sikkienl/dash
1
0
Fork 0
mirror of https://github.com/dashpay/dash.git synced 2024-12-26 12:32:48 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity
1e9733f195
dash/contrib/devtools/test-security-check.py

85 lines
4.6 KiB
Python
Raw Normal View History

Merge #12972: Add python3 script shebang lint 2bff472992 [contrib] convert test-security-check to python3 (John Newbery) 958bf40489 add lint tool to check python3 shebang (practicalswift) Pull request description: base58.py can executed by python3 Tree-SHA512: 30511204feefd4ccd5b4bf698fb88e516633e692dc95d31fe957b1c0c4879de25906355b28a5a0522171887315c8464a611e601ff00540db172d5bd463ee13d9
2018-04-16 22:03:08 +02:00
#!/usr/bin/env python3
Merge #8702: [copyright] add MIT License copyright header to remaining Python files 4677b19 [copyright] add MIT License copyright header to remaining Python files (isle2983)
2016-09-19 17:02:23 +02:00
# Copyright (c) 2015-2016 The Bitcoin Core developers
# Distributed under the MIT software license, see the accompanying
# file COPYING or http://www.opensource.org/licenses/mit-license.php.
devtools: Add security-check.py Perform the following ELF security checks: - PIE: Check for position independent executable (PIE), allowing for address space randomization - NX: Check that no sections are writable and executable (including the stack) - RELRO: Check for read-only relocations, binding at startup - Canary: Check for use of stack canary Also add a check to symbol-check.py that checks that only the subset of allowed libraries is imported (to avoid incompatibilities).
2015-10-19 14:53:56 +02:00
'''
Test script for security-check.py
'''
import subprocess
import unittest
def write_testcode(filename):
Merge #13448: Add linter: Make sure we explicitly open all text files using UTF-8 encoding in Python c8176b3cc7556d7bcec39a55ae4d6ba16453baaa Add linter: Make sure we explicitly open all text files using UTF-8 or ASCII encoding in Python (practicalswift) 634bd970013eca90f4b4c1f9044eec8c97ba62c2 Explicitly specify encoding when opening text files in Python code (practicalswift) Pull request description: Add linter: Make sure we explicitly open all text files using UTF-8 encoding in Python. As requested by @laanwj in #13440. Tree-SHA512: 1651c00fe220ceb273324abd6703aee504029b96c7ef0e3029145901762c733c9b9d24927da281394fd4681a5bff774336c04eed01fafea997bb32192c334c06 Signed-off-by: pasta <pasta@dashboost.org> # Conflicts: # contrib/devtools/circular-dependencies.py # contrib/linearize/linearize-data.py # contrib/linearize/linearize-hashes.py # contrib/seeds/generate-seeds.py # contrib/verify-commits/verify-commits.py # test/functional/multiwallet.py # test/functional/notifications.py # test/functional/test_runner.py # test/util/rpcauth-test.py
2018-06-16 15:21:01 +02:00
with open(filename, 'w', encoding="utf8") as f:
devtools: Add security-check.py Perform the following ELF security checks: - PIE: Check for position independent executable (PIE), allowing for address space randomization - NX: Check that no sections are writable and executable (including the stack) - RELRO: Check for read-only relocations, binding at startup - Canary: Check for use of stack canary Also add a check to symbol-check.py that checks that only the subset of allowed libraries is imported (to avoid incompatibilities).
