Harden native Windows DLL compilation#4768
Conversation
Enable Code Flow Guard (CFG), Address Space Layout Randomization (ASLR) and Control-flow Enforcement Technology (CET) for native projects to harden the DLLs for release builds.
Add CHANGELOG entry.
Pull request overview
This PR hardens native C/C++ DLLs by enabling Microsoft-recommended security features (Control Flow Guard, Address Space Layout Randomization, and Control-flow Enforcement Technology) for release builds to address BinSkim security analysis findings.
Changes:
- Enable Control Flow Guard (CFG) via `LinkControlFlowGuard` and `ControlFlowGuard` compiler settings
- Enable Address Space Layout Randomization (ASLR) via `DynamicBase` linker setting
- Enable Control-flow Enforcement Technology (CET) via `CETCompat` linker setting
- Update CHANGELOG.md to document the security hardening
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| src/OpenTelemetry.AutoInstrumentation.Native/OpenTelemetry.AutoInstrumentation.Native.vcxproj | Adds CFG, ASLR, and CET security settings to Release |
| src/OpenTelemetry.AutoInstrumentation.Native/OpenTelemetry.AutoInstrumentation.Native.DLL.vcxproj | Adds CFG, ASLR, and CET security settings to Release |
| CHANGELOG.md | Documents the addition of ASLR, CET and CFG for native profiler libraries on Windows |
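As an added check (example code written for this review, not part of the PR or the project), a small Python reader for the PE optional header's DllCharacteristics field, which is where /DYNAMICBASE (ASLR) and /GUARD:CF (CFG) are recorded and what BinSkim inspects; it also reports the high-entropy-VA and NX bits, which this PR does not touch. CET compatibility (/CETCOMPAT) lives in the IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS debug-directory entry rather than in this field, so it is not checked here. The stub image builder produces constructed test data, not a loadable DLL.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h (optional header, DllCharacteristics field)
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with high-entropy addresses (/HIGHENTROPYVA)
DYNAMIC_BASE = 0x0040      # image may be relocated at load: ASLR (/DYNAMICBASE)
NX_COMPAT = 0x0100         # DEP / NX compatible (/NXCOMPAT)
GUARD_CF = 0x4000          # Control Flow Guard checks and metadata present (/GUARD:CF)

EXPECTED = {"aslr": DYNAMIC_BASE, "high_entropy_va": HIGH_ENTROPY_VA,
            "nx": NX_COMPAT, "cfg": GUARD_CF}


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics flags of a PE image given its raw bytes."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_hdr = e_lfanew + 4 + 20            # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt_hdr)[0]
    if magic not in (0x10B, 0x20B):        # PE32 / PE32+
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    # DllCharacteristics is at offset 70 of the optional header in both layouts.
    return struct.unpack_from("<H", image, opt_hdr + 70)[0]


def missing_mitigations(image: bytes) -> list:
    """Names of expected mitigations whose bit is clear, in EXPECTED order."""
    flags = dll_characteristics(image)
    return [name for name, bit in EXPECTED.items() if not flags & bit]


def build_stub_pe(flags: int, magic: int = 0x20B) -> bytes:
    """Constructed header-only x64 PE image for testing; not a loadable module."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    # Machine=AMD64, 0 sections, 240-byte optional header, DLL|LARGE_ADDRESS_AWARE|EXECUTABLE
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, flags)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        print(missing_mitigations(f.read()) or "all expected mitigations present")
```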
Redundant as `CETCompat=true`.
Kielek
left a comment
LGTM.
What's about Linux/macOS? Should similar changes be applied there?
As far as I'm aware, these are Windows/Microsoft compiler technologies. There might be similar things available for other OS'/compiler toolchains (like ASLR), but I'd have to go away and research that.
I think I've found some information about how to enable equivalents for CMake for Linux and macOS, but I'll do that in a separate PR.
BinSkim output before and after changes. v1.13.0c1667cc
Why
Harden native C/C++ DLLs by adopting Microsoft-recommended Defence-in-Depth compiler technologies.
For example, running BinSkim against the DLLs in the latest release reports the following error:
What
Enable Code Flow Guard (CFG), Address Space Layout Randomization (ASLR) and Control-flow Enforcement Technology (CET) for native projects to harden the C/C++ DLLs for release builds.
Tests
Existing tests should pass.
Checklist
- CHANGELOG.md is updated.
- Documentation is updated.
- New features are covered by tests.