Enable shadow-stack

Updating shadowstack logic

Removing debugging files

Improving message strings

Updating tests

src/BinSkim.Rules/PERules/BA2025.EnableShadowStack.cs

@@ -0,0 +1,96 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+using System.Collections.Generic;
+using System.Composition;
+using System.Reflection.PortableExecutable;
+
+using Microsoft.CodeAnalysis.BinaryParsers;
+using Microsoft.CodeAnalysis.BinaryParsers.PortableExecutable;
+using Microsoft.CodeAnalysis.IL.Sdk;
+using Microsoft.CodeAnalysis.Sarif;
+using Microsoft.CodeAnalysis.Sarif.Driver;
+
+namespace Microsoft.CodeAnalysis.IL.Rules
+{
+    [Export(typeof(Skimmer<BinaryAnalyzerContext>)), Export(typeof(ReportingDescriptor)), Export(typeof(IOptionsProvider))]
+    public class EnableShadowStack : WindowsBinaryAndPdbSkimmerBase
+    {
+        private const int IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS = 20;
+        private const ushort IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT = 0x001;
+
+        /// <summary>
+        /// BA2025
+        /// </summary>
+        public override string Id => RuleIds.EnableShadowStack;
+
+        /// <summary>
+        /// Control-flow Enforcement Technology (CET) Shadow Stack is a computer processor feature
+        /// that provides capabilities to defend against return-oriented programming (ROP) based
+        /// malware attacks.
+        /// </summary>
+        public override MultiformatMessageString FullDescription => new MultiformatMessageString
+        {
+            Text = RuleResources.BA2025_EnableShadowStack_Description
+        };
+
+        protected override IEnumerable<string> MessageResourceNames => new string[] {
+            nameof(RuleResources.BA2025_Pass),
+            nameof(RuleResources.BA2025_Warning),
+            nameof(RuleResources.NotApplicable_InvalidMetadata)
+        };
+
+        public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
+        {
+            PE portableExecutable = target.PE;
+            AnalysisApplicability result = AnalysisApplicability.NotApplicableToSpecifiedTarget;
+
+            reasonForNotAnalyzing = MetadataConditions.ImageIsILOnlyAssembly;
+            if (portableExecutable.IsILOnly) { return result; }
+
+            reasonForNotAnalyzing = MetadataConditions.ImageIsResourceOnlyBinary;
+            if (portableExecutable.IsResourceOnly) { return result; }
+
+            reasonForNotAnalyzing = MetadataConditions.ImageIsNativeUniversalWindowsPlatformBinary;
+            if (portableExecutable.IsNativeUniversalWindowsPlatform) { return result; }
+
+            reasonForNotAnalyzing = null;
+            return AnalysisApplicability.ApplicableToSpecifiedTarget;
+        }
+
+        public override void AnalyzePortableExecutableAndPdb(BinaryAnalyzerContext context)
+        {
+            PEBinary target = context.PEBinary();
+            IEnumerable<DebugDirectoryEntry> debugDirectories = target.PE.DebugDirectories;
+
+            if (debugDirectories == null)
+            {
+                return;
+            }
+
+            foreach (DebugDirectoryEntry debugDirectory in debugDirectories)
+            {
+                if (debugDirectory.Type == (DebugDirectoryEntryType)IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS)
+                {
+                    PEMemoryBlock memory = target.PE.GetSectionData(debugDirectory.DataRelativeVirtualAddress);
+                    if ((memory.GetReader().ReadUInt16() & IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT) == IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT)
+                    {
+                        // '{0}' enables the Control-flow Enforcement Technology (CET) Shadow Stack mitigation.
+                        context.Logger.Log(this,
+                            RuleUtilities.BuildResult(ResultKind.Pass, context, null,
+                            nameof(RuleResources.BA2025_Pass),
+                            context.TargetUri.GetFileName()));
+                        return;
+                    }
+                }
+            }
+
+            // '{0}' does not enable the Control-flow Enforcement Technology (CET) Shadow Stack mitigation.
+            // To resolve this issue, pass /CETCOMPAT on the linker command lines.
+            context.Logger.Log(this,
+                RuleUtilities.BuildResult(FailureLevel.Warning, context, null,
+                nameof(RuleResources.BA2025_Warning),
+                context.TargetUri.GetFileName()));
+        }
+    }
+}

src/BinSkim.Rules/RuleIds.cs

@@ -39,6 +39,7 @@ internal static class RuleIds
         public const string SignSecurely = "BA2022";
 
         public const string EnableSpectreMitigations = "BA2024";
+        public const string EnableShadowStack = "BA2025";
 
