Have an amazing solution built in RAD Studio? Let us know. Looking for discounts? Visit our Special Offers page!
News

RAD Studio 11.1 and Windows PE Security Flags

Delphi and C++Builder 11.1 enable a number of PE security flags for Windows applications by default, some of which were previously available but a little hidden.


ASLR and other recommended Windows security flags have long been supported by Delphi. In the recent 11.1 release, Embarcadero made it easier to use those flags in both Delphi and C++Builder by surfacing specific linker options, enabling them by default and also building packages and applications that are part of RAD Studio with those flags enabled.

More on these Windows PE Flags

Data Execution Prevention (DEP)

Allows the system to mark one or more pages of memory as non-executable preventing code from running from these regions of memory, and making it harder to exploit buffer overruns. You can read more about it in the Microsoft documentation here.

Address Space Layout Randomization (ASLR)

Randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap, and libraries. Prevents exploitation of memory-corruption vulnerabilities. You can read more about ASLR on Wikipedia.

High-entropy 64-bit ASLR (Only in 64-bit applications)

Allows ASLR to use the entire 64-bit address space, as you can read here.

Terminal Services

Create Terminal Server aware (TSAWARE) applications. This is not related with security and covered by Microsoft here.

RAD Studio Improved Support

While compiler flags existed before, the RAD Studio IDE now exposes these flags as linker options. You can see below the settings for Delphi and C++ Windows compilers (thanks for the images to Jim McKeeth)

peflags111_01-2313780

peflags111_02-3606655

A Couple of Caveats

The ASLR compiler configuration works as expected for Delphi applications that use runtime package. For programs that link in libraries in the executable, there is a conflict with the way programs refer to delayed loaded DLL functions, which is preventing the expected behavior. This is an issue Embarcadero found after the release and would provide a fix for in the (near) future.

As you can see below, for an app with runtime packages, you get the proper configuration, as shown by SysInternals Process Explorer:

peflags111_03-9363841

In general, these flags enforce security, and an application that uses low-level code may no longer function properly. We discovered, for example, that some old ActiveX controls no longer work in the IDE due to a conflict with the DEP flag.

If you notice any problems with your applications, you can disable these flags, but we recommend investigating the underlying problem, as some companies are requiring that all software they use to be built with all of the Microsoft recommended security flags enabled.

 

Interested in using Embarcadero’s IDE Software? It will help you Build Apps 5x Faster With One Codebase for Windows, Android, iOS, macOS, and Linux. Request a free trial here.


What's Coming in Delphi, C++Builder, and RAD Studio 11.2 Alexandria

Reduce development time and get to market faster with RAD Studio, Delphi, or C++Builder.
Design. Code. Compile. Deploy.
Start Free Trial   Upgrade Today

   Free Delphi Community Edition   Free C++Builder Community Edition

About author

Marco is one of the RAD Studio Product Managers, focused on Delphi. He's the best selling author of over 20 books on Delphi.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

IN THE ARTICLES