devtools: Add security-check.py #6854
Conversation
|
Nice. Concept ACK. ASLR/PIE check on OSX can be done with |
laanwj
force-pushed
the
2015_10_security_checks
branch
from
fbf6aac to
210996d
Compare
|
Nice! So testing this would be: |
|
How to check security for Windows ? |
|
@gavinandresen Right, to speed up testing you could use any C file: cat > test1.c << EOF
#include <stdio.h>
int main()
{
printf("the quick brown fox jumps over the lazy god\n");
return 0;
}
EOF
gcc test1.c -o test1 -Wl,-zexecstack;
contrib/devtools/security-check.py test1; echo $?
gcc test1.c -o test1
contrib/devtools/security-check.py test1; echo $?
gcc test1.c -o test1 -fstack-protector-all
contrib/devtools/security-check.py test1; echo $?
gcc test1.c -o test1 -fstack-protector-all -pie -fPIE
contrib/devtools/security-check.py test1; echo $?
gcc test1.c -o test1 -fstack-protector-all -pie -fPIE -Wl,-zrelro -Wl,-z,now
contrib/devtools/security-check.py test1; echo $?Output: @LongShao007 yes, how? ( |
|
On windows: NX: DllCharacteristics bit 0x100 signifies PIE: DllCharacteristics bit 0x40 signifies Not sure whether there is a RELRO equivalent, Canary is there but difficult to check from the outside as the mingw library is linked statically. Edit: Ok, added the windows checks above for PE executables, and converted the above test to a test script |
laanwj
force-pushed
the
2015_10_security_checks
branch
2 times, most recently
from
5b8cf73 to
4bad3e3
Compare
|
@theuni paths to tools like READELF, OBJDUMP can now be overridden |
contrib/devtools/security-check.py
Outdated
laanwj
force-pushed
the
2015_10_security_checks
branch
from
a0dd4e0 to
5f78ded
Compare
|
concept ACK |
contrib/devtools/security-check.py
Outdated
There was a problem hiding this comment.
Interestingly on my machine, whether or not this shows up as R or RW seems to depend on the linker. I'm afraid I don't know enough to determine if having this section writable is a security implication.
$ g++ ... -o bitcoin-cli -fuse-ld=bfd
$ readelf -l -W bitcoin-cli | grep RELRO
GNU_RELRO 0x243e20 0x0000000000443e20 0x0000000000443e20 0x0201e0 0x0201e0 R 0x1$ g++ ... -o bitcoin-cli -fuse-ld=gold
$ readelf -l -W bitcoin-cli | grep RELRO
GNU_RELRO 0x244e20 0x0000000000245e20 0x0000000000245e20 0x0201e0 0x0201e0 RW 0x20There was a problem hiding this comment.
One important point of RELRO in combination with BIND_NOW is that the area can be read-only, as that part contains function pointers. Common heap overflow exploits allow overwriting a word, these frequently invoked function pointers make good targets.
LOAD 0x000000 0x0000000000400000 0x0000000000400000 0x0007d4 0x0007d4 R E 0x200000
02 .interp .note.ABI-tag .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame
LOAD 0x000db8 0x0000000000600db8 0x0000000000600db8 0x000258 0x000260 RW 0x200000
03 .init_array .fini_array .jcr .dynamic .got .data .bss
...
GNU_RELRO 0x000db8 0x0000000000600db8 0x0000000000600db8 0x000248 0x000248 R 0x1
08 .init_array .fini_array .jcr .dynamic .got
However, all the sections are part of the second LOAD section which are what actually maps memory and determine the permissions, and those are RW, also with my linker. I don't think the flags on GNU_RELRO have any influence.
It looks like the executable itself takes care of mprotecting this area at start (glibc _dl_protect_relro):
mprotect(0x600000, 4096, PROT_READ) = 0
I experimentally verified that the section is unwritable during runtime, both when linked with bfd and with gold.
This all makes sense, as the dynamic linker does need to write to it to set the pointers in the first place...
There was a problem hiding this comment.
See also this thread: http://permalink.gmane.org/gmane.comp.gnu.binutils/71347
Will remove the check - although I agree with Alan that having it as 'R' is clearer, as that is the eventual intention.
|
Looks good other than the comment above. Something to note: As discussed on IRC, this should also be hooked up to a make target for easier testing w/ travis and gitian. That can be done as a next step. |
Perform the following ELF security checks: - PIE: Check for position independent executable (PIE), allowing for address space randomization - NX: Check that no sections are writable and executable (including the stack) - RELRO: Check for read-only relocations, binding at startup - Canary: Check for use of stack canary Also add a check to symbol-check.py that checks that only the subset of allowed libraries is imported (to avoid incompatibilities).
laanwj
force-pushed
the
2015_10_security_checks
branch
from
5f78ded to
579b863
Compare
579b863 devtools: Add security-check.py (Wladimir J. van der Laan)
Add a check to symbol-check.py that checks that only the subset of allowed libraries is imported (to avoid incompatibilities). See 56734f4 for the earlier changes.
Upstream gitian updates This PR pulls in all gitian-related PRs that have been merged upstream since 0.11.2. The only ones I left out were documentation-only PRs, because we removed `doc/gitian-building.md` at some point. Here are the commits applied here, in the order shown in `git log` (ie. last to first): - bitcoin/bitcoin#7283 - fa42a67 - fa58c76 - bitcoin/bitcoin#8175 - 74c1347 - bitcoin/bitcoin#8167 - 7e7eb27 - ad38204 - b676f38 - bitcoin/bitcoin#7776 - f063863 - bitcoin/bitcoin#7424 - a81c87f ~ we already partly applied - a8ce872 - f3d3eaf ~ we already partly applied - 475813b - ~~cd27bf5~~ X we already applied - bitcoin/bitcoin#7060 - 3b468a0 ~ we removed doc/gitian-building.md - ~~99fda26~~ X we removed doc/gitian-building.md - bitcoin/bitcoin#7251 - fa09562 - bitcoin/bitcoin#6900 - ~~2cecb24~~ X we removed doc/gitian-building.md - 957c0fd - 2e31d74 - ~~0b416c6~~ X we removed QT - 9f251b7 - bitcoin/bitcoin#6854 - 579b863 ~ we already partly applied Part of #540
7 participants
Performs the following ELF security checks:
Also add a check to symbol-check.py that checks that only the subset of allowed libraries is imported (to avoid incompatibilities).
This needs to be integrated into Travis, or at least the gitian build so that we won't do releases that don't pass these checks. We also need similar checks for OSX and Windows at some point.