AD2032: DotNetEnableHighEntropyVA¶

Summary¶

Description¶

64-bit .NET binaries should be compiled with high-entropy virtual address space (ASLR) enabled. This significantly increases the entropy available for Address Space Layout Randomization (ASLR), making it much harder for attackers to predict memory layout.

How It Works¶

The rule checks if the PE binary:

1. Is a .NET/managed binary (has CLR runtime header)
2. Is 64-bit
3. Has both DYNAMIC_BASE and HIGH_ENTROPY_VA DLL characteristics set

Why This Matters¶

Even though .NET is managed code with type safety, it still runs in native memory and can be targeted by memory attacks. High-entropy ASLR for .NET assemblies makes exploitation dramatically harder, especially for attacks targeting the runtime itself.

Why .NET Still Needs ASLR¶

.NET has type safety but:

Attackers target these boundaries where managed meets native.

64-bit Entropy Advantage¶

32-bit ASLR:
  Address space: 2 GB
  Entropy: ~8 bits (256 positions)
  Brute-force: Practical

64-bit standard ASLR:
  Address space: ~2 TB
  Entropy: ~17 bits
  Brute-force: Harder

64-bit High-Entropy ASLR:
  Address space: 8 TB+
  Entropy: ~24+ bits
  Brute-force: Impractical

Attack Difficulty Comparison¶

High-entropy makes remote brute-force impractical.

CLR-Specific Considerations¶

The CLR itself benefits from ASLR:

CLR Components in Memory:
  clr.dll         - Runtime engine
  mscorlib.dll    - Base class library (Framework)
  System.*.dll    - Framework libraries
  clrjit.dll      - JIT compiler

All loaded at randomized addresses with high-entropy ASLR.

.NET Framework vs .NET Core/5+¶

JIT and ASLR Interaction¶

JIT compilation benefits from ASLR:

1. JIT code allocation: Code pages at random addresses
2. Method tables: CLR structures randomized
3. Object heap: Managed heap location random

All contribute to unpredictable memory layout.

Compliance and Best Practices¶

Migration from 32-bit¶

When migrating to 64-bit, ensure high-entropy is enabled:

<!-- Old 32-bit or Any CPU -->
<PlatformTarget>AnyCPU</PlatformTarget>

<!-- New 64-bit with full protection -->
<PlatformTarget>x64</PlatformTarget>
<HighEntropyVA>true</HighEntropyVA>

High-entropy ASLR provides:

• 8 TB address space: Instead of 2 GB, providing vastly more randomization
• 17+ bits of entropy: Makes brute-force attacks impractical
• Defense-in-depth: Complements other mitigations like DEP and CFG

Without high-entropy ASLR, an attacker may be able to: - Predict code/data locations - Bypass ASLR through brute-force - Exploit information disclosure bugs more easily

Resolution¶

.NET Framework (C#/VB.NET)¶

Use the -highentropyva compiler flag:

csc.exe -highentropyva+ MyApp.cs
vbc.exe -highentropyva+ MyApp.vb

.NET Core / .NET 5+¶

Add to your project file (.csproj):

<PropertyGroup>
    <HighEntropyVA>true</HighEntropyVA>
</PropertyGroup>

Visual Studio¶

1. Open Project Properties
2. Navigate to Build tab
3. Click "Advanced..."
4. Check "High-entropy Virtual Addresses" or select "x64"

MSBuild¶

<PropertyGroup>
    <HighEntropyVA>true</HighEntropyVA>
    <PlatformTarget>x64</PlatformTarget>
</PropertyGroup>

When to Suppress¶

This rule should rarely be suppressed. Possible exceptions:

• 32-bit only: Rule only applies to 64-bit binaries
• Legacy compatibility: Rare cases requiring specific memory layout
• Embedded systems: Constrained environments without ASLR support

Caveats¶

• Only applies to 64-bit assemblies
• Requires Windows 8 or later for full benefit
• Some very old .NET runtimes may not support this flag

Related Rules¶

• AD2009: EnableAddressSpaceLayoutRandomization
• AD2015: EnableHighEntropyVirtualAddresses

References¶

• /HIGHENTROPYVA
• Address Space Layout Randomization