AD2046: EnableAddressSanitizerPE¶
Summary¶
| Property | Value |
|---|---|
| ID | AD2046 |
| Name | EnableAddressSanitizerPE |
| Category | Security |
| Severity | Note |
| Applies to | PE (Windows) |
Description¶
Test builds of PE binaries should be compiled with AddressSanitizer (ASAN). ASAN instruments every load and store so that buffer overflows, use-after-free and similar memory safety bugs are reported at the faulting access, instead of surfacing later as a crash or a silently corrupted heap.
Note: This is an informational rule; the absence of ASAN in a release binary is not a defect. ASAN is meant for test builds, not production.
How It Works¶
The rule checks for ASAN runtime symbols:
- `__asan_*` function family (for example `__asan_init`, `__asan_report_*`)
- ASAN shadow memory setup
- Runtime library linkage (`clang_rt.asan*`)
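The check above can be reproduced outside the tool. The script below is an added example written for this page, not the rule's own implementation: it parses the PE import directory and reports imports from a `clang_rt.asan*` runtime DLL and any `__asan_*` functions, then falls back to a raw scan for the strings `AddressSanitizer` and `__asan_`, which a statically linked runtime still carries even though it leaves no imports. `build_sample_pe` is a constructed fixture that emits a minimal PE32+ containing only an import directory, so the script runs offline; point it at a real test build to confirm that `/fsanitize=address` actually took effect.

```python
# Added example for this page (not the rule's implementation): an ASAN-linkage
# check for PE files. build_sample_pe() is a constructed fixture, not a real binary.
import struct

ASAN_DLL_PREFIX = b"clang_rt.asan"     # e.g. clang_rt.asan_dynamic-x86_64.dll
ASAN_FUNC_PREFIX = b"__asan_"           # __asan_init, __asan_report_store1, ...
ASAN_STRINGS = (b"AddressSanitizer", b"__asan_")   # heuristic fallback markers


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is outside every section" % rva)


def _cstr(data, off):
    return data[off:data.index(b"\0", off)]


def pe_imports(data):
    """Yield (dll_name, [imported function names]) from the import directory."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt = pe_off + 24
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B       # PE32+ magic
    ddir = opt + (112 if is64 else 96)                           # data directories
    imp_rva = struct.unpack_from("<I", data, ddir + 8)[0]        # entry 1: imports
    sections = []
    for i in range(nsections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    if imp_rva == 0:
        return
    desc = _rva_to_offset(imp_rva, sections)
    width, fmt, by_ordinal = (8, "<Q", 1 << 63) if is64 else (4, "<I", 1 << 31)
    while True:
        ilt_rva, _, _, name_rva, iat_rva = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:                # all-zero descriptor terminates the list
            break
        names = []
        thunk = _rva_to_offset(ilt_rva or iat_rva, sections)
        while True:
            entry = struct.unpack_from(fmt, data, thunk)[0]
            if entry == 0:
                break
            if not entry & by_ordinal:   # hint/name entry: 2-byte hint, then name
                names.append(_cstr(data, _rva_to_offset(entry & 0x7FFFFFFF, sections) + 2))
            thunk += width
        yield _cstr(data, _rva_to_offset(name_rva, sections)), names
        desc += 20


def asan_indicators(data):
    """Collect ASAN evidence: runtime DLLs, __asan_* imports and fallback strings."""
    hits = {"dlls": [], "funcs": [], "strings": []}
    for dll, names in pe_imports(data):
        if dll.lower().startswith(ASAN_DLL_PREFIX):
            hits["dlls"].append(dll.decode())
        hits["funcs"] += [n.decode() for n in names if n.startswith(ASAN_FUNC_PREFIX)]
    hits["strings"] = [s.decode() for s in ASAN_STRINGS if s in data]
    return hits


def has_asan(data):
    h = asan_indicators(data)
    return bool(h["dlls"] or h["funcs"] or h["strings"])


def build_sample_pe(dll, funcs):
    """Constructed fixture: minimal PE32+ whose only section is an import directory."""
    SEC_VA, SEC_RAW = 0x1000, 0x200
    n = len(funcs)
    ilt_off, iat_off = 40, 40 + 8 * (n + 1)           # after descriptor + terminator
    names_off = iat_off + 8 * (n + 1)
    names, name_rvas = bytearray(), []
    for f in funcs:
        name_rvas.append(SEC_VA + names_off + len(names))
        names += b"\0\0" + f + b"\0" * (2 - len(f) % 2)  # hint + name, 2-byte aligned
    dll_rva = SEC_VA + names_off + len(names)
    names += dll + b"\0"
    thunks = b"".join(struct.pack("<Q", r) for r in name_rvas) + bytes(8)
    body = struct.pack("<IIIII", SEC_VA + ilt_off, 0, 0, dll_rva, SEC_VA + iat_off) + bytes(20)
    body += thunks + thunks + names
    ddirs = bytearray(128)
    struct.pack_into("<II", ddirs, 8, SEC_VA, 40)      # import table RVA and size
    opt = struct.pack("<H", 0x20B) + bytes(110) + bytes(ddirs)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x22)
    sec = b".idata\0\0" + struct.pack("<IIIIIIHHI", len(body), SEC_VA, len(body), SEC_RAW, 0, 0, 0, 0, 0xC0000040)
    hdr = b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + sec
    return hdr + bytes(SEC_RAW - len(hdr)) + bytes(body)


if __name__ == "__main__":
    import sys
    sample = build_sample_pe(b"clang_rt.asan_dynamic-x86_64.dll", [b"__asan_init", b"__asan_report_store1"])
    print(asan_indicators(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample))
```

The import walk is the reliable signal for a dynamically linked runtime (`/MD`); the string fallback is a heuristic that a statically linked runtime (`/MT`) needs, and it will also fire on any binary that merely embeds the word `AddressSanitizer` in a message, so treat a strings-only hit as a prompt to inspect, not as proof.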
Why This Matters¶
Memory safety bugs account for roughly 70% of the security vulnerabilities in large C/C++ codebases; both Microsoft (for Windows CVEs) and the Chromium project have reported about that share. ASAN turns most of these bugs from silent corruption into a deterministic, symbolized report at the first bad access, which is why it pays off in test builds even though it cannot ship in production.
What ASAN Detects¶
| Bug Class | Detection |
|---|---|
| Heap buffer overflow | ✓ |
| Stack buffer overflow | ✓ |
| Use-after-free | ✓ |
| Double-free | ✓ |
| Memory leaks | ✓ (with LSan on Linux/macOS; LeakSanitizer is not available in the MSVC or clang-cl toolchains on Windows) |
ASAN on Windows¶
| Compiler | Support |
|---|---|
| MSVC | /fsanitize=address (VS 2019 16.9 and later) |
| Clang-CL | /fsanitize=address (the GCC-style -fsanitize=address spelling is also accepted) |
| MinGW | -fsanitize=address, toolchain-dependent: LLVM-based MinGW distributions provide the runtime, GCC-based MinGW builds generally do not ship libasan |
Build with debug information (/Zi or -g) so reports are symbolized. The runtime follows the CRT choice: /MT links the ASAN runtime statically, while /MD imports it from clang_rt.asan_dynamic-x86_64.dll, which is the form an import-based check detects most easily.
Performance Considerations¶
ASAN has significant overhead; it is designed for testing, not production:
| Metric | Typical Overhead | Notes |
|---|---|---|
| CPU | 2-3x slowdown | Varies by workload; memory-heavy code is hit hardest |
| Memory | 2-3x usage | Shadow memory (1 byte per 8 bytes of application memory), redzones around allocations, and a quarantine that keeps freed blocks out of reuse |
| Binary size | 2x larger | Instrumentation code around every load and store |
| Startup time | Slower | Shadow memory reservation and runtime initialization |
Acceptable for testing, not production.
Test infrastructure planning:
| Consideration | Recommendation |
|---|---|
| CI/CD time | 2-3x longer test runs |
| Test machines | Provision 3x RAM |
| Parallel tests | May need reduction |
| Coverage | Run subset in ASAN mode |
When to use ASAN:
- Development builds
- CI/CD test runs
- Fuzzing campaigns
- Pre-release security testing
When NOT to use ASAN:
- Production deployments
- Performance benchmarking
- Customer-facing builds
Example Detection¶
```c
int main(void) {
    char buf[10];
    buf[10] = 'x';   // Out-of-bounds write: valid indices are 0..9
    return 0;
}
// Compile with optimization off (/Od or -O0) so the dead store is not eliminated.
// ASAN output (addresses differ per run and platform):
// ERROR: AddressSanitizer: stack-buffer-overflow
// WRITE of size 1 at 0x7fff5e9c6c5a
// #0 main test.c:3
```
Resolution¶
Enable ASAN in test builds: