
Petition to enable current security mitigations on all of the binaries. #157

Open
jrmoore opened this issue Aug 13, 2024 · 0 comments

jrmoore commented Aug 13, 2024

The program is composed of several binaries as of 3.7.4 build 5725:

  • UninstallTool.exe, the GUI.
  • UninstallToolHelper.exe, going by its name, some helper.
  • CisUtMonitor.sys, filter driver involved in tracing.
  • UTShellExt.dll, shell extension.
  • UninstallTool.cpl, Control Panel applet?

Only the filter driver is built with permanent DEP, high entropy ASLR and Control Flow Guard. The main GUI, which runs elevated, only has DEP enabled, and the helper binary not even that. Because it is only a matter of using appropriate code generation and linker options I'd like to ask for them to be enabled; I feel uneasy running elevated processes like this in this day and age.

DEP: This one should be on by default and had to be switched off manually; it makes use of the NX bit.

  • Configuration Properties → Linker → Advanced → Data Execution Prevention (DEP).
  • Or adding the linker argument /NXCOMPAT.

ASLR:

  • Configuration Properties → Linker → Advanced → Randomized Base Address.
  • Or adding the linker argument /DYNAMICBASE.

There is an extra linker argument for 64-bit (high entropy) ASLR that doesn't have an equivalent Visual Studio GUI toggle and must be added at Configuration Properties → Linker → Command Line: /HIGHENTROPYVA. It seems that option was set for the GUI binary, but because ASLR itself wasn't turned on, it makes no difference.

Control Flow Guard:

  • Configuration Properties → C/C++ → Code Generation → Control Flow Guard.
  • Or adding the compiler argument /guard:cf. The compiler also passes that option to the linker, but if you are building manually and linking at a different stage, add it to the linker argument list as well.

There are a couple of extras for this, EH continuation metadata (also in the Code Generation section, /guard:ehcont) and CET Shadow Stack (at Linker → Advanced, /CETCOMPAT is the linker argument). The latter just marks the image as supporting CET for processors that can do it; it doesn't add anything else, and because it is just a flag in the header it makes no difference on processors that can't.

Please consider enabling those options; they don't require code changes and make the binaries more resilient.

More details on each of them:

PS. Older than CFG, but should also be present, is what's named "Security Check" at Code Generation (/GS); it uses canaries.
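The flags the issue asks for (/NXCOMPAT, /DYNAMICBASE, /HIGHENTROPYVA, /guard:cf) all end up as bits in the DllCharacteristics word of the PE optional header, which is what tools like `dumpbin /headers` display. The checker below is an added example, not code from the issue or from the Uninstall Tool project: it reads that word from a PE image and reports the mitigations the linker declared, applying the same rule the reporter describes (high entropy ASLR only counts when /DYNAMICBASE is also set, and only on 64-bit images). `build_pe()` fabricates minimal synthetic PE headers so the script runs offline; the three sample images are constructed to mirror the mix the reporter saw and are not the real binaries. /CETCOMPAT, /guard:ehcont and /GS are not visible in this word (the first two live in the load config and debug directories, /GS leaves no header flag), so they are out of scope here, and the GUARD_CF bit alone says the image was linked with CFG, not that the load config metadata is complete.

```python
"""Report linker-declared exploit mitigations from a PE image's DllCharacteristics."""
import struct
import sys

# Bit values from winnt.h (IMAGE_DLLCHARACTERISTICS_*), mapped to the linker switch.
HIGH_ENTROPY_VA = 0x0020  # /HIGHENTROPYVA
DYNAMIC_BASE = 0x0040     # /DYNAMICBASE (ASLR)
NX_COMPAT = 0x0100        # /NXCOMPAT (DEP)
GUARD_CF = 0x4000         # /guard:cf

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def read_dll_characteristics(data: bytes):
    """Return (optional-header magic, DllCharacteristics) from an in-memory PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    if size_of_optional < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (magic,) = struct.unpack_from("<H", data, opt)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    (dllchar,) = struct.unpack_from("<H", data, opt + 70)
    return magic, dllchar


def mitigation_report(data: bytes) -> dict:
    """Translate the raw bits into the mitigations discussed in the issue."""
    magic, flags = read_dll_characteristics(data)
    is_64bit = magic == PE32PLUS_MAGIC
    aslr = bool(flags & DYNAMIC_BASE)
    return {
        "dep": bool(flags & NX_COMPAT),
        "aslr": aslr,
        # /HIGHENTROPYVA has no effect without /DYNAMICBASE, and only applies to 64-bit images.
        "high_entropy_aslr": is_64bit and aslr and bool(flags & HIGH_ENTROPY_VA),
        "cfg": bool(flags & GUARD_CF),
    }


def build_pe(magic: int, dll_characteristics: int) -> bytes:
    """Constructed minimal PE headers (DOS header, PE signature, COFF header, optional
    header without data directories). Enough for the checker; not a loadable image."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    is_64bit = magic == PE32PLUS_MAGIC
    opt_size = 112 if is_64bit else 96
    machine = 0x8664 if is_64bit else 0x14C  # IMAGE_FILE_MACHINE_AMD64 / I386
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, 2)       # Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed samples mirroring the issue's description (not the real files):
# the driver has everything, the GUI has DEP plus a dangling /HIGHENTROPYVA, the helper has nothing.
SAMPLES = {
    "driver-like": build_pe(PE32PLUS_MAGIC, NX_COMPAT | DYNAMIC_BASE | HIGH_ENTROPY_VA | GUARD_CF),
    "gui-like": build_pe(PE32PLUS_MAGIC, NX_COMPAT | HIGH_ENTROPY_VA),
    "helper-like": build_pe(PE32PLUS_MAGIC, 0),
}


def check_file(path: str) -> dict:
    """Run the report against a PE file on disk."""
    with open(path, "rb") as fh:
        return mitigation_report(fh.read(4096))  # headers are always near the start


if __name__ == "__main__":
    targets = {p: check_file(p) for p in sys.argv[1:]} if len(sys.argv) > 1 else \
        {name: mitigation_report(img) for name, img in SAMPLES.items()}
    for name, report in targets.items():
        missing = [k for k, v in report.items() if not v]
        print(f"{name}: {'all declared' if not missing else 'missing ' + ', '.join(missing)}")
```

Run it with no arguments to see the three constructed samples, or pass real PE paths to audit a build output; a release checklist can simply fail when any key in the report is False.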
