{
"$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.6.json",
"version": "2.1.0",
"runs": [
{
"results": [
{
"ruleId": "BA2001",
"ruleIndex": 0,
"kind": "pass",
"level": "none",
"message": {
"id": "Pass",
"arguments": [
"MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll"
]
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll",
"index": 0
}
}
}
]
},
{
"ruleId": "BA2002",
"ruleIndex": 1,
"kind": "pass",
"level": "none",
"message": {
"id": "Pass",
"arguments": [
"MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll"
]
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll",
"index": 0
}
}
}
]
},
{
"ruleId": "BA2004",
"ruleIndex": 2,
"message": {
"id": "Warning_NativeWithInsecureStaticLibraryCompilands",
"arguments": [
"MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll",
"Microsoft (R) Macro Assembler : masm : 14.29.30034.2 : MSVCRTD.lib [MD5] (amdsecgs.obj,guard_dispatch.obj,guard_xfg_dispatch.obj)\r\nMicrosoft (R) Optimizing Compiler : c : 19.29.30034.2 : MSVCRTD.lib [MD5] (cpu_disp.obj,dyn_tls_init.obj,gs_cookie.obj,gs_report.obj,gs_support.obj,guard_support.obj,loadcfg.obj,ucrt_detection.obj)\r\nMicrosoft (R) Optimizing Compiler : cxx : 19.29.30034.2 : MSVCMRTD.LIB [MD5] (managdeh.obj,msilexit.obj,mstartup.obj,pureMSILcode.obj)\r\nMicrosoft (R) Optimizing Compiler : cxx : 19.29.30034.2 : MSVCRTD.lib [MD5] (argv_mode.obj,default_local_stdio_options.obj,dll_dllmain.obj,dll_dllmain_stub.obj,gshandler.obj,initializers.obj,initsect.obj,tncleanup.obj,ucrt_stubs.obj,utility.obj,utility_desktop.obj)\r\n"
]
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll",
"index": 0
}
}
}
]
},
{
"ruleId": "BA2004",
"ruleIndex": 2,
"level": "error",
"message": {
"id": "Error_NativeWithInsecureDirectCompilands",
"arguments": [
"MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll",
"Microsoft (R) Optimizing Compiler : cxx : 19.29.30133.0 : [directly linked] [MD5] (CPlusPlusFile1.obj)\r\n"
]
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll",
"index": 0
}
}
}
]
},
{
"ruleId": "BA2005",
"ruleIndex": 3,
"kind": "pass",
"level": "none",
"message": {
"id": "Pass",
"arguments": [
"MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll"
]
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll",
"index": 0
}
}
}
]
},
{
"ruleId": "BA2006",
"ruleIndex": 4,
"kind": "pass",
"level": "none",
"message": {
"id": "Pass",
"arguments": [
"MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll",
"Microsoft (R) Optimizing Compiler:C:19.29.30034.2, Microsoft (R) Optimizing Compiler:Cxx:19.29.30034.2, Microsoft (R) Optimizing Compiler:Cxx:19.29.30133.0"
]
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll",
"index": 0
}
}
}
]
},
{
"ruleId": "BA2007",
"ruleIndex": 5,
"kind": "pass",
"level": "none",
"message": {
"id": "Pass",
"arguments": [
"MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll",
"3"
]
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll",
"index": 0
}
}
}
]
},
{
"ruleId": "BA2009",
"ruleIndex": 6,
"kind": "pass",
"level": "none",
"message": {
"id": "Pass",
"arguments": [
"MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll"
]
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll",
"index": 0
}
}
}
]
},
{
"ruleId": "BA2010",
"ruleIndex": 7,
"kind": "pass",
"level": "none",
"message": {
"id": "Pass",
"arguments": [
"MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll"
]
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll",
"index": 0
}
}
}
]
},
{
"ruleId": "BA2011",
"ruleIndex": 8,
"kind": "pass",
"level": "none",
"message": {
"id": "Pass",
"arguments": [
"MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll"
]
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll",
"index": 0
}
}
}
]
},
{
"ruleId": "BA2012",
"ruleIndex": 9,
"kind": "pass",
"level": "none",
"message": {
"id": "Pass",
"arguments": [
"MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll"
]
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll",
"index": 0
}
}
}
]
},
{
"ruleId": "BA2013",
"ruleIndex": 10,
"kind": "pass",
"level": "none",
"message": {
"id": "Pass",
"arguments": [
"MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll"
]
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll",
"index": 0
}
}
}
]
},
{
"ruleId": "BA2014",
"ruleIndex": 11,
"kind": "pass",
"level": "none",
"message": {
"id": "Pass",
"arguments": [
"MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll"
]
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll",
"index": 0
}
}
}
]
},
{
"ruleId": "BA2019",
"ruleIndex": 12,
"kind": "pass",
"level": "none",
"message": {
"id": "Pass",
"arguments": [
"MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll"
]
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll",
"index": 0
}
}
}
]
},
{
"ruleId": "BA2021",
"ruleIndex": 13,
"kind": "pass",
"level": "none",
"message": {
"id": "Pass",
"arguments": [
"MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll"
]
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll",
"index": 0
}
}
}
]
},
{
"ruleId": "BA2024",
"ruleIndex": 14,
"kind": "pass",
"level": "none",
"message": {
"id": "Pass",
"arguments": [
"MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll"
]
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll",
"index": 0
}
}
}
]
},
{
"ruleId": "BA2025",
"ruleIndex": 15,
"message": {
"id": "Warning",
"arguments": [
"MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll"
]
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll",
