ICU for Windows should build with compiler options SAFESEH, NXCOMPAT, DYNAMICBASE

Description

The ICU build for Windows should use all four of the following newer Visual Studio .NET compiler options, which can provide security benefits in hardening components against buffer overflow attacks: /GS, /DYNAMICBASE, /NXCOMPAT, and /SAFESEH.

  • /GS - Applications and libraries compiled with this option will have consistency checks added to the resulting executable which attempt to defeat stack-based buffer overflow exploits. Slight performance impact. Incompatible with code that makes assumptions about stack layout (e.g. inline assembly).

  • /SAFESEH - A common method of evading the security checks added by /GS is to overwrite Structured Exception Handling (SEH) records. This option adds additional information to the binary, allowing the system to detect the corruption of these records and prevent the execution of malicious code.

  • /DYNAMICBASE - This option allows the executable image to be relocated by Address Space Layout Randomization (ASLR) on Windows Vista. Code which depends on static library load addresses, for example, will fail.

  • /NXCOMPAT - Applications compiled with this option gain the benefit of Windows Vista's Data Execution Prevention (DEP) feature. Code which attempts to execute from the stack, heap, or other data regions will generate access violations, unless the pages being executed are explicitly marked for execution.
    (DYNAMICBASE and NXCOMPAT are ignored on non-Vista systems)
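
One way to confirm that a built DLL actually carries the /DYNAMICBASE and /NXCOMPAT markings, as an added example (not part of the original ticket or the ICU build): the linker records both in the DllCharacteristics field of the PE optional header. The function names and the header-only sample images are constructed for illustration; /GS and /SAFESEH are not recorded in this field and are not covered here.

```python
import struct

# Bit values from the PE/COFF specification (IMAGE_DLLCHARACTERISTICS_*).
DYNAMIC_BASE = 0x0040   # set by /DYNAMICBASE: image may be relocated by ASLR
NX_COMPAT = 0x0100      # set by /NXCOMPAT: image is compatible with DEP
NO_SEH = 0x0400         # image declares that it uses no SEH handlers at all

def hardening_flags(image: bytes) -> dict:
    """Report the hardening bits set in a PE image's DllCharacteristics."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)      # e_lfanew
    opt = pe_off + 24            # 4-byte signature + 20-byte COFF header
    if len(image) < opt + 72 or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing or truncated PE header")
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 20)
    (magic,) = struct.unpack_from("<H", image, opt)
    if opt_size < 72 or magic not in (0x10B, 0x20B):       # PE32 / PE32+
        raise ValueError("unsupported optional header")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (chars,) = struct.unpack_from("<H", image, opt + 70)
    return {
        "pe32_plus": magic == 0x20B,
        "dynamicbase": bool(chars & DYNAMIC_BASE),
        "nxcompat": bool(chars & NX_COMPAT),
        "no_seh": bool(chars & NO_SEH),
    }

def sample_image(dll_characteristics: int, magic: int = 0x10B) -> bytes:
    """Constructed header-only PE stub for the demo (not a loadable binary)."""
    pe_off = 0x80
    img = bytearray(pe_off + 24 + 96)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, pe_off)
    img[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<H", img, pe_off + 20, 96)           # SizeOfOptionalHeader
    struct.pack_into("<H", img, pe_off + 24, magic)
    struct.pack_into("<H", img, pe_off + 24 + 70, dll_characteristics)
    return bytes(img)

if __name__ == "__main__":
    samples = {"hardened": sample_image(DYNAMIC_BASE | NX_COMPAT),
               "legacy": sample_image(0)}
    for name, img in samples.items():
        print(name, hardening_flags(img))
```

To check a real build output, pass the bytes of the DLL read in binary mode to `hardening_flags`.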

Status

Assignee

Peter Edberg

Reporter

Peter Edberg

Components

Priority

assess