Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Exclude ARM Binaries from BA2025 analysis #650

Merged
merged 8 commits into from
Jun 13, 2022
Merged
Show file tree
Hide file tree
Changes from 3 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions src/BinSkim.Rules/PERules/BA2025.EnableShadowStack.cs
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,12 @@ public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.Proper
return notApplicable;
}

if (portableExecutable.Machine == Machine.Arm || portableExecutable.Machine == Machine.ArmThumb2)
{
reasonForNotAnalyzing = MetadataConditions.ImageIsArmBinary;
return notApplicable;
}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the only logic update for this change. Specifically, excluding ARM binaries from BA2025 analysis in a similar fashion as ARM64 binaries.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice code comment! Absolutely the info I was looking for. :)


reasonForNotAnalyzing = null;
return AnalysisApplicability.ApplicableToSpecifiedTarget;
}
Expand Down
1 change: 1 addition & 0 deletions src/BinSkim.Sdk/MetadataConditions.cs
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ public static class MetadataConditions
public static readonly string ImageIsNotExe = SdkResources.MetadataCondition_ImageIsNotExe;
public static readonly string ImageIsNotMachO = SdkResources.MetadataCondition_ImageIsNotMachO;
public static readonly string CouldNotLoadPdb = SdkResources.MetadataCondition_CouldNotLoadPdb;
public static readonly string ImageIsArmBinary = SdkResources.MetadataCondition_ImageIsArmBinary;
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

public static readonly string ImageIsArmBinary = SdkResources.MetadataCondition_ImageIsArmBinary;

Add a MetadataConditions entry for ARMBinaries. This is separate as changing the previous user facing string could confuse customers by changing details in the results.

public static readonly string ImageIsDebugOnly = SdkResources.MetadataCondition_ImageIsDebugOnly;
public static readonly string ImageIsNotSigned = SdkResources.MetadataCondition_ImageIsNotSigned;
public static readonly string ImageIsWixBinary = SdkResources.MetadataCondition_ImageIsWixBinary;
Expand Down
11 changes: 10 additions & 1 deletion src/BinSkim.Sdk/SdkResources.Designer.cs

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 3 additions & 0 deletions src/BinSkim.Sdk/SdkResources.resx
Original file line number Diff line number Diff line change
Expand Up @@ -243,4 +243,7 @@
<data name="MetadataCondition_ImageIsArm64BitBinary" xml:space="preserve">
<value>image is an ARM64 binary</value>
</data>
<data name="MetadataCondition_ImageIsArmBinary" xml:space="preserve">
<value>image is an ARM binary</value>
</data>
</root>
1 change: 1 addition & 0 deletions src/ReleaseHistory.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@
* Bump ELFSharp from 2.14.0 to 2.15.0. [#631](https://github.com/microsoft/binskim/pull/631)
* FEATURE: Enable BinSkim for MacOS. [#576](https://github.com/microsoft/binskim/pull/576)
* Bump Sarif.Sdk by updating submodule from [4e9f606 to fc9a9df](https://github.com/microsoft/sarif-sdk/compare/4e9f606bb0e88428866e253352cdc70dc68f98cb...fc9a9dfb865096b5aaa9fa3651854670940f7459). [#638](https://github.com/microsoft/binskim/pull/638)
* BUGFIX: Fix `BA2025.EnableShadowStack` warning for ARM Binaries which cannot use `/CETCOMPAT`. [#650 ](https://github.com/microsoft/binskim/pull/650)

## **v1.9.4** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.9.4)

Expand Down
Binary file not shown.
Binary file not shown.
70 changes: 66 additions & 4 deletions src/Test.FunctionalTests.BinSkim.Rules/RuleTests.cs
Original file line number Diff line number Diff line change
Expand Up @@ -248,6 +248,30 @@ private void VerifyThrows<ExceptionType>(
}
}

private void VerifyApplicabililty(
BinarySkimmer skimmer,
HashSet<string> applicabilityConditions,
string expectedReasonForNotAnalyzing,
AnalysisApplicability expectedApplicability = AnalysisApplicability.NotApplicableToSpecifiedTarget,
bool useDefaultPolicy = false)
{

string ruleName = skimmer.GetType().Name;
string testFilesDirectory = GetTestDirectoryFor(ruleName);
testFilesDirectory = Path.Combine(Environment.CurrentDirectory, "FunctionalTestData", testFilesDirectory);
testFilesDirectory = Path.Combine(testFilesDirectory, "NotApplicable");