"index": 0
}
}
}
]
},
{
"ruleId": "BA2027",
"ruleIndex": 16,
"message": {
"id": "Warning",
"arguments": [
"MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll"
]
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll",
"index": 0
}
}
}
]
},
{
"ruleId": "BA6002",
"ruleIndex": 17,
"message": {
"id": "Warning",
"arguments": [
"MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll",
"Microsoft (R) Optimizing Compiler : cxx : 19.29.30133.0 : [directly linked] (.NETFramework,Version=v4.0.AssemblyAttributes.obj,CPlusPlusFile1.obj)\r\n"
]
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll",
"index": 0
}
}
}
]
},
{
"ruleId": "BA6004",
"ruleIndex": 18,
"kind": "pass",
"level": "none",
"message": {
"id": "Pass",
"arguments": [
"MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll"
]
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll",
"index": 0
}
}
}
]
},
{
"ruleId": "BA6005",
"ruleIndex": 19,
"message": {
"id": "Warning",
"arguments": [
"MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll"
]
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/MixedMode_x64_VS2019_CPlusPlus_DEBUG_FULL.dll",
"index": 0
}
}
}
]
}
],
"tool": {
"driver": {
"name": "testhost",
"version": "15.0.0.0",
"rules": [
{
"id": "BA2001",
"name": "LoadImageAboveFourGigabyteAddress",
"fullDescription": {
"text": "64-bit images should have a preferred base address above the 4GB boundary to prevent triggering an Address Space Layout Randomization (ASLR) compatibility mode that decreases security. ASLR compatibility mode reduces the number of locations to which ASLR may relocate the binary, reducing its effectiveness at mitigating memory corruption vulnerabilities. To resolve this issue, either use the default preferred base address by removing any uses of /baseaddress from compiler command lines, or /BASE from linker command lines (recommended), or configure your program to start at a base address above 4GB when compiled for 64 bit platforms (by changing the constant passed to /baseaddress or /BASE). Note that if you choose to continue using a custom preferred base address, you will need to make this modification only for 64-bit builds, as base addresses above 4GB are not valid for 32-bit binaries."
},
"help": {
"text": "64-bit images should have a preferred base address above the 4GB boundary to prevent triggering an Address Space Layout Randomization (ASLR) compatibility mode that decreases security. ASLR compatibility mode reduces the number of locations to which ASLR may relocate the binary, reducing its effectiveness at mitigating memory corruption vulnerabilities. To resolve this issue, either use the default preferred base address by removing any uses of /baseaddress from compiler command lines, or /BASE from linker command lines (recommended), or configure your program to start at a base address above 4GB when compiled for 64 bit platforms (by changing the constant passed to /baseaddress or /BASE). Note that if you choose to continue using a custom preferred base address, you will need to make this modification only for 64-bit builds, as base addresses above 4GB are not valid for 32-bit binaries."
},
"messageStrings": {
"Pass": {
"text": "'{0}' is a 64-bit image with a base address that is >= 4 gigabytes, increasing the effectiveness of Address Space Layout Randomization (which helps prevent attackers from executing security-sensitive code in well-known locations)."
},
"Error": {
"text": "'{0}' is a 64-bit image with a preferred base address below the 4GB boundary. Having a preferred base address below this boundary triggers a compatibility mode in Address Space Layout Randomization (ASLR) on recent versions of Windows that reduces the number of locations to which ASLR may relocate the binary. This reduces the effectiveness of ASLR at mitigating memory corruption vulnerabilities. To resolve this issue, either use the default preferred base address by removing any uses of /baseaddress from compiler command lines, or /BASE from linker command lines (recommended), or configure your program to start at a base address above 4GB when compiled for 64 bit platforms (by changing the constant passed to /baseaddress or /BASE). Note that if you choose to continue using a custom preferred base address, you will need to make this modification only for 64-bit builds, as base addresses above 4GB are not valid for 32-bit binaries."
},
"NotApplicable_InvalidMetadata": {
"text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}."
}
},
"helpUri": "/~https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2001LoadImageAboveFourGigabyteAddress",
"properties": {
"equivalentBinScopeRuleReadableName": "FourGbCheck"
}
},
{
"id": "BA2002",
"name": "DoNotIncorporateVulnerableDependencies",
"fullDescription": {
"text": "Binaries should not take dependencies on code with known security vulnerabilities."
},
"help": {
"text": "Binaries should not take dependencies on code with known security vulnerabilities."
},
"messageStrings": {
"Pass": {
"text": "'{0}' does not incorporate any known vulnerable dependencies, as configured by current policy."
},
"Error": {
"text": "'{0}' was built with a version of {1} which is subject to the following issues: {2}. To resolve this, {3}. The source files that triggered this were: {4}"
},
"NotApplicable_InvalidMetadata": {
"text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}."
