Harden native Windows DLL compilation #4768

Merged

Kielek merged 4 commits into open-telemetry:main from martincostello:enable-native-control-flow-guard
Jan 14, 2026
@martincostello martincostello commented Jan 14, 2026

Why

Harden native C/C++ DLLs by adopting Microsoft-recommended Defence-in-Depth compiler technologies.

For example, running BinSkim against the DLLs in the latest release reports the following error:

opentelemetry-dotnet-instrumentation-nuget-packages\OpenTelemetry.AutoInstrumentation.Runtime.Native.1.13.0.nupkg\runtimes\win-x86\native\OpenTelemetry.AutoInstrumentation.Native.dll: error BA2008: 'OpenTelemetry.AutoInstrumentation.Native.dll' does not enable the control flow guard (CFG) mitigation.
To resolve this issue, pass /guard:cf on both the compiler and linker command lines. Binaries also require the /DYNAMICBASE linker option in order to enable CFG.
For VC projects use ItemDefinitionGroup - ClCompile - ControlFlowGuard property with 'Guard' value, link CFG property will be set automatically.

What

Enable Code Flow Guard (CFG), Address Space Layout Randomization (ASLR) and Control-flow Enforcement Technology (CET) for native projects to harden the C/C++ DLLs for release builds.

Tests

Existing tests should pass.

Checklist

  • CHANGELOG.md is updated.
  • Documentation is updated.
  • New features are covered by tests.

Enable Code Flow Guard (CFG), Address Space Layout Randomization (ASLR) and Control-flow Enforcement Technology (CET) for native projects to harden the DLLs for release builds.
Add CHANGELOG entry.
@martincostello martincostello marked this pull request as ready for review January 14, 2026 13:39
@martincostello martincostello requested a review from a team as a code owner January 14, 2026 13:39
Copilot AI review requested due to automatic review settings January 14, 2026 13:39
Copilot AI left a comment

Pull request overview

This PR hardens native C/C++ DLLs by enabling Microsoft-recommended security features (Control Flow Guard, Address Space Layout Randomization, and Control-flow Enforcement Technology) for release builds to address BinSkim security analysis findings.

Changes:

  • Enable Control Flow Guard (CFG) via LinkControlFlowGuard and ControlFlowGuard compiler settings
  • Enable Address Space Layout Randomization (ASLR) via DynamicBase linker setting
  • Enable Control-flow Enforcement Technology (CET) via CETCompat linker setting
  • Update CHANGELOG.md to document the security hardening

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| src/OpenTelemetry.AutoInstrumentation.Native/OpenTelemetry.AutoInstrumentation.Native.vcxproj | Adds CFG, ASLR, and CET security settings to Release |
| src/OpenTelemetry.AutoInstrumentation.Native/OpenTelemetry.AutoInstrumentation.Native.DLL.vcxproj | Adds CFG, ASLR, and CET security settings to Release |
| CHANGELOG.md | Documents the addition of ASLR, CET and CFG for native profiler libraries on Windows |

Redundant as `CETCompat=true`.
@martincostello
Member Author

https://dotnet.microsoft.com is returning 403s for some reason.

@Kielek Kielek left a comment

LGTM.
What about Linux/macOS? Should similar changes be applied there?

@martincostello
Member Author

> What about Linux/macOS? Should similar changes be applied there?

As far as I'm aware, these are Windows/Microsoft compiler technologies.

There might be similar things available for other OSes/compiler toolchains (like ASLR), but I'd have to go away and research that.

@martincostello martincostello changed the title Harden native DLL compilation Harden native Windows DLL compilation Jan 14, 2026
@martincostello
Member Author

I think I've found some information about how to enable equivalents for CMake for Linux and macOS, but I'll do that in a separate PR.

