From 9f57317b0f5efc75b36c8d9d21f442f249374905 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20Strehovsk=C3=BD?= Date: Wed, 18 Sep 2024 19:05:40 +0900 Subject: [PATCH] Document native AOT security aspects (#42585) --- docs/core/deploying/native-aot/security.md | 45 ++++++++++++++++++++++ docs/navigate/devops-testing/toc.yml | 2 + 2 files changed, 47 insertions(+) create mode 100644 docs/core/deploying/native-aot/security.md diff --git a/docs/core/deploying/native-aot/security.md b/docs/core/deploying/native-aot/security.md new file mode 100644 index 0000000000000..683c907345d91 --- /dev/null +++ b/docs/core/deploying/native-aot/security.md @@ -0,0 +1,45 @@ +--- +title: Security +description: Learn about security features available with native AOT. +author: MichalStrehovsky +ms.author: michals +ms.date: 09/11/2024 +--- + +# Security features + +.NET offers many facilities to help address security concerns when building apps. Native AOT deployment builds on top of these facilities and provides several that can help harden your apps. + +## No run-time code generation + +Since native AOT generates all code at the time of publishing the app, no new executable code needs to be generated at run time. This allows running your apps in environments that disallow creation of new executable code pages at run time. All the code that the CPU executes can be digitally signed. + +## Restricted reflection surface + +When apps are published with native AOT, the compiler analyzes the usage of reflection within the app. Only the program elements that were deemed to be targets of reflection are available for reflection at run time. Places within the program that attempt to do unconstrained reflection are flagged using [trimming warnings](../trimming/fixing-warnings.md). Program elements that weren't intended to be targets of reflection cannot be reflected on. This restriction can prevent a class of issues where a malicious actor gets in control of what the program reflects on and invokes unintended code. This restriction includes approaches that use `Assembly.LoadFrom` or `Reflection.Emit` - neither of those work with native AOT, and their use is flagged with a warning at build time. + +## Control Flow Guard + +[Control Flow Guard](/windows/win32/secbp/control-flow-guard) is a highly optimized platform security feature on Windows that was created to combat memory corruption vulnerabilities. By placing tight restrictions on where an application can execute code from, it makes it much harder for exploits to execute arbitrary code through vulnerabilities such as buffer overflows. + +To enable Control Flow Guard on your native AOT app, set the `ControlFlowGuard` property in the published project. + +```xml + + + Guard + +``` + +## Control-flow Enforcement Technology Shadow Stack (.NET 9+) + +Control-flow Enforcement Technology (CET) Shadow Stack is a computer processor feature. It provides capabilities to defend against return-oriented programming (ROP) based malware attacks. + +CET is enabled by default when publishing for Windows. To disable CET, set the `CetCompat` property in the published project. + +```xml + + + false + +``` diff --git a/docs/navigate/devops-testing/toc.yml b/docs/navigate/devops-testing/toc.yml index 714b769f477e4..22db686aac788 100644 --- a/docs/navigate/devops-testing/toc.yml +++ b/docs/navigate/devops-testing/toc.yml @@ -495,6 +495,8 @@ items: href: ../../core/deploying/native-aot/libraries.md - name: Cross-compilation href: ../../core/deploying/native-aot/cross-compile.md + - name: Security + href: ../../core/deploying/native-aot/security.md - name: Intro to AOT warnings href: ../../core/deploying/native-aot/fixing-warnings.md - name: Intrinsic APIs marked RequiresDynamicCode