}
},
"helpUri": "/~https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2002DoNotIncorporateVulnerableDependencies",
"properties": {
"equivalentBinScopeRuleReadableName": "ATLVersionCheck"
}
},
{
"id": "BA2004",
"name": "EnableSecureSourceCodeHashing",
"fullDescription": {
"text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '<ChecksumAlgorithm>' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing."
},
"help": {
"text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '<ChecksumAlgorithm>' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing."
},
"messageStrings": {
"Pass": {
"text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm."
},
"Warning_NativeWithInsecureStaticLibraryCompilands": {
"text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm. Insecure checksum algorithms are subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}"
},
"Error_Managed": {
"text": "'{0}' is a managed binary compiled with an insecure ({1}) source code hashing algorithm. {1} is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project <ChecksumAlgorithm> property with 'SHA256' to enable secure source code hashing."
},
"Error_NativeWithInsecureDirectCompilands": {
"text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm. Insecure checksum algorithms are subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}"
},
"NotApplicable_InvalidMetadata": {
"text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}."
}
},
"helpUri": "/~https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2004EnableSecureSourceCodeHashing"
},
{
"id": "BA2005",
"name": "DoNotShipVulnerableBinaries",
"fullDescription": {
"text": "Do not ship obsolete libraries for which there are known security vulnerabilities."
},
"help": {
"text": "Do not ship obsolete libraries for which there are known security vulnerabilities."
},
"messageStrings": {
"Pass": {
"text": "'{0}' is not known to be an obsolete binary that is vulnerable to one or more security problems."
},
"Error": {
"text": "'{0}' appears to be an obsolete library (version {1}) for which there are known security vulnerabilities. To resolve this issue, obtain a version of {0} that is newer than version {2}. If this binary is not in fact {0}, ignore this warning."
},
"Error_CouldNotParseVersion": {
"text": "Version information for '{0}' could not be parsed. The binary therefore could not be verified not to be an obsolete binary that is known to be vulnerable to one or more security problems."
},
"NotApplicable_InvalidMetadata": {
"text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}."
}
},
"helpUri": "/~https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2005DoNotShipVulnerableBinaries",
"properties": {
"equivalentBinScopeRuleReadableName": "BinaryVersionsCheck"
}
},
{
"id": "BA2006",
"name": "BuildWithSecureTools",
"fullDescription": {
"text": "Application code should be compiled with the most up-to-date tool sets possible to take advantage of the most current compile-time security features. Among other things, these features provide address space layout randomization, help prevent arbitrary code execution, and enable code generation that can help prevent speculative execution side-channel attacks."
},
"help": {
"text": "Application code should be compiled with the most up-to-date tool sets possible to take advantage of the most current compile-time security features. Among other things, these features provide address space layout randomization, help prevent arbitrary code execution, and enable code generation that can help prevent speculative execution side-channel attacks."
},
"messageStrings": {
"Error": {
"text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}"
},
"Error_BadModule": {
"text": "built with {0} compiler version {1} (Front end version {2})"
},
"Pass": {
"text": "All linked modules of '{0}' satisfy configured policy (observed compilers: {1})."
},
"NotApplicable_InvalidMetadata": {
"text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}."
}
},
"helpUri": "/~https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2006BuildWithSecureTools",
"properties": {
"equivalentBinScopeRuleReadableName": "CompilerVersionCheck"
}
},
{
"id": "BA2007",
"name": "EnableCriticalCompilerWarnings",
"fullDescription": {
"text": "Binaries should be compiled with a warning level that enables all critical security-relevant checks. Enabling at least warning level 3 enables important static analysis in the compiler that can identify bugs with a potential to provoke memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted."
},
"help": {
"text": "Binaries should be compiled with a warning level that enables all critical security-relevant checks. Enabling at least warning level 3 enables important static analysis in the compiler that can identify bugs with a potential to provoke memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted."
},
"messageStrings": {
"Pass": {
"text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code."
},
"Error_WarningsDisabled": {
"text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}"
},
"Error_InsufficientWarningLevel": {
"text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}"
},
"Error_UnknownModuleLanguage": {
"text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}"
},
"NotApplicable_InvalidMetadata": {
"text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}."
}
},
"helpUri": "/~https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2007EnableCriticalCompilerWarnings",
"properties": {
"equivalentBinScopeRuleReadableName": "CompilerWarningsCheck"
}
},
{
"id": "BA2009",
"name": "EnableAddressSpaceLayoutRandomization",
"fullDescription": {
"text": "Binaries should be linked as DYNAMICBASE to be eligible for relocation by Address Space Layout Randomization (ASLR). ASLR is an important mitigation that makes it more difficult for an attacker to exploit memory corruption vulnerabilities. Configure your tools to build with this feature enabled. For C and C++ binaries, add /DYNAMICBASE to your linker command line. For .NET applications, use a compiler shipping with Visual Studio 2008 or later."
},
"help": {
"text": "Binaries should be linked as DYNAMICBASE to be eligible for relocation by Address Space Layout Randomization (ASLR). ASLR is an important mitigation that makes it more difficult for an attacker to exploit memory corruption vulnerabilities. Configure your tools to build with this feature enabled. For C and C++ binaries, add /DYNAMICBASE to your linker command line. For .NET applications, use a compiler shipping with Visual Studio 2008 or later."
},
"messageStrings": {
"Pass": {
"text": "'{0}' is properly compiled to enable Address Space Layout Randomization, reducing an attacker's ability to exploit code in well-known locations."
},
"Error_NotDynamicBase": {
"text": "'{0}' is not marked as DYNAMICBASE. This means that the binary is not eligible for relocation by Address Space Layout Randomization (ASLR). ASLR is an important mitigation that makes it more difficult for an attacker to exploit memory corruption vulnerabilities. To resolve this issue, configure your tools to build with this feature enabled. For C and C++ binaries, add /DYNAMICBASE to your linker command line. For .NET applications, use a compiler shipping with Visual Studio 2008 or later."
},
"Error_RelocsStripped": {
"text": "'{0}' is marked as DYNAMICBASE but relocation data has been stripped from the image, preventing address space layout randomization. "
},
"Error_WinCENoRelocationSection": {
"text": "'{0}' is a Windows CE image but does not contain any relocation data, preventing Address Space Layout Randomization."
},
"NotApplicable_InvalidMetadata": {
"text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}."
}
},
"helpUri": "/~https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2009EnableAddressSpaceLayoutRandomization",
"properties": {
"equivalentBinScopeRuleReadableName": "DBCheck"
}
},
{
"id": "BA2010",
"name": "DoNotMarkImportsSectionAsExecutable",
"fullDescription": {
"text": "PE sections should not be marked as both writable and executable. This condition makes it easier for an attacker to exploit memory corruption vulnerabilities, as it may provide an attacker executable location(s) to inject shellcode. Because the loader will always mark the imports section as writable, it is therefore important to mark this section as non-executable. To resolve this issue, ensure that your program does not mark the imports section executable. Look for uses of /SECTION or /MERGE on the linker command line, or #pragma segment in source code, which change the imports section to be executable, or which merge the \".rdata\" segment into an executable section."
},
"help": {
"text": "PE sections should not be marked as both writable and executable. This condition makes it easier for an attacker to exploit memory corruption vulnerabilities, as it may provide an attacker executable location(s) to inject shellcode. Because the loader will always mark the imports section as writable, it is therefore important to mark this section as non-executable. To resolve this issue, ensure that your program does not mark the imports section executable. Look for uses of /SECTION or /MERGE on the linker command line, or #pragma segment in source code, which change the imports section to be executable, or which merge the \".rdata\" segment into an executable section."
},
"messageStrings": {
"Pass": {
"text": "'{0}' does not have an imports section that is marked as executable, helping to prevent the exploitation of code vulnerabilities."
},
"Error": {
"text": "'{0}' has the imports section marked executable. Because the loader will always mark the imports section as writable, it is important to mark this section as non-executable, so that an attacker cannot place shellcode here. To resolve this issue, ensure that your program does not mark the imports section as executable. Look for uses of /SECTION or /MERGE on the linker command line, or #pragma segment in source code, which change the imports section to be executable, or which merge the \".rdata\" segment into an executable section."
},
"NotApplicable_InvalidMetadata": {
"text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}."
}
},
"helpUri": "/~https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2010DoNotMarkImportsSectionAsExecutable",
"properties": {
"equivalentBinScopeRuleReadableName": "ExecutableImportsCheck"
}
},
{
"id": "BA2011",
"name": "EnableStackProtection",
"fullDescription": {
"text": "Binaries should be built with the stack protector buffer security feature (/GS) enabled to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities. To resolve this issue, ensure that all modules compiled into the binary are compiled with the stack protector enabled by supplying /GS on the Visual C++ compiler command line."
},
"help": {
"text": "Binaries should be built with the stack protector buffer security feature (/GS) enabled to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities. To resolve this issue, ensure that all modules compiled into the binary are compiled with the stack protector enabled by supplying /GS on the Visual C++ compiler command line."
},
"messageStrings": {
"Pass": {
"text": "'{0}' is a C or C++ binary built with the stack protector buffer security feature enabled for all modules, making it more difficult for an attacker to exploit stack buffer overflow memory corruption vulnerabilities. "
},
"Error": {
"text": "'{0}' is a C or C++ binary built with the stack protector buffer security feature disabled in one or more modules. The stack protector (/GS) is a security feature of the compiler which makes it more difficult to exploit stack buffer overflow memory corruption vulnerabilities. To resolve this issue, ensure that your code is compiled with the stack protector enabled by supplying /GS on the Visual C++ compiler command line. The affected modules were: {1}"
},
"Error_UnknownModuleLanguage": {
"text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the stack protector buffer security features. The language could not be identified for the following modules: {1}."
},
"NotApplicable_InvalidMetadata": {
"text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}."
}
},
"helpUri": "/~https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2011EnableStackProtection",
"properties": {
"equivalentBinScopeRuleReadableName": "GSCheck"
}
},
{
"id": "BA2012",
"name": "DoNotModifyStackProtectionCookie",
"fullDescription": {
"text": "Application code should not interfere with the stack protector. The stack protector (/GS) is a security feature of the compiler which makes it more difficult to exploit stack buffer overflow memory corruption vulnerabilities. The stack protector relies on a random number, called the \"security cookie\", to detect these buffer overflows. This 'cookie' is statically linked with your binary from a Visual C++ library in the form of the symbol __security_cookie. On recent Windows versions, the loader looks for the statically linked value of this cookie, and initializes the cookie with a far better source of entropy -- the system's secure random number generator -- rather than the limited random number generator available early in the C runtime startup code. When this symbol is not the default value, the additional entropy is not injected by the operating system, reducing the effectiveness of the stack protector. To resolve this issue, ensure that your code does not reference or create a symbol named __security_cookie or __security_cookie_complement."
},
"help": {
"text": "Application code should not interfere with the stack protector. The stack protector (/GS) is a security feature of the compiler which makes it more difficult to exploit stack buffer overflow memory corruption vulnerabilities. The stack protector relies on a random number, called the \"security cookie\", to detect these buffer overflows. This 'cookie' is statically linked with your binary from a Visual C++ library in the form of the symbol __security_cookie. On recent Windows versions, the loader looks for the statically linked value of this cookie, and initializes the cookie with a far better source of entropy -- the system's secure random number generator -- rather than the limited random number generator available early in the C runtime startup code. When this symbol is not the default value, the additional entropy is not injected by the operating system, reducing the effectiveness of the stack protector. To resolve this issue, ensure that your code does not reference or create a symbol named __security_cookie or __security_cookie_complement."
},
"messageStrings": {
"Pass": {
"text": "'{0}' is a C or C++ binary built with the buffer security feature that properly preserves the stack protector cookie. This has the effect of enabling a significant increase in entropy provided by the operating system over that produced by the C runtime start-up code."
},
"Pass_NoLoadConfig": {
"text": "'{0}' is a C or C++ binary that does not contain a load config table, which indicates either that it was compiled and linked with a version of the compiler that precedes stack protection features, or that it is a binary (such as an ngen'ed assembly) that is not subject to the relevant security issues."
},
"Error": {
"text": "'{0}' is a C or C++ binary that interferes with the stack protector. The stack protector (/GS) is a security feature of the compiler which makes it more difficult to exploit stack buffer overflow memory corruption vulnerabilities. The stack protector relies on a random number, called the \"security cookie\", to detect these buffer overflows. This 'cookie' is statically linked with your binary from a Visual C++ library in the form of the symbol __security_cookie. On recent Windows versions, the loader looks for the magic statically linked value of this cookie, and initializes the cookie with a far better source of entropy -- the system's secure random number generator -- rather than the limited random number generator available early in the C runtime startup code. When this symbol is not the default value, the additional entropy is not injected by the operating system, reducing the effectiveness of the stack protector. To resolve this issue, ensure that your code does not reference or create a symbol named __security_cookie or __security_cookie_complement. NOTE: the modified cookie value detected was: {1}"
},
"Error_CouldNotLocateCookie": {
"text": "'{0}' is a C or C++ binary that enables the stack protection feature but the security cookie could not be located. The binary may be corrupted."
},
"Warning_InvalidSecurityCookieOffset": {
"text": "'{0}' appears to be a packed C or C++ binary that reports a security cookie offset that exceeds the size of the packed file. Use of the stack protector (/GS) feature therefore could not be verified. The file was possibly packed by: {1}."
},
"NotApplicable_InvalidMetadata": {
"text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}."
}
},
"helpUri": "/~https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2012DoNotModifyStackProtectionCookie",
"properties": {
"equivalentBinScopeRuleReadableName": "DefaultGSCookieCheck"
}
},
{
"id": "BA2013",
"name": "InitializeStackProtection",
"fullDescription": {
"text": "Binaries should properly initialize the stack protector (/GS) in order to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities. The stack protector requires access to entropy in order to be effective, which means a binary must initialize a random number generator at startup, by calling __security_init_cookie() as close to the binary's entry point as possible. Failing to do so will result in spurious buffer overflow detections on the part of the stack protector. To resolve this issue, use the default entry point provided by the C runtime, which will make this call for you, or call __security_init_cookie() manually in your custom entry point."
},
"help": {
"text": "Binaries should properly initialize the stack protector (/GS) in order to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities. The stack protector requires access to entropy in order to be effective, which means a binary must initialize a random number generator at startup, by calling __security_init_cookie() as close to the binary's entry point as possible. Failing to do so will result in spurious buffer overflow detections on the part of the stack protector. To resolve this issue, use the default entry point provided by the C runtime, which will make this call for you, or call __security_init_cookie() manually in your custom entry point."
},
"messageStrings": {
"Pass": {
"text": "'{0}' is a C or C++ binary built with the buffer security feature that properly initializes the stack protector. This has the effect of increasing the effectiveness of the feature and reducing spurious detections."
},
"Pass_NoCode": {
"text": "'{0}' is a C or C++ binary that is not required to initialize the stack protection, as it does not contain executable code."
},
"NotApplicable_FeatureNotEnabled": {
"text": "'{0}' is a C or C++ binary that does not enable the stack protection buffer security feature. It is therefore not required to initialize the stack protector."
},
"Error": {
"text": "'{0}' is a C or C++ binary that does not initialize the stack protector. The stack protector (/GS) is a security feature of the compiler which makes it more difficult to exploit stack buffer overflow memory corruption vulnerabilities. The stack protector requires access to entropy in order to be effective, which means a binary must initialize a random number generator at startup, by calling __security_init_cookie() as close to the binary's entry point as possible. Failing to do so will result in spurious buffer overflow detections on the part of the stack protector. To resolve this issue, use the default entry point provided by the C runtime, which will make this call for you, or call __security_init_cookie() manually in your custom entry point."