2015-10-19 14:53:56 +02:00
f.write('''
#include <stdio.h>
int main()
{
printf("the quick brown fox jumps over the lazy god\\n");
return 0;
}
''')
def call_security_check(cc, source, executable, options):
subprocess.check_call([cc,source,'-o',executable] + options)
Merge #12972: Add python3 script shebang lint 2bff472992 [contrib] convert test-security-check to python3 (John Newbery) 958bf40489 add lint tool to check python3 shebang (practicalswift) Pull request description: base58.py can executed by python3 Tree-SHA512: 30511204feefd4ccd5b4bf698fb88e516633e692dc95d31fe957b1c0c4879de25906355b28a5a0522171887315c8464a611e601ff00540db172d5bd463ee13d9
2018-04-16 22:03:08 +02:00
p = subprocess.Popen(['./security-check.py',executable], stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE, universal_newlines=True)
devtools: Add security-check.py Perform the following ELF security checks: - PIE: Check for position independent executable (PIE), allowing for address space randomization - NX: Check that no sections are writable and executable (including the stack) - RELRO: Check for read-only relocations, binding at startup - Canary: Check for use of stack canary Also add a check to symbol-check.py that checks that only the subset of allowed libraries is imported (to avoid incompatibilities).
2015-10-19 14:53:56 +02:00
(stdout, stderr) = p.communicate()
return (p.returncode, stdout.rstrip())
class TestSecurityChecks(unittest.TestCase):
def test_ELF(self):
source = 'test1.c'
executable = 'test1'
cc = 'gcc'
write_testcode(source)
Merge #13764: contrib: Fix test-security-check fail in Ubuntu 18.04 1e60713a68296a0ff221befb48b2958fbf019ebf contrib: Fix test-security-check fail in Ubuntu 18.04 (Chun Kuan Lee) Pull request description: - Fix test-security-check fail in Ubuntu 18.04. Those flags are enabled by default, so we must specify `-no` to make the executable does 'not' have those attributes. - Drop HIGH_ENTROPY_VA. After update our gitian system to Bionic, the compiler should support HIGH_ENTROPY_VA Tree-SHA512: 78c1f2aae1253ddd52faa1af569b7151a503a217c7ccbe21b8004d8910c45d8a27ff04695eacbdadd7192d2c91c0d59941ca20c651dd2d5052b9999163a11ae4
2018-07-30 16:01:58 +02:00
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-zexecstack','-fno-stack-protector','-Wl,-znorelro','-no-pie','-fno-PIE']),
devtools: Add security-check.py Perform the following ELF security checks: - PIE: Check for position independent executable (PIE), allowing for address space randomization - NX: Check that no sections are writable and executable (including the stack) - RELRO: Check for read-only relocations, binding at startup - Canary: Check for use of stack canary Also add a check to symbol-check.py that checks that only the subset of allowed libraries is imported (to avoid incompatibilities).
2015-10-19 14:53:56 +02:00
(1, executable+': failed PIE NX RELRO Canary'))
Merge #13764: contrib: Fix test-security-check fail in Ubuntu 18.04 1e60713a68296a0ff221befb48b2958fbf019ebf contrib: Fix test-security-check fail in Ubuntu 18.04 (Chun Kuan Lee) Pull request description: - Fix test-security-check fail in Ubuntu 18.04. Those flags are enabled by default, so we must specify `-no` to make the executable does 'not' have those attributes. - Drop HIGH_ENTROPY_VA. After update our gitian system to Bionic, the compiler should support HIGH_ENTROPY_VA Tree-SHA512: 78c1f2aae1253ddd52faa1af569b7151a503a217c7ccbe21b8004d8910c45d8a27ff04695eacbdadd7192d2c91c0d59941ca20c651dd2d5052b9999163a11ae4
2018-07-30 16:01:58 +02:00
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fno-stack-protector','-Wl,-znorelro','-no-pie','-fno-PIE']),
devtools: Add security-check.py Perform the following ELF security checks: - PIE: Check for position independent executable (PIE), allowing for address space randomization - NX: Check that no sections are writable and executable (including the stack) - RELRO: Check for read-only relocations, binding at startup - Canary: Check for use of stack canary Also add a check to symbol-check.py that checks that only the subset of allowed libraries is imported (to avoid incompatibilities).
