Exclude ARM Binaries from BA2025 analysis (#650)

* Exclude ARM Binaries from BA2025 analysis * Cleanup ResultsTests.cs * Update ReleaseHistory.md * Remove stray whitespace * Cleanup validation method * Added cross compile instructions for generating ARM and ARM64 test binaries. * Removed blank line * Updated release history per PR feedback.
microsoft · Jun 13, 2022 · dcafdde · dcafdde
1 parent d107b63
commit dcafdde
Show file tree

Hide file tree

Showing 9 changed files with 119 additions and 5 deletions.
diff --git a/docs/FunctionalTestBuildScripts.md b/docs/FunctionalTestBuildScripts.md
@@ -47,3 +47,40 @@ Also create two user functions `userfn_use_safebuffers_1()` and `userfn_use_safe
 A simple `Windows Kernel Mode Driver` program, created with `Visual Studio 2019` that generates a .exe and associated .pdb file. Code to reproduce:  
 Use `NTSTATUS GsDriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)` as entry point and do not decorated with `__declspec(safebuffers)`.
 No user functions decorated with `__declspec(safebuffers)`.
+
+## ARM64_CETShadowStack_NotApplicable.exe
+A simple C++ hellow world program, cross compiled using CMake using the `cl.exe` compiler and `Ninja` generator.
+`CMakePresets.json` should be configured with a `configurePresets` as below:
+```
+{
+    "name": "arm64-release",
+    "displayName": "ARM64 Release", 
+    "inherits": "windows-base",
+    "architecture": {
+        "value": "arm64",
+        "strategy": "external"
+    },
+    "cacheVariables": {
+        "CMAKE_BUILD_TYPE": "RelWithDebInfo"
+    }
+},
+```
+
+## ARM_CETShadowStack_NotApplicable.exe
+
+A simple C++ hellow world program, cross compiled using CMake with the `cl.exe` compiler and `Ninja` generator.
+`CMakePresets.json` should be configured with a `configurePresets` as below:
+```
+{
+    "name": "arm-release",
+    "displayName": "ARM Release",
+    "inherits": "windows-base",
+    "architecture": {
+        "value": "arm",
+        "strategy": "external"
+    },
+    "cacheVariables": {
+        "CMAKE_BUILD_TYPE": "RelWithDebInfo"
+    }
+},
+```
diff --git a/src/BinSkim.Rules/PERules/BA2025.EnableShadowStack.cs b/src/BinSkim.Rules/PERules/BA2025.EnableShadowStack.cs
@@ -66,6 +66,12 @@ public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.Proper
                 return notApplicable;
             }
 
+            if (portableExecutable.Machine == Machine.Arm || portableExecutable.Machine == Machine.ArmThumb2)
+            {
+                reasonForNotAnalyzing = MetadataConditions.ImageIsArmBinary;
+                return notApplicable;
+            }
+
             reasonForNotAnalyzing = null;
             return AnalysisApplicability.ApplicableToSpecifiedTarget;
         }

diff --git a/src/BinSkim.Sdk/MetadataConditions.cs b/src/BinSkim.Sdk/MetadataConditions.cs
@@ -10,6 +10,7 @@ public static class MetadataConditions
         public static readonly string ImageIsNotExe = SdkResources.MetadataCondition_ImageIsNotExe;
         public static readonly string ImageIsNotMachO = SdkResources.MetadataCondition_ImageIsNotMachO;
         public static readonly string CouldNotLoadPdb = SdkResources.MetadataCondition_CouldNotLoadPdb;
+        public static readonly string ImageIsArmBinary = SdkResources.MetadataCondition_ImageIsArmBinary;
         public static readonly string ImageIsDebugOnly = SdkResources.MetadataCondition_ImageIsDebugOnly;
         public static readonly string ImageIsNotSigned = SdkResources.MetadataCondition_ImageIsNotSigned;
         public static readonly string ImageIsWixBinary = SdkResources.MetadataCondition_ImageIsWixBinary;

diff --git a/src/BinSkim.Sdk/SdkResources.Designer.cs b/src/BinSkim.Sdk/SdkResources.Designer.cs
diff --git a/src/BinSkim.Sdk/SdkResources.resx b/src/BinSkim.Sdk/SdkResources.resx
@@ -243,4 +243,7 @@
   <data name="MetadataCondition_ImageIsArm64BitBinary" xml:space="preserve">
     <value>image is an ARM64 binary</value>
   </data>
+  <data name="MetadataCondition_ImageIsArmBinary" xml:space="preserve">
+    <value>image is an ARM binary</value>
+  </data>
 </root>
diff --git a/src/ReleaseHistory.md b/src/ReleaseHistory.md
@@ -7,6 +7,7 @@
 * Bump ELFSharp from 2.14.0 to 2.15.0. [#631](https://github.com/microsoft/binskim/pull/631)
 * FEATURE: Enable BinSkim for MacOS. [#576](https://github.com/microsoft/binskim/pull/576)
 * Bump Sarif.Sdk by updating submodule from [4e9f606 to fc9a9df](https://github.com/microsoft/sarif-sdk/compare/4e9f606bb0e88428866e253352cdc70dc68f98cb...fc9a9dfb865096b5aaa9fa3651854670940f7459). [#638](https://github.com/microsoft/binskim/pull/638)
+* FALSE POSITIVE FIX: Skip `BA2025.EnableShadowStack` rule for ARM Binaries which cannot use `/CETCOMPAT`. [#650](https://github.com/microsoft/binskim/pull/650)
 
