# AD4001: ReportPECompilerData

## Summary
| Property | Value |
|---|---|
| ID | AD4001 |
| Name | ReportPECompilerData |
| Category | Reporting |
| Severity | Note |
| Applies to | PE (Windows) |
## Description

This rule emits CSV data to the console for every compiler/language/version combination observed in any PDB-linked compiland. This information is useful for understanding the toolchain used to build a binary and can help identify outdated or potentially vulnerable compiler versions.
## Why This Matters

Compiler and toolchain information is essential for security analysis, compliance verification, and supply chain security. Knowing what built a binary helps identify vulnerable toolchains, verify build processes, and investigate security incidents.

### Toolchain Security Implications
| Compiler Version | Security Risk |
|---|---|
| Old MSVC (<14.0) | Missing /GS improvements |
| Pre-VS2015 | Weak CFG support |
| Pre-VS2017 | Limited Spectre mitigations |
| Pre-VS2019 | No CET support |
Older compilers lack security features that newer versions provide.
### Supply Chain Verification

```text
Expected build: MSVC 19.35, /GS, /sdl
Actual binary:  MSVC 19.28, /GS, no /sdl
Alert: Build environment doesn't match policy!
```

Possible causes:
- Unauthorized toolchain
- Build system misconfiguration
- Supply chain compromise
### Compliance Auditing
| Standard | Compiler Requirement |
|---|---|
| Microsoft SDL | Current toolchain with /GS, /sdl |
| NIST | Document toolchain |
| PCI DSS | Secure development evidence |
| SOC 2 | Controlled build environment |
### Forensic Analysis Value

When investigating a security incident, the compiler data helps answer:
1. Was this binary built with our toolchain?
2. When was this version of the compiler released?
3. Were security flags enabled?
4. Is this consistent with other production builds?
### Compiler Bug Tracking

Known compiler bugs can affect security:
| MSVC Version | Known Issue |
|---|---|
| Certain 19.x | /GS bypass in specific code patterns |
| Various | Incorrect CFG table generation |
| Some versions | Spectre mitigation incomplete |
Tracking compiler versions helps identify affected binaries.
### Aggregate Analysis

Fleet-wide compiler data enables summaries such as:

```text
Across 1000 binaries:
- 850 built with MSVC 19.35+ ✓
- 100 built with MSVC 19.29 ⚠ (update recommended)
- 50 built with MSVC 17.0 ✗ (EOL, security risk)
```

Understanding the compiler version and settings used to build a binary is important for:
- Vulnerability Assessment: Older compilers may have known security bugs
- Compliance Verification: Ensuring builds use approved compiler versions
- Forensic Analysis: Understanding the build environment
- Supply Chain Security: Verifying expected build tools were used
## Output Format

The rule outputs CSV-formatted data with the following columns:

- Module: The compiland/object file name
- Compiler: Compiler type (e.g., "MSVC")
- Language: Source language (C, C++, etc.)
- FrontendVersion: Compiler frontend version (major.minor.build.qfe)
- BackendVersion: Compiler backend version
- SecurityChecks: Whether /GS is enabled (Yes/No/Unknown)
- SdlChecks: Whether /sdl is enabled (Yes/No/Unknown)
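The following script, an added example rather than part of BinSkim or this rule's documentation, shows how the CSV columns listed above can be checked against a build policy like the one in the Supply Chain Verification section and rolled up into the fleet-wide view from Aggregate Analysis. The header line, the sample rows and the policy thresholds are constructed assumptions, not output captured from the tool.

```python
import csv
import io
from collections import Counter

# Constructed sample of AD4001 output using the column names this page lists.
# The exact header line the tool emits is assumed here, not copied from the page.
SAMPLE_CSV = """Module,Compiler,Language,FrontendVersion,BackendVersion,SecurityChecks,SdlChecks
main.obj,MSVC,C++,19.35.32215.0,19.35.32215.0,Yes,Yes
util.obj,MSVC,C,19.35.32215.0,19.35.32215.0,Yes,Yes
legacy.obj,MSVC,C++,19.28.29337.0,19.28.29337.0,Yes,No
crt.obj,MSVC,C,17.0.61030.0,17.0.61030.0,Unknown,Unknown
"""

# Hypothetical build policy: minimum frontend major.minor plus required flags.
POLICY = {"min_frontend": (19, 35), "require_gs": True, "require_sdl": True}


def parse_version(text):
    """Turn 'major.minor.build.qfe' into a tuple of ints so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def check_module(row, policy=POLICY):
    """Return the policy findings for one compiland row (an empty list means compliant)."""
    findings = []
    version = parse_version(row["FrontendVersion"])
    if version[:2] < policy["min_frontend"]:
        findings.append("outdated compiler %s" % row["FrontendVersion"])
    # 'Unknown' counts as a failure: absence of evidence is not compliance.
    if policy["require_gs"] and row["SecurityChecks"] != "Yes":
        findings.append("/GS not confirmed (%s)" % row["SecurityChecks"])
    if policy["require_sdl"] and row["SdlChecks"] != "Yes":
        findings.append("/sdl not confirmed (%s)" % row["SdlChecks"])
    return findings


def audit(csv_text, policy=POLICY):
    """Evaluate every row; return (findings per module, count of compilands per frontend major.minor)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    results = {row["Module"]: check_module(row, policy) for row in rows}
    versions = Counter(".".join(row["FrontendVersion"].split(".")[:2]) for row in rows)
    return results, versions


if __name__ == "__main__":
    results, versions = audit(SAMPLE_CSV)
    for module, findings in results.items():
        print(module, "OK" if not findings else "; ".join(findings))
    print("frontend versions:", dict(versions))
```

Feeding the real rule output into `audit` in place of `SAMPLE_CSV` gives the per-module findings and the version histogram on which the fleet summary above is based.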
## Requirements
- A PDB file must be available for the binary
- The PDB must contain debug information with compiland symbols
## Resolution

This rule is informational and does not require any action to resolve. To ensure the rule can provide useful information:
- Build with debug information that includes compiland details
- Keep PDB files available alongside binaries
- Use consistent build environments
## See Also
- AD2006: BuildWithSecureTools - Ensures up-to-date compiler versions
- AD2026: EnableMicrosoftCompilerSdlSwitch - SDL compiler checks