phantom/bitcoin
1
0
Fork 0
mirror of https://github.com/bitcoin/bitcoin.git synced 2025-04-29 23:09:44 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

contrib: simplify ELF test-security-check

Browse source
This commit is contained in:
fanquake 2024-07-10 16:37:14 +01:00
parent 1810e20677
commit 51d8f435c9
No known key found for this signature in database
GPG key ID: 2EEB9F5CC09526C1
2 changed files with 19 additions and 32 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
contrib/devtools/security-check.py
View file

@ -38,13 +38,13 @@ def check_ELF_RELRO(binary) -> bool:
return have_gnu_relro and have_bindnow return have_gnu_relro and have_bindnow
def check_ELF_Canary(binary) -> bool: def check_ELF_CANARY(binary) -> bool:
''' '''
Check for use of stack canary Check for use of stack canary
''' '''
return binary.has_symbol('__stack_chk_fail') return binary.has_symbol('__stack_chk_fail')
def check_ELF_separate_code(binary): def check_ELF_SEPARATE_CODE(binary):
''' '''
Check that sections are appropriately separated in virtual memory, Check that sections are appropriately separated in virtual memory,
based on their permissions. This checks for missing -Wl,-z,separate-code based on their permissions. This checks for missing -Wl,-z,separate-code
@ -105,7 +105,7 @@ def check_ELF_separate_code(binary):
return False return False
return True return True
def check_ELF_control_flow(binary) -> bool: def check_ELF_CONTROL_FLOW(binary) -> bool:
''' '''
Check for control flow instrumentation Check for control flow instrumentation
''' '''
@ -206,8 +206,8 @@ BASE_ELF = [
('PIE', check_PIE), ('PIE', check_PIE),
('NX', check_NX), ('NX', check_NX),
('RELRO', check_ELF_RELRO), ('RELRO', check_ELF_RELRO),
('Canary', check_ELF_Canary), ('CANARY', check_ELF_CANARY),
('separate_code', check_ELF_separate_code), ('SEPARATE_CODE', check_ELF_SEPARATE_CODE),
] ]
BASE_PE = [ BASE_PE = [
@ -228,7 +228,7 @@ BASE_MACHO = [
CHECKS = { CHECKS = {
lief.EXE_FORMATS.ELF: { lief.EXE_FORMATS.ELF: {
lief.ARCHITECTURES.X86: BASE_ELF + [('CONTROL_FLOW', check_ELF_control_flow)], lief.ARCHITECTURES.X86: BASE_ELF + [('CONTROL_FLOW', check_ELF_CONTROL_FLOW)],
lief.ARCHITECTURES.ARM: BASE_ELF, lief.ARCHITECTURES.ARM: BASE_ELF,
lief.ARCHITECTURES.ARM64: BASE_ELF, lief.ARCHITECTURES.ARM64: BASE_ELF,
lief.ARCHITECTURES.PPC: BASE_ELF, lief.ARCHITECTURES.PPC: BASE_ELF,

39
contrib/devtools/test-security-check.py
View file

@ -59,33 +59,20 @@ class TestSecurityChecks(unittest.TestCase):
arch = get_arch(cxx, source, executable) arch = get_arch(cxx, source, executable)
if arch == lief.ARCHITECTURES.X86: if arch == lief.ARCHITECTURES.X86:
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,-zexecstack','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']), pass_flags = ['-Wl,-znoexecstack', '-Wl,-zrelro', '-Wl,-z,now', '-pie', '-fPIE', '-Wl,-z,separate-code', '-fcf-protection=full']
(1, executable+': failed PIE NX RELRO CONTROL_FLOW')) self.assertEqual(call_security_check(cxx, source, executable, pass_flags + ['-Wl,-zexecstack']), (1, executable + ': failed NX'))
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,-znoexecstack','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']), self.assertEqual(call_security_check(cxx, source, executable, pass_flags + ['-no-pie','-fno-PIE']), (1, executable + ': failed PIE'))
(1, executable+': failed PIE RELRO CONTROL_FLOW')) self.assertEqual(call_security_check(cxx, source, executable, pass_flags + ['-Wl,-znorelro']), (1, executable + ': failed RELRO'))
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,-znoexecstack','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']), self.assertEqual(call_security_check(cxx, source, executable, pass_flags + ['-Wl,-z,noseparate-code']), (1, executable + ': failed SEPARATE_CODE'))
(1, executable+': failed PIE RELRO CONTROL_FLOW')) self.assertEqual(call_security_check(cxx, source, executable, pass_flags + ['-fcf-protection=none']), (1, executable + ': failed CONTROL_FLOW'))
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,-znoexecstack','-Wl,-znorelro','-pie','-fPIE', '-Wl,-z,separate-code']), self.assertEqual(call_security_check(cxx, source, executable, pass_flags), (0, ''))
(1, executable+': failed RELRO CONTROL_FLOW'))
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,-znoexecstack','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,noseparate-code']),
(1, executable+': failed separate_code CONTROL_FLOW'))
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,-znoexecstack','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,separate-code']),
(1, executable+': failed CONTROL_FLOW'))
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,-znoexecstack','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,separate-code', '-fcf-protection=full']),
(0, ''))
else: else:
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,-zexecstack','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']), pass_flags = ['-Wl,-znoexecstack', '-Wl,-zrelro', '-Wl,-z,now', '-pie', '-fPIE', '-Wl,-z,separate-code']
(1, executable+': failed PIE NX RELRO')) self.assertEqual(call_security_check(cxx, source, executable, pass_flags + ['-Wl,-zexecstack']), (1, executable + ': failed NX'))
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,-znoexecstack','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']), self.assertEqual(call_security_check(cxx, source, executable, pass_flags + ['-no-pie','-fno-PIE']), (1, executable + ': failed PIE'))
(1, executable+': failed PIE RELRO')) self.assertEqual(call_security_check(cxx, source, executable, pass_flags + ['-Wl,-znorelro']), (1, executable + ': failed RELRO'))
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,-znoexecstack','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']), self.assertEqual(call_security_check(cxx, source, executable, pass_flags + ['-Wl,-z,noseparate-code']), (1, executable + ': failed SEPARATE_CODE'))
(1, executable+': failed PIE RELRO')) self.assertEqual(call_security_check(cxx, source, executable, pass_flags), (0, ''))
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,-znoexecstack','-Wl,-znorelro','-pie','-fPIE', '-Wl,-z,separate-code']),
(1, executable+': failed RELRO'))
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,-znoexecstack','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,noseparate-code']),
(1, executable+': failed separate_code'))
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,-znoexecstack','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,separate-code']),
(0, ''))
clean_files(source, executable) clean_files(source, executable)