google / perfetto

Performance instrumentation and tracing for Android, Linux and Chrome (read-only mirror of https://android.googlesource.com/platform/external/perfetto/)
https://www.perfetto.dev
Apache License 2.0

Build on Windows should compile additional security flags #816

Open ivberg opened 3 months ago

ivberg commented 3 months ago

This is related to similar errors using trace_processor_shell.exe under constrained security environment #635

Similar compiler flags are recommended to be used.

So we were looking to use trace_processor_shell.exe at Microsoft but the binary failed a set of security checks from BinSkim. These compile flags would be needed to use the binary.

[warning]

  1. Optional to fix (warning) BinSkim Warning BA2024 - File: file:///D:/a/_work/_temp/Microsoft.Performance.Toolkit.Plugins.PerfettoPlugin-1.5.5.ptix/plugin/trace_processor_shell.exe.

    Signature: bb153f488d6c6f10d936daa45314e203f796b8a444582e5b04226f08aec44667 Tool: BinSkim: Rule: BA2024 (EnableSpectreMitigations). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2024EnableSpectreMitigations 'trace_processor_shell.exe' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request. 
The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line: libcmt.lib,cxx,19.36.32533.0 (argv_mode.obj,commit_mode.obj,default_local_stdio_options.obj,delete_array.obj,delete_scalar.obj,delete_scalar_size.obj,denormal_control.obj,env_mode.obj,exe_main.obj,file_mode.obj,fltused.obj,gshandler.obj,gshandlereh.obj,gshandlereh4.obj,gshandlerseh.obj,initializers.obj,initsect.obj,invalid_parameter_handler.obj,matherr.obj,new_array.obj,new_mode.obj,new_scalar.obj,new_scalar_nothrow.obj,std_nothrow.obj,std_type_info_static.obj,thread_locale.obj,thread_safe_statics.obj,throw_bad_alloc.obj,tlsdyn.obj,tlssup.obj,tncleanup.obj,utility.obj,utility_desktop.obj) libcmt.lib,c,19.36.32533.0 (cpu_disp.obj,dyn_tls_dtor.obj,dyn_tls_init.obj,gs_cookie.obj,gs_report.obj,gs_support.obj,guard_support.obj,loadcfg.obj,matherr_detection.obj,pesect.obj,ucrt_detection.obj) libcpmt.lib,cxx,19.36.32533.0 (_tolower.obj,_toupper.obj,asan_noop.obj,cerr.obj,cond.obj,cthread.obj,iomanip.obj,ios.obj,iosptrs.obj,locale.obj,locale0.obj,mutex.obj,raisehan.obj,StlCompareStringA.obj,StlCompareStringW.obj,StlLCMapStringA.obj,StlLCMapStringW.obj,syserror.obj,syserror_import_lib.obj,thread0.obj,vector_algorithms.obj,winapisupp.obj,wlocale.obj,xdateord.obj,xgetwctype.obj,xlocale.obj,xlock.obj,xmbtowc.obj,xmtx.obj,xnotify.obj,xonce2.obj,xstol.obj,xstoll.obj,xstoul.obj,xstoull.obj,xstrcoll.obj,xstrxfrm.obj,xthrow.obj,xtime.obj,xtowlower.obj,xtowupper.obj,xwcscoll.obj,xwcsxfrm.obj,xwctomb.obj) libvcruntime.lib,cxx,19.36.32533.0 (chandler_noexcept.obj,ehhelpers.obj,ehstate.obj,frame.obj,initialization.obj,locks.obj,per_thread_data.obj,purevirt.obj,purevirt_data.obj,riscchandler.obj,risctrnsctrl.obj,softmemtag.obj,std_exception.obj,std_type_info.obj,throw.obj,undname.obj,winapi_downlevel.obj) libvcruntime.lib,c,19.36.32533.0 (jbcxrval.obj,jmpuwind.obj,strchr.obj,strrchr.obj,strstr.obj,wcschr.obj,wcsrchr.obj)

  2. Optional to fix (warning) BinSkim Note BA2025 - File: file:///D:/a/_work/_temp/Microsoft.Performance.Toolkit.Plugins.PerfettoPlugin-1.5.5.ptix/plugin/trace_processor_shell.exe.
    Signature: 8984a9935d3a4a9192e6f2ebeec7d34a11009823593c8341a1c53d20cc46eb9d Tool: BinSkim: Rule: BA2025 (EnableShadowStack). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2025EnableShadowStack 'trace_processor_shell.exe' does not enable the Control-flow Enforcement Technology (CET) Shadow Stack mitigation. To resolve this issue, pass /CETCOMPAT on the linker command lines.

