# AD2006: BuildWithSecureTools

## Summary
| Property | Value |
|---|---|
| ID | AD2006 |
| Name | BuildWithSecureTools |
| Category | Security |
| Severity | Error |
| Applies to | PE (Windows) with PDB files |
## Description
Application code should be compiled with the latest tool sets possible to take advantage of the most current compile-time security features. Among other things, these features provide address space layout randomization, help prevent arbitrary code execution, and enable code generation that can help prevent speculative execution side-channel attacks.
## How It Works
The rule examines the PDB file associated with a binary and extracts compiler version information from the compiland records. It compares the compiler version against known minimum secure versions:
- Visual Studio 2022 (17.x): MSVC 19.30+
- Visual Studio 2019 (16.x): MSVC 19.20+
- Visual Studio 2017 (15.x): MSVC 19.10+
Older compilers may have known vulnerabilities or lack important security features.
## Why This Matters
Compilers are complex software that can contain security vulnerabilities in their code generation. Using outdated compilers means your binaries may contain code patterns that are inherently exploitable, regardless of how secure your source code is.
### Compiler Security Evolution
Each compiler version brings security improvements:
| Era | Security Features Added |
|---|---|
| MSVC 2012 | /sdl (Security Development Lifecycle) checks |
| MSVC 2015 | Improved CFG (Control Flow Guard), better /GS |
| MSVC 2017 | Spectre mitigations (/Qspectre), improved ASLR |
| MSVC 2019 | CET Shadow Stack support, enhanced CFI |
| MSVC 2022 | ARM64 security features, improved sanitizers |
### Known Compiler Vulnerabilities
Historical examples of compiler bugs that affected security:
- Incorrect optimization removing security checks: Compilers have been known to optimize away security-critical null checks or bounds checks that appear "unnecessary" to the optimizer.
- Code generation bugs: Certain code patterns could trigger incorrect code generation, creating vulnerabilities even in correct source code.
- Mitigation bypasses: Early implementations of security features like /GS had known bypass techniques that were fixed in later versions.
### Spectre and Microarchitectural Attacks
The Spectre vulnerabilities (2018) required compiler updates to mitigate. The /Qspectre flag, available only in MSVC 2017 15.5.5 and later, inserts instructions to prevent speculative execution side-channel attacks. Binaries built with older compilers cannot have these mitigations.
### Security Feature Effectiveness
Newer compilers implement security features more effectively:
- Control Flow Guard: The CFG implementation improves with each release, covering more indirect call patterns and reducing false negatives.
- Stack cookies: Cookie generation and checking code becomes more resistant to bypass techniques.
- ASLR support: Better handling of high-entropy addresses and position-independent code.
### Compliance and Auditing
Many security standards and internal policies require current toolchains:
- NIST guidelines recommend current, supported software
- Many enterprise security policies mandate specific minimum compiler versions
### Performance Considerations
Newer compilers generally produce faster code due to improved optimization passes, in addition to being more secure. There is rarely a performance reason to use older compilers.
## Resolution

### Upgrade Visual Studio
- Download the latest Visual Studio from visualstudio.microsoft.com
- Install the "Desktop development with C++" workload
- Rebuild your project with the new toolchain
### For Build Servers

Update the Visual Studio Build Tools on the build server to a current release and rebuild.
### Verify Compiler Version

Check the compiler version reported by `cl.exe` (it prints its version banner when run without arguments) and compare it against the table below.
## When to Suppress
This rule can be suppressed in the following scenarios:
- Legacy projects: Projects that cannot be upgraded due to dependencies
- Compatibility requirements: When newer compilers break compatibility
- Third-party binaries: When you can't control the build process
- Intentional older toolchain: Documented decision to use specific version
## Caveats
- Requires PDB files to determine compiler version
- Different compilands may use different compiler versions
- Version checking is based on MSVC version numbers, not Visual Studio year
## Minimum Recommended Versions
| Visual Studio | MSVC Version | Notes |
|---|---|---|
| VS 2022 17.0+ | 19.30+ | Current recommended |
| VS 2019 16.0+ | 19.20+ | Still supported |
| VS 2017 15.0+ | 19.10+ | End of support |
| VS 2015 | 19.00 | Not recommended |
| VS 2013 | 18.00 | Avoid |
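As an added example (not the rule's own implementation), the check described under "How It Works" in Python: it parses the version recorded for each compiland, judges the binary by its oldest compiland (see the caveat on mixed compilands), and maps the result onto the table above. The sample compiland records and the pass threshold of MSVC 19.10 are assumptions for illustration; actually reading the records out of a PDB is outside the scope of the snippet.

```python
"""Classify MSVC compiler versions found in a binary's compiland records.

Added example, not the AD2006 rule's code. Version strings are passed in
as plain text; in a real run they would come from the PDB's compiland
records, which this snippet does not read.
"""
import re

# MSVC major.minor floor -> Visual Studio era and note, from the rule's table.
MSVC_ERAS = [
    ((19, 30), "VS 2022", "Current recommended"),
    ((19, 20), "VS 2019", "Still supported"),
    ((19, 10), "VS 2017", "End of support"),
    ((19, 0), "VS 2015", "Not recommended"),
    ((18, 0), "VS 2013", "Avoid"),
]

# Pass/fail threshold: an assumption for this example (VS 2017 / MSVC 19.10).
DEFAULT_MINIMUM = (19, 10)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, build) from a version string, or None.

    Accepts a bare '19.29.30133' or a banner such as
    'Microsoft (R) Optimizing Compiler 19.29.30133'. Records that carry
    no version (e.g. import-library compilands) yield None.
    """
    match = _VERSION_RE.search(text or "")
    if not match:
        return None
    major, minor, build = match.groups()
    return (int(major), int(minor), int(build or 0))


def classify(version):
    """Map an MSVC version to the era table; older than VS 2013 is 'Unknown'."""
    for floor, vs_name, note in MSVC_ERAS:
        if version[:2] >= floor:
            return vs_name, note
    return "Unknown", "Avoid"


def evaluate_compilands(version_strings, minimum=DEFAULT_MINIMUM):
    """Return (passes, oldest_version, era, note), or None if nothing to judge.

    Different compilands may come from different compilers, so the binary is
    judged by the OLDEST compiler that contributed code to it.
    """
    versions = [v for v in map(parse_version, version_strings) if v]
    if not versions:
        return None  # no compiler records: the rule cannot evaluate
    oldest = min(versions)
    vs_name, note = classify(oldest)
    return (oldest[:2] >= minimum, oldest, vs_name, note)
```

Constructed input such as `["19.29.30133", "19.00.24215", "Import:KERNEL32.dll"]` fails the check, because the one VS 2015 compiland drags the whole binary down to MSVC 19.00 even though most of it was built with VS 2019.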
## Related Rules
- AD2007: EnableCriticalCompilerWarnings
- AD2024: EnableSpectreMitigations
- AD2026: EnableMicrosoftCompilerSdlSwitch