSkim.Rules/RuleIds.cs
Outdated
| @@ -61,6 +61,7 @@ internal static class RuleIds | |||
| // BA3012-3029 -- saved for future non-compiler/language specific checks. | |||
| // Compiler/Language specific checks follow. | |||
| public const string UseCheckedFunctionsWithGcc = "BA3030"; | |||
|
|
||
| if (elf.Type == FileType.Core || elf.Type == FileType.None || elf.Type == FileType.Relocatable) | ||
| { | ||
| reasonForNotAnalyzing = MetadataConditions.ElfIsCoreNoneOrObject; |
There was a problem hiding this comment.
fixed to ElfIsCoreNoneOrRelocatable
|
|
||
| if (!target.Compilers.Any(c => c.Compiler == ElfCompilerType.Clang && c.Version.Major >= 7)) | ||
| { | ||
| reasonForNotAnalyzing = MetadataConditions.ElfNotBuiltWithClangV7OrLater; |
There was a problem hiding this comment.
the comment is replaced by later discussions to fire a special error that says you should enable SafeStack, you might need to update your version of Clang to do this.
| IEnumerable<ISymbolEntry> symbols = | ||
| ElfUtility.GetAllSymbols(elf).Where(sym => sym.Type == SymbolType.File); | ||
|
|
||
| if (symbols.Any(s => symbolSafeStack.Contains(s.Name))) |
There was a problem hiding this comment.
Foreach over the symbols, to avoid a 2x traversal in the pathological case. Fire a pass result and exit if you meet the first condition. Otherwise fall out and fire the error result. #Resolved
There was a problem hiding this comment.
Changed to not use Linq and just use foreach.
(It may not result in 2x traversal though)
| { | ||
| reasonForNotAnalyzing = MetadataConditions.ElfNotBuiltWithClangV7OrLater; | ||
| return AnalysisApplicability.NotApplicableToSpecifiedTarget; | ||
| } |
There was a problem hiding this comment.
Remove this. #Resolved
There was a problem hiding this comment.
Removed the version check only, we still need to Clang check, if people just use Gcc we will skip this image as NotApplicable.
| nameof(RuleResources.BA3031_Pass), | ||
| context.TargetUri.GetFileName())); | ||
| } | ||
| else |
There was a problem hiding this comment.
There was a problem hiding this comment.
agree with this approach, fixed.
shaopeng-gh
changed the title
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| foreach (ISymbolEntry symbol in symbols) | ||
| { | ||
| if (symbol.Type == SymbolType.File && symbolSafeStack.Contains(symbol.Name)) | ||
| { | ||
| context.Logger.Log(this, | ||
| RuleUtilities.BuildResult(ResultKind.Pass, context, null, | ||
| nameof(RuleResources.BA3031_Pass), | ||
| context.TargetUri.GetFileName())); | ||
| return; | ||
| } | ||
| } |
Check notice
Code scanning / CodeQL
Missed opportunity to use Where
| @@ -1,133 +0,0 @@ | |||
| { | |||
There was a problem hiding this comment.
this is just to remove not needed checked in temp file.
This new rule applies to Clang only since GCC does not support it.
More info:
https://clang.llvm.org/docs/SafeStack.html
#634
Also fixed: