[NativeAOT] BinSkim - EnableControlFlowGuard #83603

Closed
Tracked by #1632
jkotas opened this issue Aug 21, 2021 · 4 comments

Comments

@jkotas
Member

jkotas commented Aug 21, 2021

Running BinSkim on NativeAOT binaries produces an EnableControlFlowGuard warning.

Also need to verify that the ASM shims have CFG support

@kant2002
Contributor

kant2002 commented Sep 8, 2021

Is this issue and dotnet/runtimelab#1523 related?

@jkotas
Member Author

jkotas commented Sep 8, 2021

Yep

@ghost ghost added the untriaged New issue has not been triaged by the area owner label Mar 17, 2023
@agocke agocke transferred this issue from dotnet/runtimelab Mar 17, 2023
@agocke
Member

agocke commented Mar 17, 2023

It's not clear to me that we've fully satisfied this (i.e., BinSkim no longer warns). We should confirm and fix if not.

@agocke agocke added this to AppModel Mar 17, 2023
@agocke agocke added this to the 8.0.0 milestone Mar 17, 2023
@agocke agocke removed the untriaged New issue has not been triaged by the area owner label Mar 17, 2023
@jkotas
Member Author

jkotas commented Mar 17, 2023

I have verified that the CFG warning from BinSkim is fixed when the ControlFlowGuard property is set to Guard. It comes with a non-trivial binary size cost, and so we do not set it by default. The Visual Studio C/C++ toolchain has the same defaults.

For reference, here are the remaining binskim warnings - tested with binskim v.2.0.0-rc1:

  • warning BA2024: 'hello.exe' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.

  • warning BA2025: 'hello.exe' does not enable the Control-flow Enforcement Technology (CET) Shadow Stack mitigation. To resolve this issue, pass /CETCOMPAT on the linker command lines.

  • warning BA2026: 'hello.exe' is a Windows PE that wasn't compiled with recommended Security Development Lifecycle (SDL) checks. As a result some critical compile-time and runtime checks may be disabled, increasing the possibility of an exploitable runtime issue. To resolve this problem, pass '/sdl' on the cl.exe command-line, set the 'SDL checks' property in the 'C/C++ -> General' Configuration property page, or explicitly set the 'SDLCheck' property in the project file (nested within a 'CLCompile' element) to 'true'.

  • warning BA2027: The PDB for 'hello.exe' does not contain SourceLink information, compromising frictionless source-driven debugging and increasing latency of security response. Enable SourceLink by configuring necessary project properties and adding a package reference for your source control provider. See https://aka.ms/sourcelink for more information.

  • warning BA6006: 'hello.exe' was compiled without Link Time Code Generation (/LTCG). Enabling LTCG can improve optimizations and performance.

BA2024, BA2025, BA2026 are not specific to native AOT. They are present for standard CoreCLR runtime binaries as well. Once/if we fix those for CoreCLR, they should get fixed for native AOT as well.

BA2027 is tracked by #81415.

BA2028 is a native AOT specific limitation. We are shipping .lib files that are not compatible with LTCG, we would need to ship sources for the runtime to enable LTCG. This was discussed in various contexts, but we do not have a tracking issue yet. Opened #83611.

@jkotas jkotas closed this as completed Mar 17, 2023
@ghost ghost locked as resolved and limited conversation to collaborators Apr 17, 2023
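
Because CFG is off by default, as the last comment notes, a published native AOT binary can be checked for the opt-in by reading the `DllCharacteristics` field of its PE header. The following is an added example, not code from the issue or from BinSkim: it only inspects the header bits defined in the PE/COFF specification, a narrower check than a BinSkim scan, and the helper names and the constructed sample header are assumptions made for illustration.

```python
import struct
import sys

# DllCharacteristics bits from the PE/COFF specification
FLAGS = {
    "HIGH_ENTROPY_VA": 0x0020,
    "DYNAMIC_BASE": 0x0040,
    "NX_COMPAT": 0x0100,
    "GUARD_CF": 0x4000,  # image was linked with Control Flow Guard support
}

def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field, validating the headers on the way."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    opt_off = pe_off + 4 + 20                           # PE signature + COFF header
    if len(image) < opt_off + 72 or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing or truncated PE header")
    (magic,) = struct.unpack_from("<H", image, opt_off)
    if magic not in (0x10B, 0x20B):                     # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics is at offset 70 in both PE32 and PE32+
    return struct.unpack_from("<H", image, opt_off + 70)[0]

def mitigations(image: bytes) -> dict:
    """Map each flag name to whether it is set in the image header."""
    value = dll_characteristics(image)
    return {name: bool(value & bit) for name, bit in FLAGS.items()}

def constructed_pe(characteristics: int) -> bytes:
    """Constructed sample: only the header bytes the parser reads."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    opt = bytearray(72)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, 70, characteristics)
    return bytes(dos) + b"PE\0\0" + bytes(20) + bytes(opt)

if __name__ == "__main__":
    # Usage: python check_cfg.py path/to/published.exe (script name is hypothetical)
    with open(sys.argv[1], "rb") as fh:
        report = mitigations(fh.read(4096))
    print(report)
    sys.exit(0 if report["GUARD_CF"] else 1)
```

The non-zero exit code when `GUARD_CF` is missing lets a release pipeline fail a build that was expected to opt in.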