Closed Bug 674250 Opened 10 years ago Closed 10 years ago

add binscope to Windows build images

Categories

(Release Engineering :: General, defect)

x86
Windows Server 2003
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: imelven, Assigned: bhearsum)

References

Details

(Whiteboard: [sg:want P2])

Attachments

(1 file)

for bug 642243 please install Microsoft's Binscope tool (can be downloaded at http://www.microsoft.com/download/en/details.aspx?id=11910 , more info at http://blogs.msdn.com/b/architecture/archive/2009/09/15/security-verification-binscope-binary-analyzer.aspx) on the Windows build machines. there's a python script in bug 642243 that aims to make it easy to run binscope as part of the build, feedback is appreciated :) Also please note that it seems like the .NET Framework 3.5 is a prereq on Windows 2003 server, but not on a fully patched Windows 2008 server.
Blocks: 642243
Whiteboard: [sg:want P2]
Component: Build Config → Release Engineering
Product: Core → mozilla.org
QA Contact: build-config → release
Version: Trunk → other
Is binscope freely redistributable?  It might make sense to stick it in mozilla-build if it is ...
(In reply to comment #1)
> Is binscope freely redistributable?  It might make sense to stick it in
> mozilla-build if it is ...

i'll look into this.
the EULA installed with binscope says :

1.	You may not
•	work around any technical limitations in the software;
•	reverse engineer, decompile or disassemble the software, except and only to the extent that applicable law expressly permits, despite this limitation;
•	make more copies of the software than specified in this agreement or allowed by applicable law, despite this limitation;
•	publish the software for others to copy;
•	rent, lease or lend the software;
•	transfer the software or this agreement to any third party; or
•	use the software for commercial software hosting services.

IANAL, but that seems to prohibit us redistributing binscope as it stands.
Fwiw, getting it into MozillaBuild doesn't help fast deployment (we'd probably deploy it individually anyways). I'll try to have a look this week and see how easy/difficult this is.
Assignee: nobody → bhearsum
Looks like this works out-of-box on our build machines. It supports passive installation, too: "msiexec /i BinScopeSetup.exe /passive". After installation I ran it and it popped a UI, so AFAICT it will work. Is there anything else I should try to confirm?

Also, this is only required on build machines, correct? (Eg, do you need it available during unit test or talos runs?)
(In reply to comment #5)
> Looks like this works out-of-box on our build machines. It supports passive
> installation, too: "msiexec /i BinScopeSetup.exe /passive". After
> installation I ran it and it popped a UI, so AFAICT it will work. Is there
> anything else I should try to confirm?
> 
> Also, this is only required on build machines, correct? (Eg, do you need it
> available during unit test or talos runs?)

if you felt so inclined you could try running the python script in bug 642243 and seeing if it works correctly on a build machine. i would also love your feedback on the right paths for logs etc. and if there's anything else in the script in terms of input or output you would like, or of course feel free to tweak it to be suitable, if you prefer.

it's only required on the build machines (if my understanding of our infrastructure is correct), if we can turn the build red (fail it) when the windows binaries don't pass the binscope checks, that's our goal.
(In reply to comment #6)
> (In reply to comment #5)
> > Looks like this works out-of-box on our build machines. It supports passive
> > installation, too: "msiexec /i BinScopeSetup.exe /passive". After
> > installation I ran it and it popped a UI, so AFAICT it will work. Is there
> > anything else I should try to confirm?
> > 
> > Also, this is only required on build machines, correct? (Eg, do you need it
> > available during unit test or talos runs?)
> 
> if you felt so inclined you could try running the python script in bug
> 642243 and seeing if it works correctly on a build machine. i would also
> love your feedback on the right paths for logs etc. and if there's anything
> else in the script in terms of input or output you would like, or of course
> feel free to tweak it to be suitable, if you prefer.

I didn't actually have a Firefox build on the machine I installed it on, but I did have a XULRunner one. Here's what I tried:
E:\builds\moz2_slave\m-cen-w32-xr\build\obj-firefox\dist>python bs.py bin/xulrunner.exe bin/plugin-container.exe crashreporter-symbols
Microsoft SDL BinScope binary analysis tool v1.0.4027.29711
TEST-UNEXPECTED-FAIL |autobinscope.py| firefox.exe is missing a needed Windows protection, such as /GS or ASLR
Microsoft SDL BinScope binary analysis tool v1.0.4027.29711
TEST-UNEXPECTED-FAIL |autobinscope.py| plugin-container.exe is missing a needed Windows protection, such as /GS or ASLR

Also, I left comments in the other bug about the script.
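
Added example, not part of this bug thread and not the script from bug 642243: a build-side check that reads the PE optional header directly and reports binaries that have not opted in to ASLR or DEP, in the TEST-UNEXPECTED-FAIL log style shown above. The checker name pe_flags_check, the helper fake_pe and its sample headers are constructed for illustration; /GS is not covered because it cannot be read from a header flag.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits in the PE optional header
DYNAMIC_BASE = 0x0040  # set by the linker's /DYNAMICBASE (ASLR opt-in)
NX_COMPAT = 0x0100     # set by the linker's /NXCOMPAT (DEP opt-in)

def dll_characteristics(data):
    """Return the DllCharacteristics field of a PE image given as bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = pe_off + 4 + 20  # skip the signature and the 20-byte COFF header
    if len(data) < opt + 72:
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+
    return struct.unpack_from("<H", data, opt + 70)[0]

def missing_protections(data):
    """List the opt-in protections the image does not declare."""
    flags = dll_characteristics(data)
    wanted = ((DYNAMIC_BASE, "ASLR (/DYNAMICBASE)"), (NX_COMPAT, "DEP (/NXCOMPAT)"))
    return [label for bit, label in wanted if not flags & bit]

def report(name, data):
    """One build-log line per missing protection (hypothetical checker name)."""
    return ["TEST-UNEXPECTED-FAIL | pe_flags_check | %s is missing %s" % (name, m)
            for m in missing_protections(data)]

def fake_pe(flags, magic=0x10B):
    """Constructed sample: a minimal MZ/PE header carrying the given flags."""
    buf = bytearray(0x80 + 24 + 72)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x80 + 24, magic)
    struct.pack_into("<H", buf, 0x80 + 24 + 70, flags)
    return bytes(buf)

if __name__ == "__main__":
    failures = []
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            failures += report(path, fh.read())
    print("\n".join(failures))
    sys.exit(1 if failures else 0)  # non-zero exit lets the build step fail
```
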
Attachment #549215 - Flags: review?(rail) → review+
looks good to me.
Attachment #549215 - Flags: checked-in+
I set this to roll out on all of the Windows build machines (64-bit Windows excluded, because it's not a supported platform yet....)

It'll take a day or two for all of the slaves to pick it up. After that, you're good to start pushing to try or landing changes that require it!
This is now installed on all accessible build slaves (a few are down for maintenance, should pick it up when they come back online).
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Product: mozilla.org → Release Engineering