-
Notifications
You must be signed in to change notification settings - Fork 162
/
Copy pathBAXXXX.RuleFriendlyName.cs
139 lines (119 loc) · 6.03 KB
/
BAXXXX.RuleFriendlyName.cs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
/// <summary>
// Copyright (c) Microsoft. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.
using System;
using System.Collections.Generic;
using System.Collections.Immutable;
using System.Composition;
using System.Reflection.PortableExecutable;
using Microsoft.CodeAnalysis.BinaryParsers;
using Microsoft.CodeAnalysis.BinaryParsers.PortableExecutable;
using Microsoft.CodeAnalysis.IL.Sdk;
using Microsoft.CodeAnalysis.Sarif;
using Microsoft.CodeAnalysis.Sarif.Driver;
namespace Microsoft.CodeAnalysis.IL.Rules
{
// Delete the following attribute if this rule doesn't require special
// configuration capabilities. Delete this code comment in all cases.
//
// You should extend this class from WindowsBinaryAndPdbSkimmerBase
// instead of PEBinarySkimmerBase if you require PDB parsing in
// your check. Extend ELFBinarySkimmerBase for *nix binary checks.
//
[Export(typeof(IOptionsProvider))]
[Export(typeof(ReportingDescriptor))]
[Export(typeof(Skimmer<BinaryAnalyzerContext>))]
public class RULEFRIENDLYNAME : PEBinarySkimmerBase, IOptionsProvider /* Delete this if no special configuration required */
{
/// <summary>
/// BAXXXX
/// </summary>
public override string Id => RuleIds.RULEFRIENDLYNAME;
/// <summary>
/// Recapitulate the full text of the rule description returned below
/// here as a summary comment.
/// </summary>
public override MultiformatMessageString FullDescription =>
new MultiformatMessageString { Text = RuleResources.BAXXXX_RULEFRIENDLYNAME_Description };
protected override IEnumerable<string> MessageResourceNames => new string[] {
nameof(RuleResources.BAXXXX_Pass),
nameof(RuleResources.BAXXXX_Error)
};
public IEnumerable<IOption> GetOptions()
{
return new List<IOption>
{
MinimumRequiredLinkerVersion
}.ToImmutableArray();
}
private const string AnalyzerName = RuleIds.RULEFRIENDLYNAMEId + "." + nameof(RULEFRIENDLYNAME);
public static PerLanguageOption<Version> MinimumRequiredLinkerVersion { get; } =
new PerLanguageOption<Version>(
AnalyzerName, nameof(MinimumRequiredLinkerVersion), defaultValue: () => new Version("14.0"));
public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
{
PE portableExecutable = target.PE;
AnalysisApplicability result = AnalysisApplicability.NotApplicableToSpecifiedTarget;
// Review the range of metadata conditions and return NotApplicableToSpecifiedTarget
// from this method for all cases where a binary is detected that is not valid to scan.
//
reasonForNotAnalyzing = MetadataConditions.ImageIsResourceOnlyBinary;
if (portableExecutable.IsResourceOnly) { return result; }
// Here's an example of parameterizing a rule from input XML. In this example,
// we enforce that the linker is of a minimal version, otherwise the scan will
// not occur (because the toolset producing the binary is not sufficiently
// current to enable the security mitigation).
//
Version minimumRequiredLinkerVersion = policy.GetProperty(MinimumRequiredLinkerVersion);
if (portableExecutable.LinkerVersion < minimumRequiredLinkerVersion)
{
reasonForNotAnalyzing = string.Format(
MetadataConditions.ImageCompiledWithOutdatedTools,
portableExecutable.LinkerVersion,
minimumRequiredLinkerVersion);
return result;
}
// If we get to this location, we've determined the binary is valid to analyze.
// We clear the 'reasonForNotAnalyzing' output variable and return
// ApplicableToSpecifiedTarget.
//
reasonForNotAnalyzing = null;
return AnalysisApplicability.ApplicableToSpecifiedTarget;
}
public override void Analyze(BinaryAnalyzerContext context)
{
PEBinary target = context.PEBinary();
PE pe = target.PE;
// Analysis may return one or more failures, each of which uses a format
// string stored in the MessageResourceNames array above to produce a result.
// By convention, we recapitulate that format string when we return the
// associated result, to document the specific failure or pass condition.
if (!this.IsSecure(target))
{
// '{0}' is not secure for some reaons.
// To resolve this issue, pass /beEvenMoreSecure on both the compiler
// and linker command lines. Binaries also require the
// /beSecure option in order to enable the enhanced setting.
context.Logger.Log(this,
RuleUtilities.BuildResult(FailureLevel.Error, context, null,
nameof(RuleResources.BAXXXX_Error),
context.TargetUri.GetFileName()));
return;
}
// '{0}' enables /beEvenMoreSecure on both the compiler and linker
// command-lines, preventing a broad range of conditions that
// bad actors can use to engage in their malignant, unfortunately
// often-profitable foolishness.
context.Logger.Log(this,
RuleUtilities.BuildResult(ResultKind.Pass, context, null,
nameof(RuleResources.BAXXXX_Pass),
context.TargetUri.GetFileName()));
}
// Not considered a meaningful method name. Be sure to do a better job.
private bool IsSecure(PEBinary _)
{
// Add relevant PE-level examination
return false;
}
}
}