This is a beta feature, and currently only applicable to the application executable file. PowerBuilder Runtime files will support this feature in the next major release.
This release introduces the following configurable security flags for the application executable file (appname.exe):
-
DEP (Data Execution Prevention) — Prevents execution of code in non-executable memory regions, helping mitigate buffer overflow attacks.
-
ASLR (Address Space Layout Randomization) — Randomizes the memory address layout to hinder attacks that rely on fixed addresses.
-
CFG (Control Flow Guard) — Verifies the validity of indirect calls and jumps, reducing the risk of function pointer overwrites and code injection.
-
SafeSEH (Safe Structured Exception Handling) — Protects the structured exception handling chain from being tampered with (only effective for 32-bit executables).
How to enable for native C/S apps
An Advanced Executable Security section is added to the Security tab of the project painter. Developers can select the desired security options before building the application.
-
For Pcode 32-bit / 64-bit — All four options available in 32-bit; SafeSEH is not applicable in 64-bit due to a different exception handling mechanism.
-
For Machine Code 32-bit / 64-bit — Not supported due to the compiler limitations; switch to Pcode to enable security flags.
How to enable for PowerClient apps
In the PowerClient project painter > Security tab, an Advanced Executable Security section has been added. Developers can select the desired security options before building the application.
How to enable for PowerServer installable cloud apps
-
For PowerServer Web API projects, these security options are automatically enabled during compilation and require no manual configuration.
-
For the client app, in the PowerServer project painter > Security tab, an Advanced Executable Security section has been added. Developers can select the desired security options before building the application.
Verification
After building, you can verify that the security flags are set by using tools such as PESecurity, dumpbin, or Windbg. For detailed instructions, refer to this article.