HashSet<string> targets = this.GetTestFilesMatchingConditions(applicabilityConditions);

VerifyApplicabilityResults(
skimmer,
targets,
useDefaultPolicy,
expectedApplicability,
ruleName,
expectedReasonForNotAnalyzing);
}

private void VerifyApplicability(
BinarySkimmer skimmer,
HashSet<string> applicabilityConditions,
Expand All @@ -261,8 +285,6 @@ private void VerifyApplicability(
testFilesDirectory = Path.Combine(Environment.CurrentDirectory, "FunctionalTestData", testFilesDirectory);
testFilesDirectory = Path.Combine(testFilesDirectory, "NotApplicable");

var context = new BinaryAnalyzerContext();

HashSet<string> targets = this.GetTestFilesMatchingConditions(applicabilityConditions);

if (Directory.Exists(testFilesDirectory))
Expand All @@ -276,6 +298,26 @@ private void VerifyApplicability(
}
}

VerifyApplicabilityResults(
skimmer,
targets,
useDefaultPolicy,
expectedApplicability,
ruleName,
expectedReasonForNotAnalyzing);
}

private void VerifyApplicabilityResults(
BinarySkimmer skimmer,
HashSet<string> targets,
bool useDefaultPolicy,
AnalysisApplicability expectedApplicability,
string ruleName,
string expectedReasonForNotAnalyzing)
{
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Created method for shared code.


var context = new BinaryAnalyzerContext();
Copy link
Collaborator

@shaopeng-gh shaopeng-gh Jun 10, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

first line empty can be removed. #Closed


var logger = new TestMessageLogger();
context.Logger = logger;

Expand Down Expand Up @@ -460,6 +502,17 @@ private HashSet<string> GetTestFilesMatchingConditions(HashSet<string> metadataC
result.Add(Path.Combine(testFilesDirectory, "DotnetNative_x86_VS2019_UniversalApp.exe"));
}

if (metadataConditions.Contains(MetadataConditions.ImageIsArmBinary))
{
result.Add(Path.Combine(testFilesDirectory, "ARM_CETShadowStack_NotApplicable.exe"));
Copy link
Collaborator

@shaopeng-gh shaopeng-gh Jun 10, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ARM_CETShadowStack_NotApplicable.exe

nice, how did you generate this file, please add the step in md file
\docs\FunctionalTestBuildScripts.md #Closed

}

if (metadataConditions.Contains(MetadataConditions.ImageIsArm64BitBinary))
{
result.Add(Path.Combine(testFilesDirectory, "ARM64_CETShadowStack_NotApplicable.exe"));
result.Add(Path.Combine(testFilesDirectory, "ARM64_dotnet_CETShadowStack_NotApplicable.exe"));
}

return result;
}

Expand Down Expand Up @@ -1166,10 +1219,19 @@ public void BA2025_EnableShadowStack_Fail()
[Fact]
public void BA2025_EnableShadowStack_NotApplicable()
{
this.VerifyApplicability(
HashSet<string> notApplicableArm64 = new HashSet<string>() { MetadataConditions.ImageIsArm64BitBinary };

this.VerifyApplicabililty(
skimmer: new EnableShadowStack(),
applicabilityConditions: null,
applicabilityConditions: notApplicableArm64,
expectedReasonForNotAnalyzing: MetadataConditions.ImageIsArm64BitBinary);

HashSet<string> notApplicableArm = new HashSet<string>() { MetadataConditions.ImageIsArmBinary };

this.VerifyApplicabililty(
skimmer: new EnableShadowStack(),
applicabilityConditions: notApplicableArm64,
expectedReasonForNotAnalyzing: MetadataConditions.ImageIsArmBinary);
}

[Fact]
Expand Down