SQ14158
Detected Windows executable files with TLS callbacks susceptible to pointer hijacking.
| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
 | pass | high | medium | None | hardening: warning Reason: execution hijacking risks |
About the issueโ
Sensitive executable memory regions should be kept as read-only to protect the integrity of trusted execution code flow paths. Thread local storage (TLS) callbacks are pointers to code initialization and resource release functions. If those pointers are changed by malicious code, execution paths can be redirected to unintended locations. Most modern programming language toolchains protect those memory regions appropriately. These issues are commonly reported for outdated linkers and non-compliant executable packing solutions.
How to resolve the issueโ
- Review the programming language linker options, and consider a build toolchain update.
Incidence statisticsโ
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes.
For every repository, the chart shows the percentage of projects that triggered the software assurance policy. In other words, it shows how many projects were found to have the specific issue described on this page.
The percentages are calculated from the total amount of packages analyzed:
- RubyGems: 174K
- Nuget: 189K
- PyPi: 403K
- NPM: 2.1M
Recommended readingโ
- Region-based memory management (External resource - Wikipedia)
- Code Pointer Integrity (External resource - Medium)
- Thread Local Storage (TLS) (External resource - Microsoft)