2015-10-19 14:53:56 +02:00
(1, executable+': failed PIE RELRO Canary'))
Merge #13764: contrib: Fix test-security-check fail in Ubuntu 18.04 1e60713a68296a0ff221befb48b2958fbf019ebf contrib: Fix test-security-check fail in Ubuntu 18.04 (Chun Kuan Lee) Pull request description: - Fix test-security-check fail in Ubuntu 18.04. Those flags are enabled by default, so we must specify `-no` to make the executable does 'not' have those attributes. - Drop HIGH_ENTROPY_VA. After update our gitian system to Bionic, the compiler should support HIGH_ENTROPY_VA Tree-SHA512: 78c1f2aae1253ddd52faa1af569b7151a503a217c7ccbe21b8004d8910c45d8a27ff04695eacbdadd7192d2c91c0d59941ca20c651dd2d5052b9999163a11ae4
2018-07-30 16:01:58 +02:00
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-znorelro','-no-pie','-fno-PIE']),
devtools: Add security-check.py Perform the following ELF security checks: - PIE: Check for position independent executable (PIE), allowing for address space randomization - NX: Check that no sections are writable and executable (including the stack) - RELRO: Check for read-only relocations, binding at startup - Canary: Check for use of stack canary Also add a check to symbol-check.py that checks that only the subset of allowed libraries is imported (to avoid incompatibilities).
2015-10-19 14:53:56 +02:00
(1, executable+': failed PIE RELRO'))
Merge #13764: contrib: Fix test-security-check fail in Ubuntu 18.04 1e60713a68296a0ff221befb48b2958fbf019ebf contrib: Fix test-security-check fail in Ubuntu 18.04 (Chun Kuan Lee) Pull request description: - Fix test-security-check fail in Ubuntu 18.04. Those flags are enabled by default, so we must specify `-no` to make the executable does 'not' have those attributes. - Drop HIGH_ENTROPY_VA. After update our gitian system to Bionic, the compiler should support HIGH_ENTROPY_VA Tree-SHA512: 78c1f2aae1253ddd52faa1af569b7151a503a217c7ccbe21b8004d8910c45d8a27ff04695eacbdadd7192d2c91c0d59941ca20c651dd2d5052b9999163a11ae4
2018-07-30 16:01:58 +02:00
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-znorelro','-pie','-fPIE']),
devtools: Add security-check.py Perform the following ELF security checks: - PIE: Check for position independent executable (PIE), allowing for address space randomization - NX: Check that no sections are writable and executable (including the stack) - RELRO: Check for read-only relocations, binding at startup - Canary: Check for use of stack canary Also add a check to symbol-check.py that checks that only the subset of allowed libraries is imported (to avoid incompatibilities).
2015-10-19 14:53:56 +02:00
(1, executable+': failed RELRO'))
Merge #13764: contrib: Fix test-security-check fail in Ubuntu 18.04 1e60713a68296a0ff221befb48b2958fbf019ebf contrib: Fix test-security-check fail in Ubuntu 18.04 (Chun Kuan Lee) Pull request description: - Fix test-security-check fail in Ubuntu 18.04. Those flags are enabled by default, so we must specify `-no` to make the executable does 'not' have those attributes. - Drop HIGH_ENTROPY_VA. After update our gitian system to Bionic, the compiler should support HIGH_ENTROPY_VA Tree-SHA512: 78c1f2aae1253ddd52faa1af569b7151a503a217c7ccbe21b8004d8910c45d8a27ff04695eacbdadd7192d2c91c0d59941ca20c651dd2d5052b9999163a11ae4
2018-07-30 16:01:58 +02:00
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE']),
devtools: Add security-check.py Perform the following ELF security checks: - PIE: Check for position independent executable (PIE), allowing for address space randomization - NX: Check that no sections are writable and executable (including the stack) - RELRO: Check for read-only relocations, binding at startup - Canary: Check for use of stack canary Also add a check to symbol-check.py that checks that only the subset of allowed libraries is imported (to avoid incompatibilities).
