From 790f02b481c8bbedc37b04a2c471f6b73f371b83 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20Strehovsk=C3=BD?= Date: Wed, 11 Sep 2024 11:42:37 +0200 Subject: [PATCH 1/3] Document native AOT security aspects --- docs/core/deploying/native-aot/security.md | 45 ++++++++++++++++++++++ docs/navigate/devops-testing/toc.yml | 2 + 2 files changed, 47 insertions(+) create mode 100644 docs/core/deploying/native-aot/security.md diff --git a/docs/core/deploying/native-aot/security.md b/docs/core/deploying/native-aot/security.md new file mode 100644 index 0000000000000..c567b3e8426b6 --- /dev/null +++ b/docs/core/deploying/native-aot/security.md @@ -0,0 +1,45 @@ +--- +title: Security +description: Learn about security features available with native AOT. +author: MichalStrehovsky +ms.author: michals +ms.date: 09/11/2024 +--- + +# Security features + +.NET offers many facilities to help address security concerns when building apps. Native AOT deployment builds on top of these facilities and provides several that can help harden your apps. + +## No runtime code generation + +Since native AOT generates all code at the time of publishing the app, no new executable code needs to be generated at run time. This allows running your apps in environments that disallow creation of new executable code pages at run time. All the code that the CPU executes can be digitally signed. + +## Restricted reflection surface + +When apps are published with native AOT, the compiler analyzes the usage of reflection within the app. Only the program elements that were deemed to be targets of reflection are available for reflection at run time. Places within the program that attempt to do unconstrained reflection get flagged using [trimming warnings](../trimming/fixing-warnings.md). Program elements that were not intended to be targets of reflection cannot be reflected on. This can prevent a class of issues where a malicious actor gets in control of what the program reflects on and invokes unintended code. + +## Control Flow Guard + +[Control Flow Guard](/windows/win32/secbp/control-flow-guard) is a highly-optimized platform security feature that was created to combat memory corruption vulnerabilities. By placing tight restrictions on where an application can execute code from, it makes it much harder for exploits to execute arbitrary code through vulnerabilities such as buffer overflows. + +To enable Control Flow Guard on you native AOT app set the `ControlFlowGuard` property in the published project. + +```xml + + + Guard + +``` + +## Control-flow Enforcement Technology Shadow Stack (.NET 9+) + +Control-flow Enforcement Technology (CET) Shadow Stack is a computer processor feature. It provides capabilities to defend against return-oriented programming (ROP) based malware attacks. + +CET is enabled by default when publishing for Windows. To disable CET, set the `CetCompat` property in the published project. + +```xml + + + false + +``` diff --git a/docs/navigate/devops-testing/toc.yml b/docs/navigate/devops-testing/toc.yml index 714b769f477e4..22db686aac788 100644 --- a/docs/navigate/devops-testing/toc.yml +++ b/docs/navigate/devops-testing/toc.yml @@ -495,6 +495,8 @@ items: href: ../../core/deploying/native-aot/libraries.md - name: Cross-compilation href: ../../core/deploying/native-aot/cross-compile.md + - name: Security + href: ../../core/deploying/native-aot/security.md - name: Intro to AOT warnings href: ../../core/deploying/native-aot/fixing-warnings.md - name: Intrinsic APIs marked RequiresDynamicCode From 3c6cf3027509724495ccdfd8a191690353c45b63 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20Strehovsk=C3=BD?= Date: Thu, 12 Sep 2024 09:18:18 +0200 Subject: [PATCH 2/3] Update security.md --- docs/core/deploying/native-aot/security.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/core/deploying/native-aot/security.md b/docs/core/deploying/native-aot/security.md index c567b3e8426b6..a211b649ae9b1 100644 --- a/docs/core/deploying/native-aot/security.md +++ b/docs/core/deploying/native-aot/security.md @@ -16,11 +16,11 @@ Since native AOT generates all code at the time of publishing the app, no new ex ## Restricted reflection surface -When apps are published with native AOT, the compiler analyzes the usage of reflection within the app. Only the program elements that were deemed to be targets of reflection are available for reflection at run time. Places within the program that attempt to do unconstrained reflection get flagged using [trimming warnings](../trimming/fixing-warnings.md). Program elements that were not intended to be targets of reflection cannot be reflected on. This can prevent a class of issues where a malicious actor gets in control of what the program reflects on and invokes unintended code. +When apps are published with native AOT, the compiler analyzes the usage of reflection within the app. Only the program elements that were deemed to be targets of reflection are available for reflection at run time. Places within the program that attempt to do unconstrained reflection get flagged using [trimming