Posted to users@tomcat.apache.org by David Cleary <da...@progress.com> on 2020/01/30 17:41:08 UTC

Compiling TCNative on Windows

One of our customers got dinged on a security audit because some Windows binaries weren't compiled with the security features listed below. TCNative is on that list. We only include it for our Windows distributions since it is available in binary form. One side effect of ASLR is that pointers can live in the entire address space. So, some code can have issues if it assumes that pointers will only be in the lower 32-bit address space. Has anyone tried this or know of a reason that compiling with the switches will cause issues with TCNative? My choices are to bring it in house and build ourselves, or drop it from our distribution.

ASLR - Address Space Layout Randomization

Linker option: /DYNAMICBASE[:NO]

https://docs.microsoft.com/en-us/cpp/build/reference/dynamicbase-use-address-space-layout-randomization?view=vs-2019

DEP - Data Execution Prevention

Linker option: /NXCOMPAT[:NO]

https://docs.microsoft.com/en-us/cpp/build/reference/nxcompat-compatible-with-data-execution-prevention?view=vs-2019

SafeSEH - Safe Exception Handlers

Linker option: /SAFESEH[:NO]

https://docs.microsoft.com/en-us/cpp/build/reference/safeseh-image-has-safe-exception-handlers?view=vs-2019

Thanks
Dave
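
An added example (not from the thread or the Tomcat Native project) of how the audit items above can be checked on a built DLL: /DYNAMICBASE and /NXCOMPAT each set a bit in the PE optional header's DllCharacteristics field, which this Python code reads. The sample images are constructed header-only bytes, the function names and the HIGHENTROPYVA bit are additions for illustration, and the SafeSEH handler table in the load config directory is not parsed.

```python
import struct

# DllCharacteristics bits in the PE optional header (values from winnt.h).
FLAGS = {
    "DYNAMICBASE": 0x0040,    # set by /DYNAMICBASE (ASLR)
    "NXCOMPAT": 0x0100,       # set by /NXCOMPAT (DEP)
    "HIGHENTROPYVA": 0x0020,  # 64-bit ASLR may place the image above 4 GB
}
MACHINE_I386 = 0x014C         # /SAFESEH is only valid for x86 images

def audit_pe(data: bytes) -> dict:
    """Report the hardening flags recorded in a PE image's headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    opt = pe_off + 24                      # signature (4) + COFF header (20)
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < opt + 72:
        raise ValueError("missing or truncated PE header")
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):        # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    report = {name: bool(dll_chars & bit) for name, bit in FLAGS.items()}
    # SafeSEH itself lives in the load config directory (not parsed here);
    # this only says whether the audit item applies to the image at all.
    report["SAFESEH_applies"] = machine == MACHINE_I386
    return report

def missing_switches(report: dict) -> list:
    """Linker switches from the thread that the image was built without."""
    return [f"/{n}" for n in ("DYNAMICBASE", "NXCOMPAT") if not report[n]]

def build_sample(machine: int, magic: int, dll_chars: int) -> bytes:
    """Constructed header-only image for the demo; not a real DLL."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    opt = bytearray(240 if magic == 0x20B else 224)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x2000)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    hardened = build_sample(0x8664, 0x20B, 0x0160)   # x64, ASLR+DEP+high entropy
    legacy = build_sample(MACHINE_I386, 0x10B, 0x0000)
    for name, image in (("hardened", hardened), ("legacy", legacy)):
        rep = audit_pe(image)
        print(name, rep, "missing:", missing_switches(rep))
```

To audit a real build, pass the file's bytes, for example `audit_pe(open(path, "rb").read())`.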

Re: Compiling TCNative on Windows

Posted by Mark Thomas <ma...@apache.org>.
On 30/01/2020 17:41, David Cleary wrote:
> One of our customers got dinged on a security audit because some Windows binaries weren't compiled with the security features listed below. TCNative is on that list. We only include it for our Windows distributions since it is available in binary form. One side effect of ASLR is that pointers can live in the entire address space. So, some code can have issues if it assumes that pointers will only be in the lower 32-bit address space. Has anyone tried this or know of a reason that compiling with the switches will cause issues with TCNative? My choices are to bring it in house and build ourselves, or drop it from our distribution.

Haven't tried it. Don't know if it will cause an issue. Happy to try it.
Best to open an issue against Tomcat Native so it doesn't get forgotten.

If you go the in-house route this might help:
https://cwiki.apache.org/confluence/display/TOMCAT/Building+the+Tomcat+Native+Connector+binaries+for+Windows

Mark


> 
> ASLR - Address Space Layout Randomization
> 
> Linker option: /DYNAMICBASE[:NO]
> 
> https://docs.microsoft.com/en-us/cpp/build/reference/dynamicbase-use-address-space-layout-randomization?view=vs-2019
> 
> DEP - Data Execution Prevention
> 
> Linker option: /NXCOMPAT[:NO]
> 
> https://docs.microsoft.com/en-us/cpp/build/reference/nxcompat-compatible-with-data-execution-prevention?view=vs-2019
> 
> SafeSEH - Safe Exception Handlers
> 
> Linker option: /SAFESEH[:NO]
> 
> https://docs.microsoft.com/en-us/cpp/build/reference/safeseh-image-has-safe-exception-handlers?view=vs-2019
> 
> Thanks
> Dave
> 

