Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

win,build: add option to enable cfg #56605

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

win,build: add option to enable cfg #56605

wants to merge 4 commits into from
+21 −0

Conversation

huseyinacacak-janea
Copy link
Contributor

@huseyinacacak-janea huseyinacacak-janea commented Jan 15, 2025
edited
Loading

This adds an option to vcbuild.bat to compile with CFG (Control Flow Guard).

CFG is a programming or security concept used to ensure that the execution of a program follows its intended flow and prevents unauthorized or unintended behavior. It is often used to detect and mitigate attacks that exploit vulnerabilities, such as control flow hijacking, which occurs when an attacker manipulates the program’s control flow to execute malicious code.

  • CFG validates that indirect calls (e.g., calls via function pointers) and jumps go to legitimate, pre-determined destinations within the program.
  • When the application is compiled with CFG enabled, the compiler generates metadata about the valid control flow targets.
  • At runtime, Windows uses this metadata to verify the destination of indirect calls or jumps before allowing them.

More information about the CFG can be found at https://learn.microsoft.com/en-us/windows/win32/secbp/control-flow-guard

Fixes: #42100

@nodejs-github-bot
Copy link
Collaborator

Review requested:

  • @nodejs/gyp

@nodejs-github-bot nodejs-github-bot added build Issues and PRs related to build files or the CI. needs-ci PRs that need a full CI run. windows Issues and PRs related to the Windows platform. labels Jan 15, 2025
jasnell
jasnell approved these changes Jan 15, 2025
View reviewed changes
Copy link
Member

@jasnell jasnell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM but would be worthwhile to expand on the motivation a bit in the PR or the commit message for folks unfamiliar with cfg

richardlau
richardlau reviewed Jan 15, 2025
View reviewed changes
Copy link
Member

@richardlau richardlau left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would rather a more descriptive name than "cfg" was used in common.gypi and configure (I'm less concerned with vcbuild.bat).

Are there any plans to enable this by default in the future?

common.gypi Outdated Show resolved Hide resolved
configure.py Outdated Show resolved Hide resolved
@huseyinacacak-janea
Copy link
Contributor Author

Are there any plans to enable this by default in the future?

No plan yet. CFG adds extra checks to the code to increase security. Therefore, these checks have a runtime cost in certain situations. Instead of enabling it by default, it might be enabled and released as a separate executable.

@huseyinacacak-janea
Copy link
Contributor Author

LGTM but would be worthwhile to expand on the motivation a bit in the PR or the commit message for folks unfamiliar with cfg

I've updated the PR description to give more information about CFG.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@richardlau richardlau richardlau left review comments

@jasnell jasnell jasnell approved these changes

Assignees
No one assigned
Labels
build Issues and PRs related to build files or the CI. needs-ci PRs that need a full CI run. windows Issues and PRs related to the Windows platform.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Enable CFG in node.exe
4 participants
@huseyinacacak-janea @nodejs-github-bot @jasnell @richardlau