Skip to main content

SQ14125

Detected Windows shared library files that do not suppress exports which reduces CFG vulnerability mitigation protection effectiveness.

priorityCI/CD statusseverityeffortRL levelRL assessment
passmediummediumNoneNone

About the issueโ€‹

Control Flow Guard (CFG/CFI) protects the code flow integrity by ensuring that dynamic calls are made only to vetted functions. Trusted execution paths rely on the ability of the operating system to build a list of valid function targets. Certain functions can intentionally be disallowed to prevent malicious code from deactivating vulnerability mitigation features. A list of such invalid function targets can include publicly exported symbols. Applications that enhance control flow integrity through export suppression rely on libraries to mark their publicly visible symbols as suppressed. This is done for all symbols that are considered to be sensitive functions, and to which access should be restricted. It is considered dangerous to mix applications that perform export suppression with libraries that do not.

How to resolve the issueโ€‹

  • To enable this mitigation on library code, refer to your programming language toolchain documentation.
  • In Microsoft VisualStudio, you can enable CFG mitigation by passing the /guard:cf parameter to the compiler and linker.

Incidence statisticsโ€‹

ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes.

For every repository, the chart shows the percentage of projects that triggered the software assurance policy. In other words, it shows how many projects were found to have the specific issue described on this page.

The percentages are calculated from the total amount of packages analyzed:

  • RubyGems: 174K
  • Nuget: 189K
  • PyPi: 403K
  • NPM: 2.1M