[sqlite] Windows 8.x security requirements / SafeSEHCheck - NXCheck - DBCheck
Hi Everyone,

I am new here, and have a question.

For my application that relies on SQLite I am seeking Windows 8 certification in accordance with the following article.

https://msdn.microsoft.com/en-us/windows/desktop/hh749939.aspx

To verify its compliance I run the installer against the Windows Certification Kit 3.4.

This indicates that the SQLite DLL I use fails the above-mentioned test.

Is there any SQLite binary out there that complies with the security measures MS imposes for desktop app certification?

Best regards,

Maarten MOSTERT

28 Av Alphonse Denis
83400 Hyères, France
+33 676411296
http://stakepoint.com/
[sqlite] Windows 8.x security requirements / SafeSEHCheck - NXCheck - DBCheck
Please find hereunder the test results.

Best regards,

Maarten MOSTERT

28 Av Alphonse Denis
83400 Hyères, France
+33 676411296
http://stakepoint.com/

== Windows App Certification Kit - Test Results ==

App name: StakePoint "Technical-Preview"
App publisher: Maarten MOSTERT
App version: 15.03.0019
OS Version: Microsoft Windows 8.1 (6.3.9600.0)
Kit Version: 3.4
Report time: 31/03/2015 15:03:53

Overall result: PASSED WITH WARNINGS
It is highly recommended that you investigate and root cause warnings to ensure that users of your app aren't negatively impacted.

Windows security features test
WARNING
Binary analyzer
Warning: The binary analyzer test detected the following errors:
File C:\Program Files\StakePoint\sqlite3.dll has failed the NXCheck check.
File C:\Program Files\StakePoint\sqlite3.dll has failed the DBCheck check.
File C:\Program Files\StakePoint\sqlite3.dll has failed the SafeSEHCheck check.
Impact if not fixed: If the app doesn't use the available Windows protections, it can increase the vulnerability of the customer's computer to malware.
How to fix: Apply the SAFESEH, DYNAMICBASE, and NXCOMPAT options when you link the app. See link below for more information:
[Fixing Binary Analyzer Errors](http://go.microsoft.com/fwlink/?LinkId=247433)

> "Richard Hipp" wrote:
> On 4/2/15, maarten.mostert at stakepoint.com wrote:
> >
> > Hi Everyone,
> >
> > I am new here, and have a question.
> >
> > For my application that relies on SQLite I am seeking Windows 8
> > certification in accordance with the following article.
> >
> > https://msdn.microsoft.com/en-us/windows/desktop/hh749939.aspx
> >
> > To verify its compliance I run the installer against the Windows
> > Certification Kit 3.4.
> >
> > This indicates that the SQLite DLL I use fails the above-mentioned test.
>
> The links you provide mention dozens of different tests. Which ones
> are failing?
>
> >
> > Is there any SQLite binary out there that complies with the security measures
> > MS imposes for desktop app certification?
> >
> > Best regards,
> >
> > Maarten MOSTERT
> >
> > 28 Av Alphonse Denis
> > 83400 Hyères, France
> > +33 676411296
> > http://stakepoint.com/
>
> --
> D. Richard Hipp
> drh at sqlite.org
[sqlite] Windows 8.x security requirements / SafeSEHCheck - NXCheck - DBCheck
These are basically compiler switches as far as I understand.

I am not a C programmer, so it is also quite difficult for me to link the library statically.

This is what I can read about it here:

https://msdn.microsoft.com/en-us/library/windows/apps/jj657973.aspx#binscope_2

/SafeSEH Exception Handling Protection

Windows App Certification Kit error message: SafeSEHCheck Test failed

An exception handler runs when the app encounters an exceptional condition, such as a divide-by-zero error. Because the address of the exception handler is stored on the stack when a function is called, it could be vulnerable to a buffer overflow attacker if some malicious software were to overwrite the stack.

What to do if your app fails this test

Enable the /SAFESEH option in the linker command when you build your app. This option is on by default in the Release configurations of Visual Studio. Verify this option is enabled in the build instructions for all executable modules in your app.

Remarks

The test is not performed on 64-bit binaries or ARM chipset binaries because they don't store exception handler addresses on the stack.

Data Execution Prevention

Windows App Certification Kit error message: NXCheck Test failed

This test verifies that an app doesn't run code that is stored in a data segment.

What to do if your app fails this test

Enable the /NXCOMPAT option in the linker command when you build your app. This option is on by default in linker versions that support Data Execution Prevention (DEP).

Remarks

We recommend that you test your apps on a DEP-capable CPU and fix any failures you find that result from DEP.

Address Space Layout Randomization

Windows App Certification Kit error message: DBCheck Test failed

Address Space Layout Randomization (ASLR) loads executable images into unpredictable locations in memory, which makes it harder for malicious software that expects a program to be loaded at a certain virtual address to operate predictably. Your app and all components that your app uses must support ASLR.

What to do if your app fails this test

Enable the /DYNAMICBASE option in the linker command when you build your app. Verify that all modules that your app uses also use this linker option.

Remarks

Normally, ASLR doesn't affect performance. But in some scenarios there is a slight performance improvement on 32-bit systems. It is possible that performance could degrade in a highly congested system that have many images loaded in many different memory locations.

This test is performed on only apps written in managed code, such as by using C# or .NET Framework.

Best regards,

Maarten MOSTERT

> "Richard Hipp" wrote:
> On 4/2/15, maarten.mostert at stakepoint.com wrote:
> >
> > WARNING
> > Binary analyzer
> > Warning: The binary analyzer test detected the following errors:
> > File C:\Program Files\StakePoint\sqlite3.dll has failed the NXCheck check.
> > File C:\Program Files\StakePoint\sqlite3.dll has failed the DBCheck check.
> > File C:\Program Files\StakePoint\sqlite3.dll has failed the SafeSEHCheck
> > check.
> >
>
> I have no idea what the above means.
>
> Can you work around it by statically linking SQLite into your
> application, rather than using a separate DLL?
> --
> D. Richard Hipp
> drh at sqlite.org
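An added example (not code from this thread or from the SQLite project): a Python check that reads the PE header fields set by the /NXCOMPAT, /DYNAMICBASE and /SAFESEH linker options discussed above, so a DLL can be inspected before it goes through the certification kit. The function names and the constructed sample header are assumptions made for illustration, and the SafeSEH test (NO_SEH flag set, or a non-zero SEHandlerTable in the load-config directory) approximates the kit's check, whose exact logic the thread does not give.

```python
import struct

DYNAMIC_BASE, NX_COMPAT, NO_SEH = 0x0040, 0x0100, 0x0400  # DllCharacteristics bits
I386 = 0x014C  # COFF Machine value for 32-bit x86

def rva_to_offset(data, sect_tab, nsec, rva):
    """Map an RVA to a file offset via the section table (None if unmapped)."""
    for i in range(nsec):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, sect_tab + 40 * i + 8)
        if rva and vaddr <= rva < vaddr + max(vsize, rsize):
            return rptr + (rva - vaddr)
    return None

def check_pe(data):
    """Approximate NXCheck / DBCheck / SafeSEHCheck for a PE image given as bytes."""
    pe = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" and len(data) >= 0x40 else -1
    if pe < 0 or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    flags = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in PE32 and PE32+
    res = {"NXCheck": bool(flags & NX_COMPAT), "DBCheck": bool(flags & DYNAMIC_BASE)}
    if machine != I386:
        res["SafeSEHCheck"] = None  # per the quoted remarks, not run on 64-bit or ARM
        return res
    ok = bool(flags & NO_SEH)  # image declares that it uses no SEH handlers
    n_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    rva = struct.unpack_from("<I", data, opt + 96 + 8 * 10)[0] if n_dirs > 10 else 0
    off = rva_to_offset(data, opt + opt_size, nsec, rva)
    if off is not None and struct.unpack_from("<I", data, off)[0] >= 72:
        ok = ok or struct.unpack_from("<I", data, off + 64)[0] != 0  # SEHandlerTable
    res["SafeSEHCheck"] = ok
    return res

def sample_pe32(flags, safeseh):
    """Constructed minimal PE32 header plus one section (sample input, not a loadable DLL)."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<H", opt, 70, flags)  # DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 10, 0x1000, 72)  # load-config directory entry
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)  # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", I386, 1, 0, 0, 0, 224, 0x2102)
    sect = b".rdata\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + bytes(16)
    table = 0x10001100 if safeseh else 0  # SEHandlerTable (a VA), 0 when absent
    cfg = struct.pack("<I", 72) + bytes(60) + struct.pack("<II", table, 1 if table else 0)
    hdr = dos + b"PE\0\0" + coff + bytes(opt) + sect
    return hdr.ljust(0x200, b"\0") + cfg.ljust(0x200, b"\0")
```

On a real file, call `check_pe(open(path, "rb").read())`; a `False` for a key corresponds to the matching failure line in the kit's report.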
[sqlite] Windows 8.x security requirements / SafeSEHCheck - NXCheck - DBCheck
Thank you very much for the DLL and this very interesting discussion.

SQLite passes the certification test with this version.

I don't have my hands on an XP box to test if this version runs there, but I can ship a different version for XP if that is the toll to pay.

Notice that SQLite is not the only DLL with problems; many libraries, like Cairo graphics and pacparser for instance, do not comply yet.

But then like any industry, security is something we have to deal with.

Best regards and thanks again.

Maarten MOSTERT

28 Av Alphonse Denis
83400 Hyères, France
+33 676411296
http://stakepoint.com/

> "Random Coder" wrote:
> On Thu, Apr 2, 2015 at 10:58 AM, wrote:
> >
> > These are basically compiler switches as far as I understand.
> >
> > I am not a C programmer, so it is also quite difficult for me to link the library
> > statically.
>
> These tests basically map to the /SAFESEH, /DYNAMICBASE, and /NXCOMPAT
> linker flags. Though, as I understand it, passing these tests is
> recommended, and not required for Windows 8 certification.
>
> I have a dump of a build of sqlite from a recent internal build. I'm
> not connected with the SQLite project, I just use it, and happen to
> turn on these flags in my build environment for other reasons.
>
> https://bucket-1f8c9d86.s3.amazonaws.com/sqlite3.zip
>
> You can either use my DLL, or build your own version of the DLL with
> these options enabled.
>
> I'd recommend the SQLite team turn them on for the version of the DLL
> they distribute, but I'm honestly not sure if there are negative side
> effects to doing so.
[sqlite] Prevent database file from being overwritten by other processes
I have the same problem, but in order to prevent overriding I actually make a hidden copy of the file in the local app directory when opening it.

This allows me to recover it if the application breaks and to implement Save, Save As etc., and if it is no longer there I can still save where it was.

Just an idea.

Regards,

Maarten

> "Fabian Pröbstl" wrote:
> Hi there!
>
> Currently, we are using SQLite as our application file format for a Windows
> 7/C#/System.Data.SQLite based desktop application. We only allow one instance
> to open the file by running "set locking_mode=EXCLUSIVE;BEGIN EXCLUSIVE;COMMIT"
> when connecting to the database.
>
> This all works fine, however a user can still open Windows Explorer and copy
> paste a file with the same name but different content (e.g. an empty file) over
> an existing, exclusively locked database. From what I found out with the
> OpenedFilesView tool, SQLite seems to open the file with SHARED_WRITE, which
> explains why *any* process can overwrite the contents.
>
> Is there an easy way of configuring / changing this so that SHARED_WRITE is
> not acquired? Will SQLite even function? Is it just easier to create a hidden
> copy and work on that?
>
> Thanks for the advice
> Fabian

