highperfocused/bitcoin
1
0
Fork 0
mirror of https://github.com/bitcoin/bitcoin.git synced 2025-06-30 10:42:23 +02:00
Code Issues Packages Projects Releases Wiki Activity

scripts: use LIEF for ELF checks in security-check.py

Browse Source
This commit is contained in:
fanquake
2021-07-02 19:53:33 +08:00
parent 8242ae230e
commit cad40a5b16
1 changed files with 52 additions and 76 deletions
Download Patch File Download Diff File Expand all files Collapse all files

128
contrib/devtools/security-check.py
View File

@ -11,28 +11,6 @@ import sys
from typing import List, Optional from typing import List, Optional
import lief import lief
import pixie
def check_ELF_PIE(executable) -> bool:
'''
Check for position independent executable (PIE), allowing for address space randomization.
'''
elf = pixie.load(executable)
return elf.hdr.e_type == pixie.ET_DYN
def check_ELF_NX(executable) -> bool:
'''
Check that no sections are writable and executable (including the stack)
'''
elf = pixie.load(executable)
have_wx = False
have_gnu_stack = False
for ph in elf.program_headers:
if ph.p_type == pixie.PT_GNU_STACK:
have_gnu_stack = True
if (ph.p_flags & pixie.PF_W) != 0 and (ph.p_flags & pixie.PF_X) != 0: # section is both writable and executable
have_wx = True
return have_gnu_stack and not have_wx
def check_ELF_RELRO(executable) -> bool: def check_ELF_RELRO(executable) -> bool:
''' '''
@ -40,23 +18,25 @@ def check_ELF_RELRO(executable) -> bool:
GNU_RELRO program header must exist GNU_RELRO program header must exist
Dynamic section must have BIND_NOW flag Dynamic section must have BIND_NOW flag
''' '''
elf = pixie.load(executable) binary = lief.parse(executable)
have_gnu_relro = False have_gnu_relro = False
for ph in elf.program_headers: for segment in binary.segments:
# Note: not checking p_flags == PF_R: here as linkers set the permission differently # Note: not checking p_flags == PF_R: here as linkers set the permission differently
# This does not affect security: the permission flags of the GNU_RELRO program # This does not affect security: the permission flags of the GNU_RELRO program
# header are ignored, the PT_LOAD header determines the effective permissions. # header are ignored, the PT_LOAD header determines the effective permissions.
# However, the dynamic linker need to write to this area so these are RW. # However, the dynamic linker need to write to this area so these are RW.
# Glibc itself takes care of mprotecting this area R after relocations are finished. # Glibc itself takes care of mprotecting this area R after relocations are finished.
# See also https://marc.info/?l=binutils&m=1498883354122353 # See also https://marc.info/?l=binutils&m=1498883354122353
if ph.p_type == pixie.PT_GNU_RELRO: if segment.type == lief.ELF.SEGMENT_TYPES.GNU_RELRO:
have_gnu_relro = True have_gnu_relro = True
have_bindnow = False have_bindnow = False
for flags in elf.query_dyn_tags(pixie.DT_FLAGS): try:
assert isinstance(flags, int) flags = binary.get(lief.ELF.DYNAMIC_TAGS.FLAGS)
if flags & pixie.DF_BIND_NOW: if flags.value & lief.ELF.DYNAMIC_FLAGS.BIND_NOW:
have_bindnow = True have_bindnow = True
except:
have_bindnow = False
return have_gnu_relro and have_bindnow return have_gnu_relro and have_bindnow
@ -64,12 +44,8 @@ def check_ELF_Canary(executable) -> bool:
''' '''
Check for use of stack canary Check for use of stack canary
''' '''
elf = pixie.load(executable) binary = lief.parse(executable)
ok = False return binary.has_symbol('__stack_chk_fail')
for symbol in elf.dyn_symbols:
if symbol.name == b'__stack_chk_fail':
ok = True
return ok
def check_ELF_separate_code(executable): def check_ELF_separate_code(executable):