},
"NotApplicable_InvalidMetadata": {
"text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}."
}
},
"helpUri": "/~https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2013InitializeStackProtection",
"properties": {
"equivalentBinScopeRuleReadableName": "GSFriendlyInitCheck"
}
},
{
"id": "BA2014",
"name": "DoNotDisableStackProtectionForFunctions",
"fullDescription": {
"text": "Application code should not disable stack protection for individual functions. The stack protector (/GS) is a security feature of the Windows native compiler which makes it more difficult to exploit stack buffer overflow memory corruption vulnerabilities. Disabling the stack protector, even on a function-by-function basis, can compromise the security of code. To resolve this issue, remove occurrences of __declspec(safebuffers) from your code. If the additional code inserted by the stack protector has been shown in profiling to cause a significant performance problem for your application, attempt to move stack buffer modifications out of the hot path of execution to allow the compiler to avoid inserting stack protector checks in these locations rather than disabling the stack protector altogether."
},
"help": {
"text": "Application code should not disable stack protection for individual functions. The stack protector (/GS) is a security feature of the Windows native compiler which makes it more difficult to exploit stack buffer overflow memory corruption vulnerabilities. Disabling the stack protector, even on a function-by-function basis, can compromise the security of code. To resolve this issue, remove occurrences of __declspec(safebuffers) from your code. If the additional code inserted by the stack protector has been shown in profiling to cause a significant performance problem for your application, attempt to move stack buffer modifications out of the hot path of execution to allow the compiler to avoid inserting stack protector checks in these locations rather than disabling the stack protector altogether."
},
"messageStrings": {
"Pass": {
"text": "'{0}' is a C or C++ binary built with the stack protector buffer security feature enabled which does not disable protection for any individual functions (via __declspec(safebuffers)), making it more difficult for an attacker to exploit stack buffer overflow memory corruption vulnerabilities."
},
"Error": {
"text": "'{0}' is a C or C++ binary built with function(s) ({1}) that disable the stack protector. The stack protector (/GS) is a security feature of the compiler which makes it more difficult to exploit stack buffer overflow memory corruption vulnerabilities. Disabling the stack protector, even on a function-by-function basis, is disallowed by SDL policy. To resolve this issue, remove occurrences of __declspec(safebuffers) from your code. If the additional code inserted by the stack protector has been shown in profiling to cause a significant performance problem for your application, attempt to move stack buffer modifications out of the hot path of execution to allow the compiler to avoid inserting stack protector checks in these locations rather than disabling the stack protector altogether."
},
"NotApplicable_InvalidMetadata": {
"text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}."
}
},
"helpUri": "/~https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2014DoNotDisableStackProtectionForFunctions",
"properties": {
"equivalentBinScopeRuleReadableName": "GSFunctionSafeBuffersCheck"
}
},
{
"id": "BA2019",
"name": "DoNotMarkWritableSectionsAsShared",
"fullDescription": {
"text": "Code or data sections should not be marked as both shared and writable. Because these sections are shared across processes, this condition might permit a process with low privilege to alter memory in a higher privilege process. If you do not actually require that a section be both writable and shared, remove one or both of these attributes (by modifying your .DEF file, the appropriate linker /section switch arguments, etc.). If you must share common data across processes (for inter-process communication (IPC) or other purposes) use CreateFileMapping with proper security attributes or an actual IPC mechanism instead (COM, named pipes, LPC, etc.)."
},
"help": {
"text": "Code or data sections should not be marked as both shared and writable. Because these sections are shared across processes, this condition might permit a process with low privilege to alter memory in a higher privilege process. If you do not actually require that a section be both writable and shared, remove one or both of these attributes (by modifying your .DEF file, the appropriate linker /section switch arguments, etc.). If you must share common data across processes (for inter-process communication (IPC) or other purposes) use CreateFileMapping with proper security attributes or an actual IPC mechanism instead (COM, named pipes, LPC, etc.)."
},
"messageStrings": {
"Pass": {
"text": "'{0}' contains no data or code sections marked as both shared and writable, helping to prevent the exploitation of code vulnerabilities."
},
"Error": {
"text": "'{0}' contains one or more code or data sections ({1}) which are marked as both shared and writable. Because these sections are shared across processes, this condition might permit a process with low privilege to alter memory in a higher privilege process. If you do not actually require that a section be both writable and shared, remove one or both of these attributes (by modifying your .DEF file, the appropriate linker /section switch arguments, etc.). If you must share common data across processes (for inter-process communication (IPC) or other purposes) use CreateFileMapping with proper security attributes or an actual IPC mechanism instead (COM, named pipes, LPC, etc.)."
},
"NotApplicable_InvalidMetadata": {
"text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}."