[error]

  1. Should fix BinSkim Error BA2008 - File: file:///D:/a/_work/_temp/Microsoft.Performance.Toolkit.Plugins.PerfettoPlugin-1.5.6.ptix/plugin/trace_processor_shell.exe.
    Signature: 1f235194c05841f2e4c479175283e6a8cfa2d94cda552a735cd9a19bf4cb9cd3 Tool: BinSkim: Rule: BA2008 (EnableControlFlowGuard). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2008EnableControlFlowGuard 'trace_processor_shell.exe' does not enable the control flow guard (CFG) mitigation. To resolve this issue, pass /guard:cf on both the compiler and linker command lines. Binaries also require the /DYNAMICBASE linker option in order to enable CFG.

ivberg commented 3 months ago

Please hold - this may be outdated. I forgot the full history here including some manual steps, and I think this is from the v38 version. #635 was fixed AFTER v38. Testing if v45 resolves the errors.

ivberg commented 3 months ago

Ok - indeed Perfetto v45 fixes the error. I am leaving the new scan howto and warnings here in case someone wants to fix (optional).

Using https://github.com/google/perfetto/releases/download/v45.0/windows-amd64.zip unzipped to, say, Downloads\windows-amd64\windows-amd64

cd microsoft.codeanalysis.binskim.1.9.5\tools\netcoreapp3.1\win-x64

BinSkim.exe analyze --config default --recurse --verbose --sarif-output-version OneZeroZero --sympath windows-amd64\windows-amd64 windows-amd64\windows-amd64\trace_processor_shell.exe