''' '''
@ -77,60 +53,60 @@ def check_ELF_separate_code(executable):
based on their permissions. This checks for missing -Wl,-z,separate-code based on their permissions. This checks for missing -Wl,-z,separate-code
and potentially other problems. and potentially other problems.
''' '''
elf = pixie.load(executable) binary = lief.parse(executable)
R = pixie.PF_R R = lief.ELF.SEGMENT_FLAGS.R
W = pixie.PF_W W = lief.ELF.SEGMENT_FLAGS.W
E = pixie.PF_X E = lief.ELF.SEGMENT_FLAGS.X
EXPECTED_FLAGS = { EXPECTED_FLAGS = {
# Read + execute # Read + execute
b'.init': R | E, '.init': R | E,
b'.plt': R | E, '.plt': R | E,
b'.plt.got': R | E, '.plt.got': R | E,
b'.plt.sec': R | E, '.plt.sec': R | E,
b'.text': R | E, '.text': R | E,
b'.fini': R | E, '.fini': R | E,
# Read-only data # Read-only data
b'.interp': R, '.interp': R,
b'.note.gnu.property': R, '.note.gnu.property': R,
b'.note.gnu.build-id': R, '.note.gnu.build-id': R,
b'.note.ABI-tag': R, '.note.ABI-tag': R,
b'.gnu.hash': R, '.gnu.hash': R,
b'.dynsym': R, '.dynsym': R,
b'.dynstr': R, '.dynstr': R,
b'.gnu.version': R, '.gnu.version': R,
b'.gnu.version_r': R, '.gnu.version_r': R,
b'.rela.dyn': R, '.rela.dyn': R,
b'.rela.plt': R, '.rela.plt': R,
b'.rodata': R, '.rodata': R,
b'.eh_frame_hdr': R, '.eh_frame_hdr': R,
b'.eh_frame': R, '.eh_frame': R,
b'.qtmetadata': R, '.qtmetadata': R,
b'.gcc_except_table': R, '.gcc_except_table': R,
b'.stapsdt.base': R, '.stapsdt.base': R,
# Writable data # Writable data
b'.init_array': R | W, '.init_array': R | W,
b'.fini_array': R | W, '.fini_array': R | W,
b'.dynamic': R | W, '.dynamic': R | W,
b'.got': R | W, '.got': R | W,
b'.data': R | W, '.data': R | W,
b'.bss': R | W, '.bss': R | W,
} }
if elf.hdr.e_machine == pixie.EM_PPC64: if binary.header.machine_type == lief.ELF.ARCH.PPC64:
# .plt is RW on ppc64 even with separate-code # .plt is RW on ppc64 even with separate-code
EXPECTED_FLAGS[b'.plt'] = R | W EXPECTED_FLAGS['.plt'] = R | W
# For all LOAD program headers get mapping to the list of sections, # For all LOAD program headers get mapping to the list of sections,
# and for each section, remember the flags of the associated program header. # and for each section, remember the flags of the associated program header.
flags_per_section = {} flags_per_section = {}
for ph in elf.program_headers: for segment in binary.segments:
if ph.p_type == pixie.PT_LOAD: if segment.type == lief.ELF.SEGMENT_TYPES.LOAD:
for section in ph.sections: for section in segment.sections:
assert(section.name not in flags_per_section) assert(section.name not in flags_per_section)
flags_per_section[section.name] = ph.p_flags flags_per_section[section.name] = segment.flags
# Spot-check ELF LOAD program header flags per section # Spot-check ELF LOAD program header flags per section
# If these sections exist, check them against the expected R/W/E flags # If these sections exist, check them against the expected R/W/E flags
for (section, flags) in flags_per_section.items(): for (section, flags) in flags_per_section.items():
if section in EXPECTED_FLAGS: if section in EXPECTED_FLAGS:
if EXPECTED_FLAGS[section] != flags: if int(EXPECTED_FLAGS[section]) != int(flags):
return False return False
return True return True
@ -203,8 +179,8 @@ def check_control_flow(executable) -> bool:
CHECKS = { CHECKS = {
'ELF': [ 'ELF': [
('PIE', check_ELF_PIE), ('PIE', check_PIE),
('NX', check_ELF_NX), ('NX', check_NX),
('RELRO', check_ELF_RELRO), ('RELRO', check_ELF_RELRO),
('Canary', check_ELF_Canary), ('Canary', check_ELF_Canary),
('separate_code', check_ELF_separate_code), ('separate_code', check_ELF_separate_code),