Implement test checking whether CET is active #71509
Conversation
ghost
added
the
|
Tagging subscribers to this area: @hoyosjs Issue DetailsAs part of Control Flow Enforcement Technology (CET) testing we need Thanks Tomas P.S. In practice this initial commit only introduces the necessary infra that the new test gets now built and run and it fails as expected. I need
|
There was a problem hiding this comment.
The strongest check would be to actually trigger a crash by performing an operation that is prohibited with CET.
We can then have a pair of tests: One that verifies that the operation is succeeding when CET is disabled, and one that verifies that the operation is crashing when CET is enabled.
There was a problem hiding this comment.
trigger a crash by performing an operation that is prohibited with CET.
You probably still need to a bit of unmanaged code for that.
There was a problem hiding this comment.
I think checking the value of SSP is sufficient. The SSP is always nonzero if CET is enabled for the process and zero otherwise.
There was a problem hiding this comment.
I have already implemented the SSP check. We can easily add more tests if desired once that's shown to work.
As part of Control Flow Enforcement Technology (CET) testing we need to make sure that CET is actually active on the execution machines; otherwise subtle infra changes could easily regress the testing by inadvertently deactivating CET without anyone noticing. This change introduces an initial CET availability test for this purpose. Thanks Tomas
|
/azp run runtime-cet |
|
No pipelines are associated with this pull request. |
|
@eduardo-vp - I have created the CET activation check test and run it through the runtime-cet pipeline where it failed claiming CET is not enabled: baseservices\CET\CheckCETPresence\CheckCETPresence.cmd [FAIL]
Return code: 1
Raw output file: C:\h\w\A1AF08B4\w\A9AF09A7\uploads\Reports\baseservices.CET\CheckCETPresence\CheckCETPresence.output.txt
Raw output:
BEGIN EXECUTION
"C:\h\w\A1AF08B4\p\corerun.exe" -p "System.Reflection.Metadata.MetadataUpdater.IsSupported=false" CheckCETPresence.dll
Checking whether codeflow enforcement technology (CET) is active
Shadow stack pointer: 0x0000000000000000
Expected: 100
Actual: 101
END EXECUTION - FAILED
FAILED
Can you please follow up with @ilyas1974 and @janvorli to figure out what remains to be done to turn CET on for the pipeline? IIRC we require a certain version of Windows and some registry keys to be set. Thanks Tomas |
trylek
changed the title
|
After receiving heads-up from @ilyas1974 that the new CET pool should now have all the required artifacts, I have retested the runtime-cet pipeline on this change and it is passing now so I'm merging it in. |
4 participants
As part of Control Flow Enforcement Technology (CET) testing we need
to make sure that CET is actually active on the execution machines;
otherwise subtle infra changes could easily regress the testing by
inadvertently deactivating CET without anyone noticing. This change
introduces an initial CET availability test for this purpose.
Thanks
Tomas
P.S. In practice this initial commit only introduces the necessary infra
changes required for implementing the CET test. I have verified in the private
run
https://dev.azure.com/dnceng/public/_build/results?buildId=1855384&view=ms.vss-test-web.build-test-results-tab&runId=48818082&resultId=100238&paneView=debug
that the new test gets now built and run and it fails as expected. I need
help regarding its actual implementation, according to JanV we likely need
a bit of native interop to read the value of the SSP register, I'm definitely
no expert in this field.