BA3003: report NotApplicable for Rust-only binaries #1192
Open
himaja-kesari wants to merge 1 commit into
rustc enables stack protection via LLVM and does not emit the __stack_chk_fail / __stack_chk_guard / __intel_security_cookie symbols that BA3003 looks for in its symbol-table fallback path. It also does not produce GCC-style DWARF compile units, so the DWARF path yields zero valid GCC entries and BA3003 falls through to the symbol heuristic, which then false-flags every Rust binary as missing a stack protector. When the only producer recorded for the ELF is Rust (and there is no GCC compile unit), report ResultKind.NotApplicable instead, with a message explaining that the GCC heuristic does not apply to this binary. This matches the behavior the rule already uses for other NotApplicable cases via RuleResources.NotApplicable_InvalidMetadata. No behavior change for binaries that contain at least one GCC compile unit (mixed C/Rust links still go through the DWARF path).
Summary

rustc-built ELF binaries are currently always reported as error BA3003 ("stack protector not found"), even when Rust stack protection is enabled. This PR makes BA3003 report `NotApplicable` for binaries whose only DWARF producer is rustc.

Why

BA3003 has two detection paths for ELF:

1. `-fstack-protector-strong`/`-fstack-protector-all`.
2. `__stack_chk_fail`, `__stack_chk_guard`, or `__intel_security_cookie` in the symbol table.

rustc:

- `__stack_chk_fail`/`__stack_chk_guard`, so path (2) returns false.

Result: every rustc-only binary is reported as `error BA3003` regardless of the actual stack-protection setting.

Change

In the ELF branch of `Analyze`, after building `validGccCommandLineInfos`, if:

- `elf.Compilers` contains `ElfCompilerType.Rust`, and
- `elf.Compilers` does not contain `ElfCompilerType.GCC`

…then report `ResultKind.NotApplicable` (re-using the existing `RuleResources.NotApplicable_InvalidMetadata` message) with text explaining that the GCC stack-protector heuristic does not apply. Mixed C/Rust binaries (anything with at least one GCC CU) continue through the existing DWARF path unchanged.

Repro that motivated this

`/usr/lib/dracut/dracut-cpio` from Azure Linux 4 (dracut-107-9.azl4.x86_64.rpm) is a small rustc-built helper. BinSkim 4.4.x reports `error BA3003` on it even though the Rust source enables stack protection. With this patch the same scan reports `NotApplicable` with a clear reason, matching the rule's contract.

Testing

- `main` (commit 696f2ba) with `dotnet build src/BinSkim.Rules/BinSkim.Rules.csproj -c Release`.
- `linux-x64` publish that a rustc-only binary now reports NotApplicable while a GCC-built binary with the same flags is unchanged.

Happy to add a Rust binary fixture under `Test.FunctionalTests.BinSkim.Driver/TestData/BA3003.EnableStackProtector/NotApplicable/` if maintainers can confirm the preferred way to commit a rustc-produced ELF into the repo.
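The following is an added illustration of the decision logic the PR description lays out (DWARF path, symbol-table fallback, and the new rustc-only gate placed after the GCC command-line infos are collected); it is not BinSkim's code. The class and field names (`ElfSummary`, `gcc_producers`, `rust_gate`) are assumptions chosen to mirror the names in the PR, and every "binary" is a constructed in-memory record rather than a parsed ELF file. The `rust_gate=False` switch reproduces the pre-patch behaviour so the false positive on a rustc-only binary can be seen side by side with the fix.

```python
"""Model of the BA3003 (EnableStackProtector) ELF decision described in PR #1192.
Added example, not BinSkim's code; names and sample records are constructed."""
from dataclasses import dataclass, field
from enum import Enum, auto


class ElfCompilerType(Enum):
    GCC = auto()
    Rust = auto()


class ResultKind(Enum):
    Pass = auto()
    Fail = auto()
    NotApplicable = auto()


@dataclass
class ElfSummary:
    """What the rule needs from an ELF (assumed shape): producers recorded in DWARF
    compile units, the GCC DW_AT_producer strings (which carry the recorded -f
    switches), and the names present in the symbol table."""
    compilers: set
    gcc_producers: list = field(default_factory=list)
    symbols: set = field(default_factory=set)


PROTECTOR_FLAGS = ("-fstack-protector-strong", "-fstack-protector-all")
PROTECTOR_SYMBOLS = {"__stack_chk_fail", "__stack_chk_guard", "__intel_security_cookie"}


def evaluate_ba3003(elf: ElfSummary, rust_gate: bool = True):
    """Return (ResultKind, reason). rust_gate=False models the pre-patch rule."""
    # Collect usable GCC compile-unit command lines (the DWARF path's input).
    valid_gcc = [p for p in elf.gcc_producers if p.startswith("GNU C")]

    # New gate: the only recorded producer is rustc and there is no GCC CU at all,
    # so neither the DWARF heuristic nor the GCC-symbol fallback can say anything.
    if (rust_gate
            and ElfCompilerType.Rust in elf.compilers
            and ElfCompilerType.GCC not in elf.compilers):
        return ResultKind.NotApplicable, "rustc-only binary: GCC stack-protector heuristic does not apply"

    # Path (1): every GCC compile unit must record a stack-protector switch.
    if valid_gcc:
        missing = [p for p in valid_gcc if not any(f in p for f in PROTECTOR_FLAGS)]
        if missing:
            return ResultKind.Fail, f"{len(missing)} GCC compile unit(s) without -fstack-protector-strong/-all"
        return ResultKind.Pass, "all GCC compile units record a stack-protector switch"

    # Path (2): symbol-table fallback used when no GCC compile units exist.
    if elf.symbols & PROTECTOR_SYMBOLS:
        return ResultKind.Pass, "stack-protector support symbol present"
    return ResultKind.Fail, "no GCC compile units and no stack-protector symbols found"


# Constructed sample records (not real binaries).
GCC_CU_PROTECTED = "GNU C17 11.2.0 -mtune=generic -march=x86-64 -g -O2 -fstack-protector-strong"
GCC_CU_UNPROTECTED = "GNU C17 11.2.0 -mtune=generic -march=x86-64 -g -O2"

RUST_ONLY = ElfSummary(
    compilers={ElfCompilerType.Rust},
    gcc_producers=[],  # rustc compile units are not GCC compile units
    symbols={"main", "__rust_alloc", "__rust_dealloc"},  # constructed; no __stack_chk_* symbols
)
GCC_PROTECTED = ElfSummary({ElfCompilerType.GCC}, [GCC_CU_PROTECTED], {"main", "__stack_chk_fail"})
GCC_UNPROTECTED = ElfSummary({ElfCompilerType.GCC}, [GCC_CU_UNPROTECTED], {"main"})
MIXED = ElfSummary({ElfCompilerType.GCC, ElfCompilerType.Rust},
                   [GCC_CU_PROTECTED], {"main", "__stack_chk_fail", "__rust_alloc"})
MIXED_UNPROTECTED = ElfSummary({ElfCompilerType.GCC, ElfCompilerType.Rust},
                               [GCC_CU_UNPROTECTED], {"main", "__rust_alloc"})


if __name__ == "__main__":
    for name, elf in [("rust-only", RUST_ONLY), ("gcc protected", GCC_PROTECTED),
                      ("gcc unprotected", GCC_UNPROTECTED), ("mixed", MIXED),
                      ("mixed unprotected", MIXED_UNPROTECTED)]:
        before, _ = evaluate_ba3003(elf, rust_gate=False)
        after, reason = evaluate_ba3003(elf)
        print(f"{name:18} before={before.name:14} after={after.name:14} {reason}")
```

Running the block prints one line per constructed record; the rustc-only record flips from `Fail` to `NotApplicable`, while the GCC-only and mixed records give the same verdict before and after, because a GCC compile unit is present and the DWARF path runs unchanged.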