@Kielek Kielek merged commit c1667cc into open-telemetry:main Jan 14, 2026
50 of 51 checks passed
@martincostello martincostello deleted the enable-native-control-flow-guard branch January 14, 2026 15:47
@martincostello
Member Author

martincostello commented Jan 14, 2026

BinSkim output before and after changes.

v1.13.0

> .\binskim.exe analyze .\zero-code\*.dll --recurse true --kind "Fail"
Analyzing...
THREADS: 20
C:\Users\marti\Downloads\zero-code-prod\opentelemetry-dotnet-instrumentation-windows\win-x64\OpenTelemetry.AutoInstrumentation.Native.dll: error BA2008: 'OpenTelemetry.AutoInstrumentation.Native.dll' does not enable the control flow guard (CFG) mitigation.
To resolve this issue, pass /guard:cf on both the compiler and linker command lines. Binaries also require the /DYNAMICBASE linker option in order to enable CFG.
For VC projects use ItemDefinitionGroup - ClCompile - ControlFlowGuard property with 'Guard' value, link CFG property will be set automatically.
C:\Users\marti\Downloads\zero-code-prod\opentelemetry-dotnet-instrumentation-windows\win-x64\OpenTelemetry.AutoInstrumentation.Native.dll : error ERR997.ExceptionLoadingPdb : 'OpenTelemetry.AutoInstrumentation.Native.dll' was not evaluated because its PDB could not be loaded (E_PDB_NOT_FOUND).
C:\Users\marti\Downloads\zero-code-prod\opentelemetry-dotnet-instrumentation-windows\win-x86\OpenTelemetry.AutoInstrumentation.Native.dll: error BA2008: 'OpenTelemetry.AutoInstrumentation.Native.dll' does not enable the control flow guard (CFG) mitigation.
To resolve this issue, pass /guard:cf on both the compiler and linker command lines. Binaries also require the /DYNAMICBASE linker option in order to enable CFG.
For VC projects use ItemDefinitionGroup - ClCompile - ControlFlowGuard property with 'Guard' value, link CFG property will be set automatically.
C:\Users\marti\Downloads\zero-code-prod\opentelemetry-dotnet-instrumentation-windows\win-x86\OpenTelemetry.AutoInstrumentation.Native.dll : error ERR997.ExceptionLoadingPdb : 'OpenTelemetry.AutoInstrumentation.Native.dll' was not evaluated because its PDB could not be loaded (E_PDB_NOT_FOUND).

Done. 471 files scanned.

One or more rules was disabled for an analysis target, as it was determined not to be applicable to it (this is a common condition). Include 'NotApplicable' on an explicit '--kind' command-line argument (e.g., '--kind "Fail;NotApplicable"') for more information.

Analysis did not complete due to one or more unrecoverable execution conditions.
Unexpected fatal runtime condition(s) observed: ExceptionLoadingPdb

c1667cc

> .\binskim.exe analyze .\zero-code\*.dll --recurse true --kind "Fail"
Analyzing...
THREADS: 20
C:\Users\marti\Downloads\zero-code\bin-windows-2022\win-x64\OpenTelemetry.AutoInstrumentation.Native.dll : error ERR997.ExceptionLoadingPdb : 'OpenTelemetry.AutoInstrumentation.Native.dll' was not evaluated because its PDB could not be loaded (E_PDB_NOT_FOUND).
C:\Users\marti\Downloads\zero-code\bin-windows-2022\win-x86\OpenTelemetry.AutoInstrumentation.Native.dll : error ERR997.ExceptionLoadingPdb : 'OpenTelemetry.AutoInstrumentation.Native.dll' was not evaluated because its PDB could not be loaded (E_PDB_NOT_FOUND).

Done. 265 files scanned.

One or more rules was disabled for an analysis target, as it was determined not to be applicable to it (this is a common condition). Include 'NotApplicable' on an explicit '--kind' command-line argument (e.g., '--kind "Fail;NotApplicable"') for more information.

Analysis did not complete due to one or more unrecoverable execution conditions.
Unexpected fatal runtime condition(s) observed: ExceptionLoadingPdb