  1. trace_processor_shell.exe: warning BA2004: 'trace_processor_shell.exe' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy: Microsoft (R) Macro Assembler : masm : 14.15.26706.0 : libcmt.lib (amdsecgs.obj,chkstk.obj,guard_dispatch.obj) Microsoft (R) Macro Assembler : masm : 14.15.26706.0 : libvcruntime.lib (handlers.obj,memchr.obj,memcmp.obj,memcpy.obj,memset.obj,notify.obj) Microsoft (R) Optimizing Compiler : c : 19.15.26706.0 : libcmt.lib (cpu_disp.obj,dyn_tls_dtor.obj,dyn_tls_init.obj,gs_cookie.obj,gs_report.obj,gs_support.obj,guard_support.obj,loadcfg.obj,matherr_detection.obj,pesect.obj,ucrt_detection.obj) Microsoft (R) Optimizing Compiler : c : 19.15.26706.0 : libcpmt.lib (_tolower.obj,_toupper.obj,cthread.obj,xgetwctype.obj,xmbtowc.obj,xmtx.obj,xnotify.obj,xstol.obj,xstoll.obj,xstoul.obj,xstoull.obj,xstrcoll.obj,xstrxfrm.obj,xtime.obj,xtowlower.obj,xtowupper.obj,xwcscoll.obj,xwcsxfrm.obj,xwctomb.obj) Microsoft (R) Optimizing Compiler : c : 19.15.26706.0 : libvcruntime.lib (jbcxrval.obj,jmpuwind.obj,strchr.obj,strrchr.obj,strstr.obj,wcschr.obj,wcsrchr.obj) Microsoft (R) Optimizing Compiler : cxx : 19.15.26706.0 : libcmt.lib 
(argv_mode.obj,commit_mode.obj,default_local_stdio_options.obj,delete_array.obj,delete_array_size.obj,delete_scalar.obj,delete_scalar_size.obj,denormal_control.obj,ehvecctr.obj,ehvecdtr.obj,env_mode.obj,exe_main.obj,file_mode.obj,gshandler.obj,gshandlereh.obj,gshandlerseh.obj,initializers.obj,initsect.obj,invalid_parameter_handler.obj,matherr.obj,new_array.obj,new_mode.obj,new_scalar.obj,new_scalar_nothrow.obj,std_nothrow.obj,std_type_info_static.obj,thread_locale.obj,thread_safe_statics.obj,throw_bad_alloc.obj,tlssup.obj,tncleanup.obj,utility.obj,utility_desktop.obj) Microsoft (R) Optimizing Compiler : cxx : 19.15.26706.0 : libconcrt.lib (CacheLocalScheduleGroup.obj,Chores.obj,Context.obj,ContextBase.obj,event.obj,Exceptions.obj,ExecutionResource.obj,ExternalContextBase.obj,FairScheduleGroup.obj,FreeThreadProxy.obj,FreeVirtualProcessorRoot.obj,HillClimbing.obj,InternalContextBase.obj,location.obj,Platform.obj,RealizedChore.obj,ResourceManager.obj,rtlocks.obj,ScheduleGroupBase.obj,SchedulerBase.obj,SchedulerPolicyBase.obj,SchedulerProxy.obj,SchedulingNode.obj,SchedulingRing.obj,SearchAlgorithms.obj,staticinits.obj,SubAllocator.obj,TaskCollection.obj,TaskCollectionBase.obj,ThreadProxy.obj,ThreadProxyFactoryManager.obj,ThreadScheduler.obj,ThreadVirtualProcessor.obj,Trace.obj,Transmogrificator.obj,TransmogrifiedPrimary.obj,UMSBackgroundPoller.obj,UMSFreeThreadProxy.obj,UMSFreeVirtualProcessorRoot.obj,UMSSchedulerProxy.obj,UMSSchedulingContext.obj,UMSThreadInternalContext.obj,UMSThreadProxy.obj,UMSThreadScheduler.obj,UMSThreadVirtualProcessor.obj,UMSWrapper.obj,utils.obj,VirtualProcessor.obj,VirtualProcessorRoot.obj,WinRTWrapper.obj,WorkQueue.obj) Microsoft (R) Optimizing Compiler : cxx : 19.15.26706.0 : libcpmt.lib 
(cerr.obj,cond.obj,excptptr.obj,iomanip.obj,ios.obj,iosptrs.obj,locale.obj,locale0.obj,mutex.obj,ppltasks.obj,raisehan.obj,StlCompareStringA.obj,StlCompareStringW.obj,StlLCMapStringA.obj,StlLCMapStringW.obj,syserror.obj,thread0.obj,vector_algorithms.obj,winapinls.obj,winapisupp.obj,wlocale.obj,xdateord.obj,xlocale.obj,xlock.obj,xonce.obj,xthrow.obj) Microsoft (R) Optimizing Compiler : cxx : 19.15.26706.0 : libvcruntime.lib (ehhelpers.obj,ehstate.obj,frame.obj,initialization.obj,locks.obj,per_thread_data.obj,purevirt.obj,purevirt_data.obj,riscchandler.obj,risctrnsctrl.obj,rtti.obj,std_exception.obj,std_type_info.obj,throw.obj,uncaught_exception.obj,undname.obj,winapi_downlevel.obj)

