microsoft / go

The Microsoft build of the Go toolset
BSD 3-Clause "New" or "Revised" License

Enable BIND_NOW in ELF binaries (BinSkim) #851

Open dagood opened 1 year ago

dagood commented 1 year ago

https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3011EnableBindNow

Example: https://devdiv.visualstudio.com/DevDiv/_queries/edit/1727438

This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory. This prevents them from being overwritten, which can redirect control flow. Use the compiler flags '-Wl,-z,now' to enable this.

Related: https://go-review.googlesource.com/c/go/+/312509

dagood commented 1 year ago

This rule (BA3011) seems to be a minimally altered copy of the rule BA3010 that we are already ignoring, https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-ba3010enablereadonlyrelocations:

This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory. This prevents them from being overwritten, which can redirect control flow. Use the compiler flags '-Wl,-z,relro' to enable this.

  <!-- Go doesn't enable relro by default: https://github.com/microsoft/go/issues/104 -->
  <Properties Key="BA3010.EnableReadOnlyRelocations.Options" Type="PropertiesDictionary">
    <Property Key="RuleEnabled" Value="Disabled" Type="Driver.RuleEnabledState" />
  </Properties>

qmuntal commented 7 months ago

Go 1.23 will support BIND_NOW, both for Go and cgo relocations: https://go-review.googlesource.com/c/go/+/571416/4.
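
To verify a built binary for the two properties discussed in this thread, the standard ELF markers left by `-z relro` and `-z now` can be read with Go's `debug/elf` package. This is an added example, not code from BinSkim, the Go project or any commenter; the helper name `bindNow` is hypothetical and only ELF64 files are handled.

```go
package main

import (
	"debug/elf"
	"encoding/binary"
	"log"
	"os"
)

// bindNow scans raw ELF64 .dynamic entries (16 bytes each: d_tag, d_val) for
// any of the markers "-z now" sets: DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW.
func bindNow(dyn []byte, bo binary.ByteOrder) bool {
	for off := 0; off+16 <= len(dyn); off += 16 {
		tag, val := elf.DynTag(bo.Uint64(dyn[off:])), bo.Uint64(dyn[off+8:])
		switch {
		case tag == elf.DT_NULL: // end of table, later bytes are not entries
			return false
		case tag == elf.DT_BIND_NOW,
			tag == elf.DT_FLAGS && val&uint64(elf.DF_BIND_NOW) != 0,
			tag == elf.DT_FLAGS_1 && val&uint64(elf.DF_1_NOW) != 0:
			return true
		}
	}
	return false
}

// main prints, for each path given, whether a PT_GNU_RELRO segment exists
// (what "-z relro" produces) and whether BIND_NOW is set ("-z now").
func main() {
	for _, path := range os.Args[1:] {
		f, err := elf.Open(path)
		if err != nil {
			log.Fatal(err)
		}
		relro, now := false, false
		for _, p := range f.Progs {
			relro = relro || p.Type == elf.PT_GNU_RELRO
		}
		if s := f.Section(".dynamic"); s != nil && f.Class == elf.ELFCLASS64 {
			if data, err := s.Data(); err == nil {
				now = bindNow(data, f.ByteOrder)
			}
		}
		log.Printf("%s: relro=%v bind_now=%v", path, relro, now)
		f.Close()
	}
}
```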