SQ14159
Detected Windows executable files with exception handlers susceptible to pointer hijacking.
| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
| None | pass | high | medium | None | hardening: warning Reason: execution hijacking risks |
About the issueโ
Sensitive executable memory regions should be kept as read-only to protect the integrity of trusted execution code flow paths. Exception handlers are pointers to functions that implement the error-handling logic. If those pointers are changed by malicious code, execution paths can be redirected to unintended locations. Most modern programming language toolchains protect those memory regions appropriately. Newest linker versions also track programming language-specific handlers and protect them from runtime manipulation. These issues are commonly reported for outdated linkers and non-compliant executable packing solutions.
How to resolve the issueโ
- Review the programming language linker options, and consider a build toolchain update.
Incidence statisticsโ
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes.
For every repository, the chart shows the percentage of projects that triggered the software assurance policy. In other words, it shows how many projects were found to have the specific issue described on this page.
The percentages are calculated from the total amount of packages analyzed:
- RubyGems: 174K
- Nuget: 189K
- PyPi: 403K
- NPM: 2.1M
Recommended readingโ
- Region-based memory management (External resource - Wikipedia)
- Code Pointer Integrity (External resource - Medium)
- Function pointer (External resource - Wikipedia)