Windows build: node.exe missing Control Flow Guard (CFG) and DYNAMICBASE mitigations #64212

Description

@ertl

Version

24.16.0

Platform

error BA2008: 'node.exe' does not enable the control flow guard (CFG) mitigation.
To resolve this issue, pass /guard:cf on both the compiler and linker command lines. Binaries also require the /DYNAMICBASE linker option in order to enable CFG.
For VC projects use ItemDefinitionGroup - ClCompile - ControlFlowGuard property with 'Guard' value, link CFG property will be set automatically.

Subsystem

Windows 11

What steps will reproduce the bug?

https://github.com/microsoft/binskim

BinSkim.exe analyze C:\path\to\node.exe --config binskim_config_no_pdb.xml --kind Fail

binskim_config_no_pdb.xml is:

<?xml version="1.0" encoding="utf-8"?>
<Properties>
  <Properties Key="BinaryParsers.Options">
    <Property Key="IgnorePdbLoadError" Value="True" Type="System.Boolean" />
    <Property Key="DisableTelemetry" Value="True" Type="System.Boolean" />
  </Properties>

  <!-- Disabled rules that need a PDB file -->
  <Properties Key="BA2002.DoNotIncorporateVulnerableDependencies.Options">
    <Property Key="RuleEnabled" Value="Disabled" Type="Driver.RuleEnabledState" />
  </Properties>
  <Properties Key="BA2006.BuildWithSecureTools.Options">
    <Property Key="RuleEnabled" Value="Disabled" Type="Driver.RuleEnabledState" />
  </Properties>
  <Properties Key="BA2007.EnableCriticalCompilerWarnings.Options">
    <Property Key="RuleEnabled" Value="Disabled" Type="Driver.RuleEnabledState" />
  </Properties>
  <Properties Key="BA2011.EnableStackProtection.Options">
    <Property Key="RuleEnabled" Value="Disabled" Type="Driver.RuleEnabledState" />
  </Properties>
  <Properties Key="BA2013.InitializeStackProtection.Options">
    <Property Key="RuleEnabled" Value="Disabled" Type="Driver.RuleEnabledState" />
  </Properties>
  <Properties Key="BA2014.DoNotDisableStackProtectionForFunctions.Options">
    <Property Key="RuleEnabled" Value="Disabled" Type="Driver.RuleEnabledState" />
  </Properties>
  <Properties Key="BA2024.EnableSpectreMitigations.Options">
    <Property Key="RuleEnabled" Value="Disabled" Type="Driver.RuleEnabledState" />
  </Properties>
  <Properties Key="BA2025.EnableShadowStack.Options">
    <Property Key="RuleEnabled" Value="Disabled" Type="Driver.RuleEnabledState" />
  </Properties>
  <Properties Key="BA2026.EnableMicrosoftCompilerSdlSwitch.Options">
    <Property Key="RuleEnabled" Value="Disabled" Type="Driver.RuleEnabledState" />
  </Properties>
  <Properties Key="BA2027.EnableSourceLink.Options">
    <Property Key="RuleEnabled" Value="Disabled" Type="Driver.RuleEnabledState" />
  </Properties>
</Properties>

How often does it reproduce? Is there a required condition?

What is the expected behavior? Why is that the expected behavior?

No exploit is found

What do you see instead?

Additional information

There was already prior work on this topic (see #42100).

PR #42126 was closed in favor of #56605

However, #42126 also handled the missing /DYNAMICBASE flag, which was not addressed in the newer discussions. As a result, node.exe still lacks both CFG and DYNAMICBASE, and BinSkim continues to report BA2008 and BA2009.
