BinSkim is a binary static analysis tool that scans Windows Portable Executable (PE) files for security and correctness. Among the verifications performed by BinSkim are validations that the PE file has opted into all of the binary mitigations offered by the Windows Platform. Some of these mitigations ensure the binary has:
- SafeSEH enabled for safe exception handling,
- ASLR enabled so that memory is not laid out in a predictable fashion, and
- Stack Protection enabled to prevent overflow.
BinSkim is a useful mechanism to ensure that applications are benefiting from all mitigations available today.
What about Binscope?
BinSkim is not the first tool released by Microsoft to perform this verification. For a number of years Microsoft has made Binscope available for the same purpose. Going forward, Binscope will be phased out in favor of BinSkim, as BinSkim offers several advantages, such as:
- Leaner and more performant codebase, written in modern C#,
- Open source, released under the MIT license on GitHub, so that it can be included in other projects
- Static Analysis Results Interchange Format (SARIF) support to log findings. All Microsoft Static Analysis tools are unifying on this format. It is quite permissive, and other producers of static analysis tools are encouraged to provide support.
How do I get started with BinSkim?
To get started:
- Follow the instructions on downloading a stable build of BinSkim
- Alternatively, the source for BinSkim is available, which you can build yourself
- Run it against the output directory of a build via the command line:
binskim.exe <your output directory> --recurse --policy default --output MyRun.sarif
More details on the command line options can be found at https://github.com/Microsoft/binskim#command-line-documentation
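Once a run like the one above has written MyRun.sarif, the log can drive a build gate. The following is an added example, not part of the original post or of BinSkim itself; it assumes the log uses the SARIF 2.1.0 layout, the rule IDs, paths and messages in the sample are constructed, and load_findings, summarize and gate are hypothetical helper names.

```python
import json
from collections import Counter

# Constructed sample in SARIF 2.1.0 shape; not real BinSkim output.
def _result(rule, level, uri, text, kind="fail"):
    return {"ruleId": rule, "kind": kind, "level": level,
            "message": {"text": text},
            "locations": [{"physicalLocation":
                           {"artifactLocation": {"uri": uri}}}]}

SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "BinSkim"}},
    "results": [
        _result("BA2009", "error", "file:///C:/out/app.exe", "ASLR not enabled"),
        _result("BA2018", "error", "file:///C:/out/legacy.dll", "SafeSEH not enabled"),
        _result("BA2011", "warning", "file:///C:/out/app.exe", "Stack protection not verified"),
        _result("BA2009", "none", "file:///C:/out/good.dll", "ASLR enabled", kind="pass"),
    ]}]})

def load_findings(sarif_text):
    """Return (level, rule_id, uri, message) for every failing result."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        for res in run.get("results") or []:      # "results" may be null
            if res.get("kind", "fail") != "fail":
                continue                          # skip pass / notApplicable
            # Simplification: a missing level falls back to "warning" and
            # rule-level default configuration is not consulted.
            level = res.get("level", "warning")
            locs = res.get("locations") or [{}]
            uri = (locs[0].get("physicalLocation", {})
                          .get("artifactLocation", {}).get("uri", "<unknown>"))
            text = res.get("message", {}).get("text", "")
            findings.append((level, res.get("ruleId", "<no rule>"), uri, text))
    return findings

def summarize(findings):
    """Count failing results per (rule_id, level)."""
    return Counter((rule, level) for level, rule, _, _ in findings)

def gate(findings, fail_on=("error",)):
    """CI exit code: 1 if any finding has a level listed in fail_on."""
    return 1 if any(level in fail_on for level, *_ in findings) else 0

if __name__ == "__main__":
    found = load_findings(SAMPLE_SARIF)  # or the text of MyRun.sarif
    for (rule, level), count in sorted(summarize(found).items()):
        print(f"{rule} {level}: {count}")
    raise SystemExit(gate(found))
```

Passing results are excluded before gating, so a binary that has opted into a mitigation never counts against the build.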
Give BinSkim a spin and let us know about any issues or feature requests in the comments below or on GitHub. More enhancements are coming to the tool over time, and we will let you know about them here.