  2. trace_processor_shell.exe: warning BA2024: 'trace_processor_shell.exe' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request. The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line: libcmt.lib,cxx,19.15.26706.0 (argv_mode.obj,commit_mode.obj,default_local_stdio_options.obj,delete_array.obj,delete_array_size.obj,delete_scalar.obj,delete_scalar_size.obj,denormal_control.obj,ehvecctr.obj,ehvecdtr.obj,env_mode.obj,exe_main.obj,file_mode.obj,fltused.obj,gshandler.obj,gshandlereh.obj,gshandlerseh.obj,initializers.obj,initsect.obj,invalid_parameter_handler.obj,matherr.obj,new_array.obj,new_mode.obj,new_scalar.obj,new_scalar_nothrow.obj,std_nothrow.obj,std_type_info_static.obj,thread_locale.obj,thread_safe_statics.obj,throw_bad_alloc.obj,tlssup.obj,tncleanup.obj,utility.obj,utility_desktop.obj) libcmt.lib,c,19.15.26706.0 (cpu_disp.obj,dyn_tls_dtor.obj,dyn_tls_init.obj,gs_cookie.obj,gs_report.obj,gs_support.obj,guard_support.obj,loadcfg.obj,matherr_detection.obj,pesect.obj,ucrt_detection.obj) libcpmt.lib,cxx,19.15.26706.0 
(cerr.obj,cond.obj,excptptr.obj,iomanip.obj,ios.obj,iosptrs.obj,locale.obj,locale0.obj,mutex.obj,ppltasks.obj,raisehan.obj,StlCompareStringA.obj,StlCompareStringW.obj,StlLCMapStringA.obj,StlLCMapStringW.obj,syserror.obj,thread0.obj,vector_algorithms.obj,winapinls.obj,winapisupp.obj,wlocale.obj,xdateord.obj,xlocale.obj,xlock.obj,xonce.obj,xthrow.obj) libcpmt.lib,c,19.15.26706.0 (_tolower.obj,_toupper.obj,cthread.obj,xgetwctype.obj,xmbtowc.obj,xmtx.obj,xnotify.obj,xstol.obj,xstoll.obj,xstoul.obj,xstoull.obj,xstrcoll.obj,xstrxfrm.obj,xtime.obj,xtowlower.obj,xtowupper.obj,xwcscoll.obj,xwcsxfrm.obj,xwctomb.obj) libconcrt.lib,cxx,19.15.26706.0 (CacheLocalScheduleGroup.obj,Chores.obj,Context.obj,ContextBase.obj,event.obj,Exceptions.obj,ExecutionResource.obj,ExternalContextBase.obj,FairScheduleGroup.obj,FreeThreadProxy.obj,FreeVirtualProcessorRoot.obj,HillClimbing.obj,InternalContextBase.obj,location.obj,Platform.obj,RealizedChore.obj,ResourceManager.obj,rtlocks.obj,ScheduleGroupBase.obj,SchedulerBase.obj,SchedulerPolicyBase.obj,SchedulerProxy.obj,SchedulingNode.obj,SchedulingRing.obj,SearchAlgorithms.obj,staticinits.obj,SubAllocator.obj,TaskCollection.obj,TaskCollectionBase.obj,ThreadProxy.obj,ThreadProxyFactoryManager.obj,ThreadScheduler.obj,ThreadVirtualProcessor.obj,Trace.obj,Transmogrificator.obj,TransmogrifiedPrimary.obj,UMSBackgroundPoller.obj,UMSFreeThreadProxy.obj,UMSFreeVirtualProcessorRoot.obj,UMSSchedulerProxy.obj,UMSSchedulingContext.obj,UMSThreadInternalContext.obj,UMSThreadProxy.obj,UMSThreadScheduler.obj,UMSThreadVirtualProcessor.obj,UMSWrapper.obj,utils.obj,VirtualProcessor.obj,VirtualProcessorRoot.obj,WinRTWrapper.obj,WorkQueue.obj) libvcruntime.lib,cxx,19.15.26706.0 (ehhelpers.obj,ehstate.obj,frame.obj,initialization.obj,locks.obj,per_thread_data.obj,purevirt.obj,purevirt_data.obj,riscchandler.obj,risctrnsctrl.obj,rtti.obj,std_exception.obj,std_type_info.obj,throw.obj,uncaught_exception.obj,undname.obj,winapi_downlevel.obj) 
libvcruntime.lib,c,19.15.26706.0 (jbcxrval.obj,jmpuwind.obj,strchr.obj,strrchr.obj,strstr.obj,wcschr.obj,wcsrchr.obj)

  3. trace_processor_shell.exe: warning BA2025: 'trace_processor_shell.exe' does not enable the Control-flow Enforcement Technology (CET) Shadow Stack mitigation. To resolve this issue, pass /CETCOMPAT on the linker command lines.

LalitMaganti commented 3 months ago

Thanks for filing, 2 and 3 make sense but I'm a bit confused by 1: wasn't this implemented already in https://github.com/google/perfetto/commit/2a4f01d2fc828bfb7a80926586c22d8b004aa1e9?

ivberg commented 3 months ago

I agree. I am confused by (1) as well since https://github.com/google/perfetto/commit/2a4f01d2fc828bfb7a80926586c22d8b004aa1e9 code looks like it does add "/ZH:SHA_256". My best guess is some sub-lib compiled into the .exe didn't have that on or something like that??

LalitMaganti commented 3 months ago

That would be very strange, we build all our deps from source and I'm pretty sure that the command lines you see there are used for all of our deps as well (unless there's some special dep I'm not thinking about).