 ## **v1.9.4** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.9.4)
 

diff --git a/...ionalTestData/BA2025.EnableShadowStack/NotApplicable/ARM_CETShadowStack_NotApplicable.exe b/...ionalTestData/BA2025.EnableShadowStack/NotApplicable/ARM_CETShadowStack_NotApplicable.exe
diff --git a/...ionalTestData/BA2025.EnableShadowStack/NotApplicable/ARM_CETShadowStack_NotApplicable.pdb b/...ionalTestData/BA2025.EnableShadowStack/NotApplicable/ARM_CETShadowStack_NotApplicable.pdb
diff --git a/src/Test.FunctionalTests.BinSkim.Rules/RuleTests.cs b/src/Test.FunctionalTests.BinSkim.Rules/RuleTests.cs
@@ -248,6 +248,26 @@ private void VerifyThrows<ExceptionType>(
             }
         }
 
+        private void VerifyApplicabililtyByConditionsOnly(
+            BinarySkimmer skimmer,
+            HashSet<string> applicabilityConditions,
+            string expectedReasonForNotAnalyzing,
+            AnalysisApplicability expectedApplicability = AnalysisApplicability.NotApplicableToSpecifiedTarget,
+            bool useDefaultPolicy = false)
+        {
+            string ruleName = skimmer.GetType().Name;
+
+            HashSet<string> targets = this.GetTestFilesMatchingConditions(applicabilityConditions);
+
+            VerifyApplicabilityResults(
+                skimmer,
+                targets,
+                useDefaultPolicy,
+                expectedApplicability,
+                ruleName,
+                expectedReasonForNotAnalyzing);
+        }
+
         private void VerifyApplicability(
             BinarySkimmer skimmer,
             HashSet<string> applicabilityConditions,
@@ -261,8 +281,6 @@ private void VerifyApplicability(
             testFilesDirectory = Path.Combine(Environment.CurrentDirectory, "FunctionalTestData", testFilesDirectory);
             testFilesDirectory = Path.Combine(testFilesDirectory, "NotApplicable");
 
-            var context = new BinaryAnalyzerContext();
-
             HashSet<string> targets = this.GetTestFilesMatchingConditions(applicabilityConditions);
 
             if (Directory.Exists(testFilesDirectory))
@@ -276,6 +294,25 @@ private void VerifyApplicability(
                 }
             }
 
+            VerifyApplicabilityResults(
+                skimmer,
+                targets,
+                useDefaultPolicy,
+                expectedApplicability,
+                ruleName,
+                expectedReasonForNotAnalyzing);
+        }
+
+        private void VerifyApplicabilityResults(
+            BinarySkimmer skimmer,
+            HashSet<string> targets,
+            bool useDefaultPolicy,
+            AnalysisApplicability expectedApplicability,
+            string ruleName,
+            string expectedReasonForNotAnalyzing)
+        {
+            var context = new BinaryAnalyzerContext();
+
             var logger = new TestMessageLogger();
             context.Logger = logger;
 
@@ -460,6 +497,17 @@ private HashSet<string> GetTestFilesMatchingConditions(HashSet<string> metadataC
                 result.Add(Path.Combine(testFilesDirectory, "DotnetNative_x86_VS2019_UniversalApp.exe"));
             }
 
+            if (metadataConditions.Contains(MetadataConditions.ImageIsArmBinary))
+            {
+                result.Add(Path.Combine(testFilesDirectory, "ARM_CETShadowStack_NotApplicable.exe"));
+            }
+
+            if (metadataConditions.Contains(MetadataConditions.ImageIsArm64BitBinary))
+            {
+                result.Add(Path.Combine(testFilesDirectory, "ARM64_CETShadowStack_NotApplicable.exe"));
+                result.Add(Path.Combine(testFilesDirectory, "ARM64_dotnet_CETShadowStack_NotApplicable.exe"));
+            }
+
             return result;
         }
 
@@ -1166,10 +1214,19 @@ public void BA2025_EnableShadowStack_Fail()
         [Fact]
         public void BA2025_EnableShadowStack_NotApplicable()
         {
-            this.VerifyApplicability(
+            HashSet<string> notApplicableArm64 = new HashSet<string>() { MetadataConditions.ImageIsArm64BitBinary };
+
+            this.VerifyApplicabililtyByConditionsOnly(
                 skimmer: new EnableShadowStack(),
-                applicabilityConditions: null,
+                applicabilityConditions: notApplicableArm64,
                 expectedReasonForNotAnalyzing: MetadataConditions.ImageIsArm64BitBinary);
+
+            HashSet<string> notApplicableArm = new HashSet<string>() { MetadataConditions.ImageIsArmBinary };
+
+            this.VerifyApplicabililtyByConditionsOnly(
+                skimmer: new EnableShadowStack(),
+                applicabilityConditions: notApplicableArm64,
+                expectedReasonForNotAnalyzing: MetadataConditions.ImageIsArmBinary);
         }
 
         [Fact]