Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[NativeAOT] Enable CET support #101942

Open
jkotas opened this issue May 6, 2024 · 7 comments · May be fixed by #102680
Open

[NativeAOT] Enable CET support #101942

jkotas opened this issue May 6, 2024 · 7 comments · May be fixed by #102680
Assignees
@VSadov
Labels
arch-x64 area-NativeAOT-coreclr os-windows
Projects
Core-Runtime .net 9
Milestone
9.0.0

Comments

@jkotas
Copy link
Member

jkotas commented May 6, 2024

CET is one of the low-level security mitigations.

It is supported on CoreCLR, but not on native AOT. We need to port the support from CoreCLR to native AOT (and test it that it works).

(Context #101891 (comment))
@dotnet-policy-service dotnet-policy-service bot added the untriaged New issue has not been triaged by the area owner label May 6, 2024
@VSadov
Copy link
Member

VSadov commented May 6, 2024
edited

Presumably this is not just suspension support (which is partially CET compatible, modulo return hijacking), but there is some Exception Handling work as well, right?
There are several places in CoreCLR where EH does something different for CET.

@jkotas
Copy link
Member Author

jkotas commented May 7, 2024

What are the places in EH that you have in mind?

(There may be some changes needed in EH, but they should be very minor.)

@VSadov
Copy link
Member

VSadov commented May 7, 2024

I just did a search for AreCetShadowStacksEnabled and saw a few uses in EH. Did not look in details what they do though.

@jkotas
Copy link
Member Author

jkotas commented May 7, 2024

I just did a search for AreCetShadowStacksEnabled and saw a few uses in EH. Did not look in details what they do though.

Those are related to the suspension support. The shadows stacks turn return address hijacks into STATUS_RETURN_ADDRESS_HIJACK_ATTEMPT SEH exceptions.

@VSadov
Copy link
Member

VSadov commented May 7, 2024

Those are related to the suspension support. The shadows stacks turn return address hijacks into STATUS_RETURN_ADDRESS_HIJACK_ATTEMPT SEH exceptions.

I see. I am trying to see how much is missing in NatveAOT.

I think we might want to fit this into 9.0. Especially since this is security related, it feels it fits the overall theme.

@agocke agocke added this to the 9.0.0 milestone May 13, 2024
@jeffschwMSFT jeffschwMSFT removed the untriaged New issue has not been triaged by the area owner label May 14, 2024
@janvorli
Copy link
Member

@VSadov I'll be happy to help with this if you need some clarifications around the CET stuff.

@mangod9 mangod9 added this to UserStories + Epics in Core-Runtime .net 9 May 17, 2024
@VSadov VSadov self-assigned this May 24, 2024
@VSadov VSadov mentioned this issue May 24, 2024
Merged
@VSadov
Copy link
Member

VSadov commented May 24, 2024

@janvorli - thanks. I started with support for STATUS_RETURN_ADDRESS_HIJACK_ATTEMPT, which should be testable without actual CET enabled.
At some point I will need to enable and test the end-to-end scenario. I may need some help with that.

@VSadov VSadov linked a pull request May 25, 2024 that will close this issue
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@VSadov VSadov

Labels
arch-x64 area-NativeAOT-coreclr os-windows
Projects
AppModel
Status: No status
Core-Runtime .net 9
UserStories + Epics
Milestone
9.0.0
Development

Successfully merging a pull request may close this issue.

[NativeAOT] Adding CET support VSadov/runtime
5 participants
@agocke @jkotas @VSadov @jeffschwMSFT @janvorli