         // ELF Checks
         public const string EnablePositionIndependentExecutable = "BA3001";
@@ -48,6 +49,7 @@ internal static class RuleIds
 
         // Skipping some check namespace (BA3004-3009) for future checks
         public const string EnableReadOnlyRelocations = "BA3010";
+
         public const string EnableBindNow = "BA3011";
 
         // BA3012-3029 -- saved for future non-compiler/language specific checks.

src/BinSkim.Rules/RuleResources.resx

@@ -391,7 +391,7 @@ Modules triggering this check were:
     <value>The following modules were compiled with a toolset that supports /Qspectre but the deprecated /d2guardspecload argument was specified on the command-line instead: {0}</value>
   </data>
   <data name="BA3001_EnablePositionIndependentExecutable_Description" xml:space="preserve">
-    <value>A Position Independent Executable (PIE) relocates all of its sections at load time, including the code section, if ASLR is enabled in the Linux kernel (instead of just the stack/heap).  This makes ROP-style attacks more difficult. This can be enabled by passing '-f pie' to clang/gcc.</value>
+    <value>A Position Independent Executable (PIE) relocates all of its sections at load time, including the code section, if ASLR is enabled in the Linux kernel (instead of just the stack/heap). This makes ROP-style attacks more difficult. This can be enabled by passing '-f pie' to clang/gcc.</value>
   </data>
   <data name="BA3001_Error" xml:space="preserve">
     <value>PIE disabled on executable '{0}'.  This means the code section will always be loaded to the same address, even if ASLR is enabled in the Linux kernel.  To address this, ensure you are compiling with '-fpie' when using clang/gcc.</value>
@@ -499,4 +499,13 @@ Modules triggering this check were:
   <data name="BA4001_ReportCompilerData_Description" xml:space="preserve">
     <value>This rule emits CSV data to the console for every compiler/language/version combination that's observed in any PDB-linked compiland.</value>
   </data>
+  <data name="BA2025_EnableShadowStack_Description" xml:space="preserve">
+    <value>Control-flow Enforcement Technology (CET) Shadow Stack is a computer processor feature that provides capabilities to defend against return-oriented programming (ROP) based malware attacks.</value>
+  </data>
+  <data name="BA2025_Warning" xml:space="preserve">
+    <value>'{0}' does not enable the Control-flow Enforcement Technology (CET) Shadow Stack mitigation. To resolve this issue, pass /CETCOMPAT on the linker command lines.</value>
+  </data>
+  <data name="BA2025_Pass" xml:space="preserve">
+    <value>'{0}' enables the Control-flow Enforcement Technology (CET) Shadow Stack mitigation.</value>
+  </data>
 </root>

src/BinaryParsers/PEBinary/PortableExecutable/PE.cs

@@ -804,6 +804,11 @@ public bool IsWixBinary
             }
         }
 
+        public PEMemoryBlock GetSectionData(int dataRelativeVirtualAddress)
+        {
+            return peReader.GetSectionData(dataRelativeVirtualAddress);
+        }
+
         public ChecksumAlgorithmType ManagedPdbSourceFileChecksumAlgorithm(PdbFileType pdbFileType)
         {
             return pdbFileType == PdbFileType.Windows

src/Test.FunctionalTests.BinSkim.Rules/RuleTests.cs

@@ -1091,6 +1091,24 @@ public void BA2024_EnableSpectreMitigations_Fail()
             }
         }
 
+        [Fact]
+        public void BA2025_EnableShadowStack_Pass()
+        {
+            if (BinaryParsers.PlatformSpecificHelpers.RunningOnWindows())
+            {
+                this.VerifyPass(new EnableShadowStack(), useDefaultPolicy: true);
+            }
+        }
+
+        [Fact]
+        public void BA2025_EnableShadowStack_Fail()
+        {
+            if (BinaryParsers.PlatformSpecificHelpers.RunningOnWindows())
+            {
+                this.VerifyFail(new EnableShadowStack(), useDefaultPolicy: true);
+            }
+        }
+
         [Fact]
         public void BA3001_EnablePositionIndependentExecutable_Pass()
         {