Binscope 2014 User Guide

Microsoft BinScope 2014 User Guide

Microsoft Trustworthy Computing

Contents

1. Overview

Microsoft BinScope 2014 was designed in order to help detect potential vulnerabilities that can be introduced into Binary files. The tests implemented in BinScope examine application binary files to identify coding and building practices that can potentially render the application vulnerable to attack or to being used as an attack vector. The tests include:  Validating compiler and linker flags

 Ensuring the use of “known good” ATL headers

 Verifying that current compiler versions are used

 Identifying specific coding constructs that are deemed "dangerous" By default, all checks required by the Microsoft SDL Process Guidance version 5.2 are enabled. However, users can enable and disable checks. BinScope supports a command-line interface to fit the needs of your environment. Typical Information Technology users of BinScope:  Developers use BinScope to verify compliance with coding and building best practices.

 IT Security Auditors, during reviews, can evaluate the risk presented by a particular piece of software installed on the Windows platform.

By reading this document and performing the sample exercise you can expect to gain the following skills:  To have a general understanding of what BinScope does and the value it can add to your security strategy.

 Understand the software requirements for BinScope.

 Understand the installation procedure.

 Perform a basic scan using BinScope.

 Be familiar with some of the terminology used in BinScope.

2. Purpose of Tool

Each of the BinScope checks addresses a weakness commonly exploited by attackers. The requirements enforced by BinScope do not eliminate all possible weaknesses, but they do make them much harder to exploit. In addition, the safeguards should not be considered separately; rather all tests should be performed. Security checks

BinScope performs the following checks:

Check SDL Required AppContainerCheck (Required for Windows Store Certification) No ATLVersionCheck Yes ATLVulnCheck Yes CompilerVersionCheck Yes DBCheck Yes DefaultGSCookieCheck Yes ExecutableImportsCheck Yes FunctionPointersCheck No GSCheck Yes GSFriendlyInitCheck Yes GSFunctionSafeBuffersCheck Yes Check SDL Required HighEntropyVACheck Yes NXCheck Yes RSA32Check Yes SafeSEHCheck Yes SharedSectionCheck Yes VB6Check Yes WXCheck Yes Table 1 BinScope Checks

3. Installation

For installation instructions and systems requirements, please see the Microsoft BinScope 2014 Getting Started Guide.

4. How to Run BinScope

For information on how to run BinScope, please see the Microsoft BinScope 2014 Getting Started Guide.

5. Analysis of BinScope Output

For information regarding analyzing BinScope results, please see the Microsoft BinScope 2014 Getting Started Guide. 6. Features Configurability

BinScope allows users to enable and disable checks. By default, all SDL required checks are enabled. BinScope detects the type of assembly that is being scanned and determines whether or not the enabled check is applicable. Command Line Mode

To run BinScope in Command Line mode, open the command window in the BinScope install directory. BinScope command line syntax is: BinScope.exe [ The following table outlines the options available via command line mode: Option Description /Checks (short: /c) Specify the Checks for scanning. One can specify multiple checks by using /Checks multiple times. (Use /listchecks to show all available checks)

/Html Change the output format to HTML for viewing in a browser.

/ListChecks (short: /lc) List all available checks.

/LogFile (short: /l) Specify the file name to store analysis output.

/MinimumCompilerVersion Sets a minimum compiler version for native projects.

/MinimumLinkerVersion Sets a minimum linker version for native projects.

/NoLogo Disable printing the logo header output to the console.

/OutDir (short: /d) Specify the output directory name to store the LogFile.

/PREfast (short: /pf) Generate analysis output in PREfast format instead of Red format. Only one output file format can be enabled at a time.

/Red Generate analysis output in Red format.

/SaveConfig (short: /save) Save configuration information (XML format) into the specified file.

/SkippedChecks (short: /e) Specify the Checks to be skipped for scanning. One can specify multiple checks to be skipped by using /SkippedChecks multiple times.

/SymPath (short: /s) Specify /sympath to be used by Binscope.

/Target Specify the full path to the target file to be scanned. Binscope supports files which are put into a Portable Executable container; e.g. DLLs, EXEs, SYSs, etc.

/Verbose (short: /v) Enable verbose log output.

/Xslt (short: /x) Write a report XSLT file suitable for displaying the Red file in the browser. Only Option Description works for /Red format & not the /PREFast format.

Table 1 Command Line Mode Options

7. Configure BinScope to Run Windows App Certification Kit Checks

The Windows App Certification Kit includes a subset of the BinScope security checks. Microsoft BinScope 2014 can be configured to run only the checks that are run as part of the Windows App Certification Kit.

1. Open a Command Prompt window and navigate to the BinScope installation directory.

8. For scans where the private symbols are in the same location as the binary, provide the following command:

binscope.exe /target “” /Checks "AppContainerCheck" /Checks "DBCheck" /Checks "ExecutableImportsCheck" /Checks "NXCheck" /Checks "SafeSEHCheck" /Checks "SharedSectionCheck" /Checks "WXCheck"

Note: BinScope is unable to run against files located in a system-protected directory.

9. For scans where the private symbols are not in the same location as the binary, provide the following command using /SymPath:

binscope.exe /target “” /SymPath “” /Checks "ExecutableImportsCheck" /Checks "NXCheck" /Checks "SafeSEHCheck" /Checks "SharedSectionCheck" /Checks "WXCheck"

10. Troubleshooting

Please see the links listed below in “Support”. 11. Automation

Binscope.exe by default runs all of SDL required checks against the target. Use the /SkippedChecks flag to skip certain checks that might not be appropriate in a daily build environment, such as CompilerVersionCheck. Example: Binscope.exe /target /SkippedChecks “CompilerVersionCheck” /logfile

12. Support

For support, please visit the following links:  Microsoft Security Development Lifecycle

 Microsoft Cyber Trust Blog

 MSDN Forums for SDL Copyright © 2015 Microsoft Corporation. All rights reserved. This document is provided "as-is." Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it.

Some examples are for illustration only and are fictitious. No real association is intended or inferred.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

Trustworthy Computing | BinScope 2014 User Guide 7