2015-10-19 14:53:56 +02:00
(0, ''))
Merge #18415: scripts: add MACHO tests to test-security-check.py 7142d50ac33e0ad7d24e49e04c1fc7e3e769ed46 scripts: rename test_64bit_PE to test_PE (fanquake) edaca2dd123cef958699c07ab248cf0ffc71af07 scripts: add MACHO NX check to security-check.py (fanquake) 1a4e9f32efcc5f6a74290446dc58784fd85c7b31 scripts: add MACHO tests to test-security-check.py (fanquake) Pull request description: Adds tests for the MACHO checks in security-check.py: https://github.com/bitcoin/bitcoin/blob/ac579ada7e83a1b8100d611412f9ede885a4e522/contrib/devtools/security-check.py#L212-L214 I'm planning on following up with more checks in security-check.py, and corresponding tests in test-security-check.py. Note that you'll probably have to be on macOS to run them. You can run just this suite with `python3 test-security-check.py TestSecurityChecks.test_MACHO`. ACKs for top commit: laanwj: ACK 7142d50ac33e0ad7d24e49e04c1fc7e3e769ed46 Tree-SHA512: ace3ca9f6df5d4fedd5988938fb7dc7563ec7dc587aa275f780b5f51e9b8d7d6f7768e0a1e05ce438510a07b8640aba92c76847b30c2990f46c66b78a0acf960
2020-03-28 11:48:19 +01:00
def test_PE(self):
Merge #13094: tests: Add test for 64-bit Windows PE, modify 32-bit test results ab3f4dd tests: Add test for 64-bit PE, modify 32-bit test results (Chun Kuan Lee) Pull request description: 9a75d29b6f0d6c4834e451b0fae2200786655a35 change the error result from `PIE` to `DYNAMIC_BASE`. And there are no test for 64-bit, so I made one Tree-SHA512: 9d5643dadf4d9fc34ea32d94655bfb98eec2f7bc2820b4b0f525d5acf1cd22f3acf38bf8904dda4f50fd9ca5a5e56d566a392e6f804eea6e50e03cba40048621
2018-05-07 15:14:33 +02:00
source = 'test1.c'
executable = 'test1.exe'
cc = 'x86_64-w64-mingw32-gcc'
write_testcode(source)
Merge #18629: scripts: add PE .reloc section check to security-check.py 3e38023af724a76972d39cbccfb0bba4c54a0323 scripts: add PE .reloc section check to security-check.py (fanquake) Pull request description: The `ld` in binutils has historically had a few issues with PE binaries, there's a good summary in this [thread](https://sourceware.org/bugzilla/show_bug.cgi?id=19011). One issue in particular was `ld` stripping the `.reloc` section out of PE binaries, even though it's required for functioning ASLR. This was [reported by a Tor developer in 2014](https://sourceware.org/bugzilla/show_bug.cgi?id=17321) and they have been patching their [own binutils](https://gitweb.torproject.org/builders/tor-browser-build.git/tree/projects/binutils) ever since. However their patch only made it into binutils at the [start of this year](https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commit;h=dc9bd8c92af67947db44b3cb428c050259b15cd0). It adds an `--enable-reloc-section` flag, which is turned on by default if you are using `--dynamic-base`. In the mean time this issue has also been worked around by other projects, such as FFmpeg, see [this commit](https://github.com/TheRyuu/FFmpeg/commit/91b668acd6decec0a6f8d20bf56e2644f96adcb9). I have checked our recent supported Windows release binaries, and they do contain a `.reloc` section. From what I understand, we are using all the right compile/linker flags, including `-pie` & `-fPIE`, and have never run into the crashing/entrypoint issues that other projects might have seen. One other thing worth noting here, it how Debian/Ubuntu patch the binutils that they distribute, because that's what we end up using in our gitian builds. In the binutils-mingw-w64 