warnings](../trimming/fixing-warnings.md). Program elements that were not intended to be targets of reflection cannot be reflected on. This can prevent a class of issues where a malicious actor gets in control of what the program reflects on and invokes unintended code. This includes approaches that use `Assembly.LoadFrom` or `Reflection.Emit` - neither of those work with native AOT and their use gets flagged with a warning at build time. ## Control Flow Guard -[Control Flow Guard](/windows/win32/secbp/control-flow-guard) is a highly-optimized platform security feature that was created to combat memory corruption vulnerabilities. By placing tight restrictions on where an application can execute code from, it makes it much harder for exploits to execute arbitrary code through vulnerabilities such as buffer overflows. +[Control Flow Guard](/windows/win32/secbp/control-flow-guard) is a highly-optimized platform security feature on Windows that was created to combat memory corruption vulnerabilities. By placing tight restrictions on where an application can execute code from, it makes it much harder for exploits to execute arbitrary code through vulnerabilities such as buffer overflows. To enable Control Flow Guard on you native AOT app set the `ControlFlowGuard` property in the published project. From a12c778772e6cc4ad02e6e0007ab5f5582d83c70 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20Strehovsk=C3=BD?= Date: Mon, 16 Sep 2024 08:13:39 +0200 Subject: [PATCH 3/3] Apply suggestions from code review Co-authored-by: Genevieve Warren <24882762+gewarren@users.noreply.github.com> --- docs/core/deploying/native-aot/security.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/core/deploying/native-aot/security.md b/docs/core/deploying/native-aot/security.md index a211b649ae9b1..683c907345d91 100644 --- a/docs/core/deploying/native-aot/security.md +++ b/docs/core/deploying/native-aot/security.md @@ -10,19 +10,19 @@ ms.date: 09/11/2024 .NET offers many facilities to help address security concerns when building apps. Native AOT deployment builds on top of these facilities and provides several that can help harden your apps. -## No runtime code generation +## No run-time code generation Since native AOT generates all code at the time of publishing the app, no new executable code needs to be generated at run time. This allows running your apps in environments that disallow creation of new executable code pages at run time. All the code that the CPU executes can be digitally signed. ## Restricted reflection surface -When apps are published with native AOT, the compiler analyzes the usage of reflection within the app. Only the program elements that were deemed to be targets of reflection are available for reflection at run time. Places within the program that attempt to do unconstrained reflection get flagged using [trimming warnings](../trimming/fixing-warnings.md). Program elements that were not intended to be targets of reflection cannot be reflected on. This can prevent a class of issues where a malicious actor gets in control of what the program reflects on and invokes unintended code. This includes approaches that use `Assembly.LoadFrom` or `Reflection.Emit` - neither of those work with native AOT and their use gets flagged with a warning at build time. +When apps are published with native AOT, the compiler analyzes the usage of reflection within the app. Only the program elements that were deemed to be targets of reflection are available for reflection at run time. Places within the program that attempt to do unconstrained reflection are flagged using [trimming warnings](../trimming/fixing-warnings.md). Program elements that weren't intended to be targets of reflection cannot be reflected on. This restriction can prevent a class of issues where a malicious actor gets in control of what the program reflects on and invokes unintended code. This restriction includes approaches that use `Assembly.LoadFrom` or `Reflection.Emit` - neither of those work with native AOT, and their use is flagged with a warning at build time. ## Control Flow Guard -[Control Flow Guard](/windows/win32/secbp/control-flow-guard) is a highly-optimized platform security feature on Windows that was created to combat memory corruption vulnerabilities. By placing tight restrictions on where an application can execute code from, it makes it much harder for exploits to execute arbitrary code through vulnerabilities such as buffer overflows. +[Control Flow Guard](/windows/win32/secbp/control-flow-guard) is a highly optimized platform security feature on Windows that was created to combat memory corruption vulnerabilities. By placing tight restrictions on where an application can execute code from, it makes it much harder for exploits to execute arbitrary code through vulnerabilities such as buffer overflows. -To enable Control Flow Guard on you native AOT app set the `ControlFlowGuard` property in the published project. +To enable Control Flow Guard on your native AOT app, set the `ControlFlowGuard` property in the published project. ```xml