}
},
"helpUri": "/~https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2019DoNotMarkWritableSectionsAsShared",
"properties": {
"equivalentBinScopeRuleReadableName": "SharedSectionCheck"
}
},
{
"id": "BA2021",
"name": "DoNotMarkWritableSectionsAsExecutable",
"fullDescription": {
"text": "PE sections should not be marked as both writable and executable. This condition makes it easier for an attacker to exploit memory corruption vulnerabilities, as it may provide an attacker executable location(s) to inject shellcode. To resolve this issue, configure your tools to not emit memory sections that are writable and executable. For example, look for uses of /SECTION on the linker command line for C and C++ programs, or #pragma section in C and C++ source code, which mark a section with both attributes. Be sure to disable incremental linking in release builds, as this feature creates a writable and executable section named '.textbss' in order to function."
},
"help": {
"text": "PE sections should not be marked as both writable and executable. This condition makes it easier for an attacker to exploit memory corruption vulnerabilities, as it may provide an attacker executable location(s) to inject shellcode. To resolve this issue, configure your tools to not emit memory sections that are writable and executable. For example, look for uses of /SECTION on the linker command line for C and C++ programs, or #pragma section in C and C++ source code, which mark a section with both attributes. Be sure to disable incremental linking in release builds, as this feature creates a writable and executable section named '.textbss' in order to function."
},
"messageStrings": {
"Pass": {
"text": "'{0}' contains no data or code sections marked as both writable and executable, helping to prevent the exploitation of code vulnerabilities."
},
"Error": {
"text": "'{0}' contains PE section(s) ({1}) that are both writable and executable. Writable and executable memory segments make it easier for an attacker to exploit memory corruption vulnerabilities, because they may provide an attacker executable location(s) to inject shellcode. To resolve this issue, configure your tools to not emit memory sections that are writable and executable. For example, look for uses of /SECTION on the linker command line for C and C++ programs, or #pragma section in C and C++ source code, which mark a section with both attributes. Enabling incremental linking via the /INCREMENTAL argument (the default for Microsoft Visual Studio debug builds) can also result in a writable and executable section named '.textbss'. For this case, disable incremental linking (or analyze an alternate build configuration that disables this feature) to resolve the problem."
},
"Error_UnexpectedSectionAligment": {
"text": "'{0}' has a section alignment ({1}) that is smaller than its page size ({2})."
},
"NotApplicable_InvalidMetadata": {
"text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}."
}
},
"helpUri": "/~https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2021DoNotMarkWritableSectionsAsExecutable",
"properties": {
"equivalentBinScopeRuleReadableName": "WXCheck"
}
},
{
"id": "BA2024",
"name": "EnableSpectreMitigations",
"fullDescription": {
"text": "Application code should be compiled with the Spectre mitigations switch (/Qspectre cl.exe command-line argument or <SpectreMitigation>Spectre</SpectreMitigation> build property). Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve this issue, provide the /Qspectre switch on the compiler command-line (or specify <SpectreMitigation>Spectre</SpectreMitigation> in build properties), or pass /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre. This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request. You may need to install the 'C++ spectre-mitigated libs' component from the Visual Studio installer if you observe violations against C runtime libraries such as libcmt.lib, libvcruntime.lib, etc."
},
"help": {
"text": "Application code should be compiled with the Spectre mitigations switch (/Qspectre cl.exe command-line argument or <SpectreMitigation>Spectre</SpectreMitigation> build property). Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve this issue, provide the /Qspectre switch on the compiler command-line (or specify <SpectreMitigation>Spectre</SpectreMitigation> in build properties), or pass /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre. This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request. You may need to install the 'C++ spectre-mitigated libs' component from the Visual Studio installer if you observe violations against C runtime libraries such as libcmt.lib, libvcruntime.lib, etc."
},
"messageStrings": {
"Warning": {
"text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or specify <SpectreMitigation>Spectre</SpectreMitigation> in build properties), or pass /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre. This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}"
},
"WarningMissingCommandLine": {
"text": "'{0}' was compiled with one or more modules with a toolset that supports /Qspectre but a compiland `RawCommandLine` value is missing and the rule is therefore not able to determine if `/Qspectre` is specified. The likely cause is that the code was linked to a static library with no debug information. It is not known whether code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities were enabled. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, ensure that the compiler command line is present (provide the /Z7 switch) and provide the /Qspectre switch on the compiler command-line (or specify <SpectreMitigation>Spectre</SpectreMitigation> in build properties), or pass /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre. This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request."
},
"Warning_SpectreMitigationUnknownNoCommandLine": {
"text": "The following modules were compiled with a toolset that supports /Qspectre but a compiland `RawCommandLine` value is missing and the rule is therefore not able to determine if `/Qspectre` is specified. The likely cause is that the code was linked to a static library with no debug information: {0}"
},
"Warning_OptimizationsDisabled": {
"text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}"
},
"Warning_SpectreMitigationNotEnabled": {
"text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}"
},
"Warning_SpectreMitigationExplicitlyDisabled": {
"text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}"
},
"Pass": {
"text": "All modules linked into '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities."
},
"NotApplicable_InvalidMetadata": {
"text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}."
}
},
"helpUri": "/~https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2024EnableSpectreMitigations"
},
{
"id": "BA2025",
"name": "EnableShadowStack",
"fullDescription": {
"text": "Control-flow Enforcement Technology (CET) Shadow Stack is a computer processor feature that provides capabilities to defend against return-oriented programming (ROP) based malware attacks. Note: older versions of .NET are not compatible with CET/shadow stack technology. If your native process loads older managed assemblies (.NET 6 or earlier), unhandled exceptions in those components may not be handled properly and may cause your process to crash."