in Bionic (18.04), which we currently use in gitian, PE hardening options/security flags are enabled by default. See the [changelog](https://changelogs.ubuntu.com/changelogs/pool/universe/b/binutils-mingw-w64/binutils-mingw-w64_8ubuntu1/changelog) and the [relevant commit](https://salsa.debian.org/mingw-w64-team/binutils-mingw-w64/-/commit/452b3013b8280cbe35eaeb166a43621b88d5f8b7). However in Focal (20.04), this has now been reversed. PE hardening options are no-longer the default. See the [changelog](https://changelogs.ubuntu.com/changelogs/pool/universe/b/binutils-mingw-w64/binutils-mingw-w64_8.8/changelog) and [relevant commit](https://salsa.debian.org/mingw-w64-team/binutils-mingw-w64/-/commit/7bd8b2fbc242a8c2fc2217f29fd61f94d3babf6f), which cites same .reloc issue mentioned here. Given that we explicitly specify/opt-in to everything that we want to use, the defaults aren't necessarily an issue for us. However I think it highlights the importance of continuing to be explicit about what we want, and not falling-back or relying on upstream. This was also prompted by the possibility of us doing link time garbage collection, see #18579 & #18605. It seemed some sanity checks would be worthwhile in-case the linker goes haywire while garbage collecting. I think Guix is going to bring great benefits when dealing with these kinds of issues. Carl you might have something to say in that regard. ACKs for top commit: dongcarl: ACK 3e38023af724a76972d39cbccfb0bba4c54a0323 Tree-SHA512: af14d63bdb334bde548dd7de3e0946556b7e2598d817b56eb4e75b3f56c705c26aa85dd9783134c4b6a7aeb7cb4de567eed996e94d533d31511f57ed332287da
2020-04-28 07:08:19 +02:00
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--no-nxcompat','-Wl,--no-dynamicbase','-Wl,--no-high-entropy-va','-no-pie','-fno-PIE']),
(1, executable+': failed DYNAMIC_BASE HIGH_ENTROPY_VA NX RELOC_SECTION'))
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--no-dynamicbase','-Wl,--no-high-entropy-va','-no-pie','-fno-PIE']),
(1, executable+': failed DYNAMIC_BASE HIGH_ENTROPY_VA RELOC_SECTION'))
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--dynamicbase','-Wl,--no-high-entropy-va','-no-pie','-fno-PIE']),
(1, executable+': failed HIGH_ENTROPY_VA RELOC_SECTION'))
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--dynamicbase','-Wl,--high-entropy-va','-no-pie','-fno-PIE']),
(1, executable+': failed RELOC_SECTION'))
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--dynamicbase','-Wl,--high-entropy-va','-pie','-fPIE']),
Merge #18415: scripts: add MACHO tests to test-security-check.py 7142d50ac33e0ad7d24e49e04c1fc7e3e769ed46 scripts: rename test_64bit_PE to test_PE (fanquake) edaca2dd123cef958699c07ab248cf0ffc71af07 scripts: add MACHO NX check to security-check.py (fanquake) 1a4e9f32efcc5f6a74290446dc58784fd85c7b31 scripts: add MACHO tests to test-security-check.py (fanquake) Pull request description: Adds tests for the MACHO checks in security-check.py: https://github.com/bitcoin/bitcoin/blob/ac579ada7e83a1b8100d611412f9ede885a4e522/contrib/devtools/security-check.py#L212-L214 I'm planning on following up with more checks in security-check.py, and corresponding tests in test-security-check.py. Note that you'll probably have to be on macOS to run them. You can run just this suite with `python3 test-security-check.py TestSecurityChecks.test_MACHO`. ACKs for top commit: laanwj: ACK 7142d50ac33e0ad7d24e49e04c1fc7e3e769ed46 Tree-SHA512: ace3ca9f6df5d4fedd5988938fb7dc7563ec7dc587aa275f780b5f51e9b8d7d6f7768e0a1e05ce438510a07b8640aba92c76847b30c2990f46c66b78a0acf960
