ICU for Windows should build with compiler options SAFESEH, NXCOMPAT, DYNAMICBASE

Description

The ICU build for Windows should use all four of the following newer Visual Studio .NET compiler options, which can provide security benefits in hardening components against buffer overflow attacks: /GS, /DYNAMICBASE, /NXCOMPAT, and /SAFESEH.

  • /GS - Applications and libraries compiled with this option will have consistency checks added to the resulting executable which attempt to defeat stack-based buffer overflow exploits. Slight performance impact. Incompatible with code that makes assumptions about stack layout (e.g. inling assembly).

  • /SAFESEH - A common method of evading the security checks added by /GS is to overwrite Structured Exception Handling (SEH) records. This option adds additional information to the binary, allowing the system to detect the corruption of these records and prevent the execution of malicious code.

  • /DYNAMICBASE - This option allows the executable image to be relocated by Address Space Layout Randomization (ASLR) on Windows Vista. Code which depends on static library load addresses, for example, will fail.

  • /NXCOMPAT - Applications compiled with this option gain the benefit of Windows Vista's Data Execution Prevention (DEP) feature. Code which attempts to execute from the stack, heap, or other data regions to generate access violations, unless the pages being executed are explicitly marked for execution.
    (DYNAMICBASE and NXCOMPAT are ignored on non-Vista systems)

Activity

Show:
TracBot
June 30, 2018, 11:37 PM
Trac Comment 1 by —2008-04-23T18:41:48.000Z

Raise any issues if these would break (fail with an error) on older compilers.
Add to config/mh-cygwin-msvc and project files and determine if it would break on 2005 or 2008, and 2003 ( may not care about 2003 ).

dbertoni to determine what will break on other compilers.

Jeff Genovy
August 21, 2019, 7:14 PM

Note: We now have /DYNAMICBASE and /NXCOMPAT enabled on all the DLLs as of ICU-20768.

Assignee

Peter Edberg

Reporter

Peter Edberg

Components

Labels

Reviewer

None

Priority

assess

Time Needed

None

Fix versions

None
Configure