},
"help": {
"text": "Control-flow Enforcement Technology (CET) Shadow Stack is a computer processor feature that provides capabilities to defend against return-oriented programming (ROP) based malware attacks. Note: older versions of .NET are not compatible with CET/shadow stack technology. If your native process loads older managed assemblies (.NET 6 or earlier), unhandled exceptions in those components may not be handled properly and may cause your process to crash."
},
"messageStrings": {
"Pass": {
"text": "'{0}' enables the Control-flow Enforcement Technology (CET) Shadow Stack mitigation."
},
"Warning": {
"text": "'{0}' does not enable the Control-flow Enforcement Technology (CET) Shadow Stack mitigation. To resolve this issue, pass /CETCOMPAT on the linker command line. Note: older versions of .NET are not compatible with CET/shadow stack technology. If your native process loads older managed assemblies (.NET 6 or earlier), unhandled exceptions in those components may not be handled properly and may cause your process to crash."
},
"NotApplicable_InvalidMetadata": {
"text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}."
}
},
"helpUri": "/~https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2025EnableShadowStack"
},
{
"id": "BA2027",
"name": "EnableSourceLink",
"fullDescription": {
"text": "SourceLink information should be present in the PDB. This applies to binaries built with the C# and MSVC compilers. When enabled, SourceLink information is added to the PDB. That information includes the repository URLs and commit IDs for all source files fed to the compiler. The PDB should also be uploaded to a symbol server so that it can be discovered by a debugger such as Visual Studio. Developers can then step into the matching source code. Frictionless source-driven debugging provides a good user experience for consumers and also accelerates security response in the event of supply-chain compromise. See https://aka.ms/sourcelink for more information."
},
"help": {
"text": "SourceLink information should be present in the PDB. This applies to binaries built with the C# and MSVC compilers. When enabled, SourceLink information is added to the PDB. That information includes the repository URLs and commit IDs for all source files fed to the compiler. The PDB should also be uploaded to a symbol server so that it can be discovered by a debugger such as Visual Studio. Developers can then step into the matching source code. Frictionless source-driven debugging provides a good user experience for consumers and also accelerates security response in the event of supply-chain compromise. See https://aka.ms/sourcelink for more information."
},
"messageStrings": {
"Pass": {
"text": "The PDB for '{0}' contains SourceLink information, maximizing engineering and security response efficiency when source code is required for debugging and other critical analysis."
},
"Warning": {
"text": "The PDB for '{0}' does not contain SourceLink information, compromising frictionless source-driven debugging and increasing latency of security response. Enable SourceLink by configuring necessary project properties and adding a package reference for your source control provider. See https://aka.ms/sourcelink for more information."
}
},
"helpUri": "/~https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2027EnableSourceLink"
},
{
"id": "BA6002",
"name": "EliminateDuplicateStrings",
"fullDescription": {
"text": "The /GF compiler option, also known as Eliminate Duplicate Strings or String Pooling, will combine identical strings in a program to a single readonly copy. This can significantly reduce binary size for programs with many string resources."
},
"help": {
"text": "The /GF compiler option, also known as Eliminate Duplicate Strings or String Pooling, will combine identical strings in a program to a single readonly copy. This can significantly reduce binary size for programs with many string resources."
},
"messageStrings": {
"Pass": {
"text": "'{0}' was compiled with Eliminate Duplicate Strings (/GF) enabled."
},
"Warning": {
"text": "'{0}' was compiled without Eliminate Duplicate Strings (/GF) enabled, increasing binary size. The following modules do not specify that policy: {1}."
},
"NotApplicable_InvalidMetadata": {
"text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}."
}
},
"helpUri": "/~https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA6002EliminateDuplicateStrings"
},
{
"id": "BA6004",
"name": "EnableComdatFolding",
"fullDescription": {
"text": "COMDAT folding can significantly reduce binary size by combining functions which generate identical machine code into a single copy in the final binary."
},
"help": {
"text": "COMDAT folding can significantly reduce binary size by combining functions which generate identical machine code into a single copy in the final binary."
},
"messageStrings": {
"Pass": {
"text": "'{0}' was compiled with COMDAT folding (/OPT:ICF) enabled"
},
"Warning_EnabledForDebug": {
"text": "'{0}' appears to be a Debug build which was compiled with COMDAT folding (/OPT:ICF) enabled. That may make debugging more difficult."
},
"Warning_DisabledForRelease": {
"text": "'{0}' was compiled with COMDAT folding (/OPT:ICF) disabled, increasing binary size."
},
"NotApplicable_InvalidMetadata": {
"text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}."
}
},
"helpUri": "/~https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA6004EnableComdatFolding"
},
{
"id": "BA6005",
"name": "EnableOptimizeReferences",
"fullDescription": {
"text": "Optimize References can significantly reduce binary size because it instructs the linker to remove unreferenced functions and data from the final binary."
},
"help": {
"text": "Optimize References can significantly reduce binary size because it instructs the linker to remove unreferenced functions and data from the final binary."
},
"messageStrings": {
"Pass": {
"text": "'{0}' was compiled with Optimize References (/OPT:REF) enabled"
},
"Warning": {
"text": "'{0}' was compiled with Optimize References (/OPT:REF) disabled, increasing binary size."