2020-03-28 11:48:19 +01:00
(0, ''))
def test_MACHO(self):
source = 'test1.c'
executable = 'test1'
cc = 'clang'
write_testcode(source)
Merge #18713: scripts: Add MACHO stack canary check to security-check.py 8334ee31f868f0f9baf0920d14d20174ed889dbe scripts: add MACHO LAZY_BINDINGS test to test-security-check.py (fanquake) 7b99c7454cdb74cd9cd7a5eedc2fb9d0a19df456 scripts: add MACHO Canary check to security-check.py (fanquake) Pull request description: 7b99c7454cdb74cd9cd7a5eedc2fb9d0a19df456 uses `otool -Iv` to check for `___stack_chk_fail` in the macOS binaries. Similar to the [ELF check](https://github.com/bitcoin/bitcoin/blob/master/contrib/devtools/security-check.py#L105). Note that looking for a triple underscore prefixed function (as opposed to two for ELF) is correct for the macOS binaries. i.e: ```bash otool -Iv bitcoind | grep chk 0x00000001006715b8 509 ___memcpy_chk 0x00000001006715be 510 ___snprintf_chk 0x00000001006715c4 511 ___sprintf_chk 0x00000001006715ca 512 ___stack_chk_fail 0x00000001006715d6 517 ___vsnprintf_chk 0x0000000100787898 513 ___stack_chk_guard ``` 8334ee31f868f0f9baf0920d14d20174ed889dbe is a follow up to #18295 and adds test cases to `test-security-check.py` that for some reason I didn't add at the time. I'll sort out #18434 so that we can run these tests in the CI. ACKs for top commit: practicalswift: ACK 8334ee31f868f0f9baf0920d14d20174ed889dbe: Mitigations are important. Important things are worth asserting :) jonasschnelli: utACK 8334ee31f868f0f9baf0920d14d20174ed889dbe. Tree-SHA512: 1aa5ded34bbd187eddb112b27278deb328bfc21ac82316b20fab6ad894f223b239a76b53dab0ac1770d194c1760fcc40d4da91ec09959ba4fc8eadedb173936a
2020-04-22 10:19:51 +02:00
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fno-stack-protector']),
(1, executable+': failed PIE NOUNDEFS NX LAZY_BINDINGS Canary'))
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fstack-protector-all']),
(1, executable+': failed PIE NOUNDEFS NX LAZY_BINDINGS'))
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-fstack-protector-all']),
(1, executable+': failed PIE NOUNDEFS LAZY_BINDINGS'))
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-fstack-protector-all']),
(1, executable+': failed PIE LAZY_BINDINGS'))
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-bind_at_load','-fstack-protector-all']),
Merge #18415: scripts: add MACHO tests to test-security-check.py 7142d50ac33e0ad7d24e49e04c1fc7e3e769ed46 scripts: rename test_64bit_PE to test_PE (fanquake) edaca2dd123cef958699c07ab248cf0ffc71af07 scripts: add MACHO NX check to security-check.py (fanquake) 1a4e9f32efcc5f6a74290446dc58784fd85c7b31 scripts: add MACHO tests to test-security-check.py (fanquake) Pull request description: Adds tests for the MACHO checks in security-check.py: https://github.com/bitcoin/bitcoin/blob/ac579ada7e83a1b8100d611412f9ede885a4e522/contrib/devtools/security-check.py#L212-L214 I'm planning on following up with more checks in security-check.py, and corresponding tests in test-security-check.py. Note that you'll probably have to be on macOS to run them. You can run just this suite with `python3 test-security-check.py TestSecurityChecks.test_MACHO`. ACKs for top commit: laanwj: ACK 7142d50ac33e0ad7d24e49e04c1fc7e3e769ed46 Tree-SHA512: ace3ca9f6df5d4fedd5988938fb7dc7563ec7dc587aa275f780b5f51e9b8d7d6f7768e0a1e05ce438510a07b8640aba92c76847b30c2990f46c66b78a0acf960
