Enable strict HANDLE checking for all Windows Rust programs #56055
Comments
csmoe added the O-windows label on Nov 19, 2018
jonas-schievink added the A-security and C-enhancement labels on Jan 27, 2019
cpeterso commented Nov 19, 2018
To help protect against bugs in unsafe or third-party code, the Rust compiler should emit code to enable strict `HANDLE` checking for all Windows Rust programs. The process will receive a fatal error if it manipulates a `HANDLE` that is not valid, such as using an uninitialized `HANDLE` or calling `CloseHandle` twice. See MSDN for `SetProcessMitigationPolicy` and `PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY`: https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-setprocessmitigationpolicy

Strict `HANDLE` checking might cause compatibility problems for Rust programs that depend on third-party libraries that misuse `HANDLE`s. As a general rule, strict `HANDLE` checking cannot be turned off once it is turned on, so there would be no backdoor to allow sloppy third-party code to run without raising a `HANDLE` exception. If that compatibility constraint is too severe, strict `HANDLE` checking could be limited to debug builds or disabled with an opt-out compiler flag.

Here is how Firefox enables strict `HANDLE` checking for its sandbox processes: https://searchfox.org/mozilla-central/rev/5117a4c4e29fcf80a627fecf899a62f117368abf/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc#120-131
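For reference, this is what the `SetProcessMitigationPolicy` call described above looks like when made from Rust itself rather than emitted by the compiler. It is an added example, not code from the issue or from rustc; the FFI declaration and the flag constants are written out by hand here (no `winapi`/`windows-sys` crate) and mirror the Win32 definitions, with the non-Windows branch included only so the example builds everywhere.

```rust
// Added example (not part of the issue): enabling strict HANDLE checking
// for the current process, the way the Firefox sandbox does it.

/// PROCESS_MITIGATION_POLICY value for ProcessStrictHandleCheckPolicy.
pub const PROCESS_STRICT_HANDLE_CHECK_POLICY: u32 = 3;
/// Bit 0 of PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY.Flags:
/// invalid HANDLE references raise a fatal exception instead of failing silently.
pub const RAISE_EXCEPTION_ON_INVALID_HANDLE_REFERENCE: u32 = 1 << 0;
/// Bit 1: the policy is permanent and cannot be cleared later by any code.
pub const HANDLE_EXCEPTIONS_PERMANENTLY_ENABLED: u32 = 1 << 1;

/// Layout-compatible with the Win32 union, which is one DWORD of flag bits.
#[repr(C)]
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct StrictHandleCheckPolicy {
    pub flags: u32,
}

impl StrictHandleCheckPolicy {
    /// Raise on bad handles and make the setting irreversible (Flags == 0x3).
    pub fn strict() -> Self {
        Self { flags: RAISE_EXCEPTION_ON_INVALID_HANDLE_REFERENCE | HANDLE_EXCEPTIONS_PERMANENTLY_ENABLED }
    }
    pub fn is_permanent(&self) -> bool {
        self.flags & HANDLE_EXCEPTIONS_PERMANENTLY_ENABLED != 0
    }
}

#[cfg(windows)]
#[link(name = "kernel32")]
extern "system" {
    fn SetProcessMitigationPolicy(policy: u32, buffer: *const core::ffi::c_void, len: usize) -> i32;
    fn GetLastError() -> u32;
}

/// Enable strict HANDLE checking for this process. Err carries the Win32 error
/// code; on non-Windows targets it is always Err(0) because the policy does not exist.
pub fn enable_strict_handle_checking() -> Result<(), u32> {
    let policy = StrictHandleCheckPolicy::strict();
    #[cfg(windows)]
    {
        let buf = &policy as *const StrictHandleCheckPolicy as *const core::ffi::c_void;
        let len = core::mem::size_of::<StrictHandleCheckPolicy>();
        let ok = unsafe { SetProcessMitigationPolicy(PROCESS_STRICT_HANDLE_CHECK_POLICY, buf, len) };
        if ok != 0 { Ok(()) } else { Err(unsafe { GetLastError() }) }
    }
    #[cfg(not(windows))]
    { let _ = policy; Err(0) }
}

fn main() {
    // Call this as early as possible, before any third-party code runs.
    println!("strict HANDLE checking: {:?}", enable_strict_handle_checking());
}
```

Because of the permanent-enable bit, a later call cannot relax the policy, which is exactly the "no backdoor" property the comment describes; gate the call on `cfg!(debug_assertions)` if you want the debug-only variant.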