You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/core/deploying/native-aot/index.md
+16-57Lines changed: 16 additions & 57 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -14,18 +14,6 @@ The benefit of Native AOT is most significant for workloads with a high number o
14
14
15
15
The Native AOT deployment model uses an ahead-of-time compiler to compile IL to native code at the time of publish. Native AOT apps don't use a just-in-time (JIT) compiler when the application runs. Native AOT apps can run in restricted environments where a JIT isn't allowed. Native AOT applications target a specific runtime environment, such as Linux x64 or Windows x64, just like publishing a [self-contained app](../index.md#publish-self-contained).
16
16
17
-
## Limitations in the .NET Native AOT deployment model
18
-
19
-
### [.NET 7](#tab/net7)
20
-
21
-
Native AOT is targeted towards console-type apps. Only a limited number of libraries are fully compatible with Native AOT.
22
-
23
-
### [.NET 8+](#tab/net8plus)
24
-
25
-
AOT support in .NET 8 is more comprehensive than in .NET 7. However, there are still some limitations. For more information, see [Limitations of Native AOT deployment](#limitations-of-native-aot-deployment).
26
-
27
-
---
28
-
29
17
## Prerequisites
30
18
31
19
# [Windows](#tab/windows)
@@ -84,12 +72,6 @@ Check out the [Native AOT samples](https://github.com/dotnet/samples/tree/main/c
84
72
85
73
## AOT-compatibility analyzers
86
74
87
-
### [.NET 7](#tab/net7)
88
-
89
-
AOT-compatibility analyzers are available only in .NET 8 and later versions.
90
-
91
-
### [.NET 8+](#tab/net8plus)
92
-
93
75
The `IsAotCompatible` property is used to indicate whether a library is compatible with Native AOT. Consider when a library sets the `IsAotCompatible` property to `true`, for example:
94
76
95
77
```xml
@@ -107,24 +89,8 @@ The preceding configuration assigns a default of `true` to the following propert
107
89
108
90
These analyzers help to ensure that a library is compatible with Native AOT.
109
91
110
-
---
111
-
112
92
## Native debug information
113
93
114
-
### [.NET 7](#tab/net7)
115
-
116
-
Native AOT publishing follows platform conventions for native toolchains. The default behavior of native toolchains on Windows is to produce debug information in a separate *.pdb* file. The default behavior of native toolchains on Linux is to include the debug information in the native binary, which makes the native binary larger.
117
-
118
-
Set the `StripSymbols` property to `true` to produce the debug information in a separate *.dbg* file and exclude it from the native binary on Linux. (This property has no effect on Windows.)
119
-
120
-
```xml
121
-
<PropertyGroup>
122
-
<StripSymbols>true</StripSymbols>
123
-
</PropertyGroup>
124
-
```
125
-
126
-
### [.NET 8+](#tab/net8plus)
127
-
128
94
By default, Native AOT publishing produces debug information in a separate file:
129
95
130
96
- Linux: *.dbg*
@@ -139,8 +105,6 @@ The debug file is necessary for running the app under the [debugger or inspectin
139
105
</PropertyGroup>
140
106
```
141
107
142
-
---
143
-
144
108
## Limitations of Native AOT deployment
145
109
146
110
Native AOT apps have the following limitations:
@@ -154,35 +118,16 @@ Native AOT apps have the following limitations:
154
118
- Apps include required runtime libraries (just like [self-contained apps](../index.md#publish-self-contained), increasing their size as compared to framework-dependent apps).
155
119
-<xref:System.Linq.Expressions> always use their interpreted form, which is slower than run-time generated compiled code.
156
120
- Not all the runtime libraries are fully annotated to be Native AOT compatible. That is, some warnings in the runtime libraries aren't actionable by end developers.
157
-
158
-
The publish process analyzes the entire project and its dependencies for possible limitations. Warnings are issued for each limitation the published app may encounter at run time.
159
-
160
-
### Version specific limitations
161
-
162
-
### [.NET 7](#tab/net7)
163
-
164
-
- Should be targeted for console type apps. ASP.NET Core is ***not*** supported.
165
-
- Limited diagnostic support for debugging and profiling.
166
-
167
-
### [.NET 8+](#tab/net8plus)
168
-
169
121
-[Diagnostic support for debugging and profiling](./diagnostics.md) with some limitations.
170
122
- Support for some ASP.NET Core features. For more information, see [ASP.NET Core support for Native AOT](/aspnet/core/fundamentals/native-aot/).
171
123
172
-
---
124
+
The publish process analyzes the entire project and its dependencies for possible limitations. Warnings are issued for each limitation the published app might encounter at run time.
173
125
174
126
## Platform/architecture restrictions
175
127
176
128
The following table shows supported compilation targets.
description: Learn about security features available with native AOT.
4
+
author: MichalStrehovsky
5
+
ms.author: michals
6
+
ms.date: 09/11/2024
7
+
---
8
+
9
+
# Security features
10
+
11
+
.NET offers many facilities to help address security concerns when building apps. Native AOT deployment builds on top of these facilities and provides several that can help harden your apps.
12
+
13
+
## No run-time code generation
14
+
15
+
Since native AOT generates all code at the time of publishing the app, no new executable code needs to be generated at run time. This allows running your apps in environments that disallow creation of new executable code pages at run time. All the code that the CPU executes can be digitally signed.
16
+
17
+
## Restricted reflection surface
18
+
19
+
When apps are published with native AOT, the compiler analyzes the usage of reflection within the app. Only the program elements that were deemed to be targets of reflection are available for reflection at run time. Places within the program that attempt to do unconstrained reflection are flagged using [trimming warnings](../trimming/fixing-warnings.md). Program elements that weren't intended to be targets of reflection cannot be reflected on. This restriction can prevent a class of issues where a malicious actor gets in control of what the program reflects on and invokes unintended code. This restriction includes approaches that use `Assembly.LoadFrom` or `Reflection.Emit` - neither of those work with native AOT, and their use is flagged with a warning at build time.
20
+
21
+
## Control Flow Guard
22
+
23
+
[Control Flow Guard](/windows/win32/secbp/control-flow-guard) is a highly optimized platform security feature on Windows that was created to combat memory corruption vulnerabilities. By placing tight restrictions on where an application can execute code from, it makes it much harder for exploits to execute arbitrary code through vulnerabilities such as buffer overflows.
24
+
25
+
To enable Control Flow Guard on your native AOT app, set the `ControlFlowGuard` property in the published project.
Control-flow Enforcement Technology (CET) Shadow Stack is a computer processor feature. It provides capabilities to defend against return-oriented programming (ROP) based malware attacks.
37
+
38
+
CET is enabled by default when publishing for Windows. To disable CET, set the `CetCompat` property in the published project.
![dotnet-policy-service[bot]](https://avatars.githubusercontent.com/in/285228?v=4&size=40){kind=avatar}
0 commit comments