2020-03-28 11:48:19 +01:00
(1, executable+': failed PIE'))
Merge #18713: scripts: Add MACHO stack canary check to security-check.py 8334ee31f868f0f9baf0920d14d20174ed889dbe scripts: add MACHO LAZY_BINDINGS test to test-security-check.py (fanquake) 7b99c7454cdb74cd9cd7a5eedc2fb9d0a19df456 scripts: add MACHO Canary check to security-check.py (fanquake) Pull request description: 7b99c7454cdb74cd9cd7a5eedc2fb9d0a19df456 uses `otool -Iv` to check for `___stack_chk_fail` in the macOS binaries. Similar to the [ELF check](https://github.com/bitcoin/bitcoin/blob/master/contrib/devtools/security-check.py#L105). Note that looking for a triple underscore prefixed function (as opposed to two for ELF) is correct for the macOS binaries. i.e: ```bash otool -Iv bitcoind | grep chk 0x00000001006715b8 509 ___memcpy_chk 0x00000001006715be 510 ___snprintf_chk 0x00000001006715c4 511 ___sprintf_chk 0x00000001006715ca 512 ___stack_chk_fail 0x00000001006715d6 517 ___vsnprintf_chk 0x0000000100787898 513 ___stack_chk_guard ``` 8334ee31f868f0f9baf0920d14d20174ed889dbe is a follow up to #18295 and adds test cases to `test-security-check.py` that for some reason I didn't add at the time. I'll sort out #18434 so that we can run these tests in the CI. ACKs for top commit: practicalswift: ACK 8334ee31f868f0f9baf0920d14d20174ed889dbe: Mitigations are important. Important things are worth asserting :) jonasschnelli: utACK 8334ee31f868f0f9baf0920d14d20174ed889dbe. Tree-SHA512: 1aa5ded34bbd187eddb112b27278deb328bfc21ac82316b20fab6ad894f223b239a76b53dab0ac1770d194c1760fcc40d4da91ec09959ba4fc8eadedb173936a
2020-04-22 10:19:51 +02:00
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-pie','-Wl,-bind_at_load','-fstack-protector-all']),
Merge #18415: scripts: add MACHO tests to test-security-check.py 7142d50ac33e0ad7d24e49e04c1fc7e3e769ed46 scripts: rename test_64bit_PE to test_PE (fanquake) edaca2dd123cef958699c07ab248cf0ffc71af07 scripts: add MACHO NX check to security-check.py (fanquake) 1a4e9f32efcc5f6a74290446dc58784fd85c7b31 scripts: add MACHO tests to test-security-check.py (fanquake) Pull request description: Adds tests for the MACHO checks in security-check.py: https://github.com/bitcoin/bitcoin/blob/ac579ada7e83a1b8100d611412f9ede885a4e522/contrib/devtools/security-check.py#L212-L214 I'm planning on following up with more checks in security-check.py, and corresponding tests in test-security-check.py. Note that you'll probably have to be on macOS to run them. You can run just this suite with `python3 test-security-check.py TestSecurityChecks.test_MACHO`. ACKs for top commit: laanwj: ACK 7142d50ac33e0ad7d24e49e04c1fc7e3e769ed46 Tree-SHA512: ace3ca9f6df5d4fedd5988938fb7dc7563ec7dc587aa275f780b5f51e9b8d7d6f7768e0a1e05ce438510a07b8640aba92c76847b30c2990f46c66b78a0acf960
2020-03-28 11:48:19 +01:00
(0, ''))
devtools: Add security-check.py Perform the following ELF security checks: - PIE: Check for position independent executable (PIE), allowing for address space randomization - NX: Check that no sections are writable and executable (including the stack) - RELRO: Check for read-only relocations, binding at startup - Canary: Check for use of stack canary Also add a check to symbol-check.py that checks that only the subset of allowed libraries is imported (to avoid incompatibilities).
2015-10-19 14:53:56 +02:00
if __name__ == '__main__':
unittest.main()
Reference in New Issue Copy Permalink