mirror of
https://github.com/dashpay/dash.git
synced 2024-12-25 12:02:48 +01:00
Merge #17787: scripts: add MACHO PIE check to security-check.py
7c9e821c4e6cb186208ead9c8df616d1f393a49a scripts: add MACHO NOUNDEFS check to security-check.py (fanquake) 4ca92dc6d3f3e487d63286d8871d1829b3d279ff scripts: add MACHO PIE check to security-check.py (fanquake) Pull request description: This uses `otool -vh` to print the mach header and look for the `PIE` flag: ```bash otool -vh src/bitcoind Mach header magic cputype cpusubtype caps filetype ncmds sizeofcmds flags MH_MAGIC_64 X86_64 ALL LIB64 EXECUTE 24 2544 NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE ``` From [`mach-o/loader.h`](https://opensource.apple.com/source/cctools/cctools-927.0.2/include/mach-o/loader.h.auto.html): ```c #define MH_PIE 0x200000 /* When this bit is set, the OS will load the main executable at a random address. Only used in MH_EXECUTE filetypes. */ ``` ACKs for top commit: laanwj: code review ACK 7c9e821c4e6cb186208ead9c8df616d1f393a49a Tree-SHA512: 5ba2f60440d0e31c70371a355c91ca4f723d80f7287d04e2098bf5b11892cc74216ff8f1454603c4db9675d4f7983614843b992b8dcfca0309aadf2aa7ab2e4b
This commit is contained in:
parent
f7ac575861
commit
a25ee06cc1
@ -159,7 +159,7 @@ repository (requires pngcrush).
|
||||
security-check.py and test-security-check.py
|
||||
============================================
|
||||
|
||||
Perform basic ELF security checks on a series of executables.
|
||||
Perform basic security checks on a series of executables.
|
||||
|
||||
symbol-check.py
|
||||
===============
|
||||
|
@ -3,10 +3,10 @@
|
||||
# Distributed under the MIT software license, see the accompanying
|
||||
# file COPYING or http://www.opensource.org/licenses/mit-license.php.
|
||||
'''
|
||||
Perform basic ELF security checks on a series of executables.
|
||||
Perform basic security checks on a series of executables.
|
||||
Exit status will be 0 if successful, and the program will be silent.
|
||||
Otherwise the exit status will be 1 and it will log which executables failed which checks.
|
||||
Needs `readelf` (for ELF) and `objdump` (for PE).
|
||||
Needs `readelf` (for ELF), `objdump` (for PE) and `otool` (for MACHO).
|
||||
'''
|
||||
import subprocess
|
||||
import sys
|
||||
@ -14,6 +14,7 @@ import os
|
||||
|
||||
READELF_CMD = os.getenv('READELF', '/usr/bin/readelf')
|
||||
OBJDUMP_CMD = os.getenv('OBJDUMP', '/usr/bin/objdump')
|
||||
OTOOL_CMD = os.getenv('OTOOL', '/usr/bin/otool')
|
||||
NONFATAL = {} # checks which are non-fatal for now but only generate a warning
|
||||
|
||||
def check_ELF_PIE(executable):
|
||||
@ -162,6 +163,40 @@ def check_PE_NX(executable):
|
||||
(arch,bits) = get_PE_dll_characteristics(executable)
|
||||
return (bits & IMAGE_DLL_CHARACTERISTICS_NX_COMPAT) == IMAGE_DLL_CHARACTERISTICS_NX_COMPAT
|
||||
|
||||
def get_MACHO_executable_flags(executable):
|
||||
p = subprocess.Popen([OTOOL_CMD, '-vh', executable], stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE, universal_newlines=True)
|
||||
(stdout, stderr) = p.communicate()
|
||||
if p.returncode:
|
||||
raise IOError('Error opening file')
|
||||
|
||||
flags = []
|
||||
for line in stdout.splitlines():
|
||||
tokens = line.split()
|
||||
# filter first two header lines
|
||||
if 'magic' in tokens or 'Mach' in tokens:
|
||||
continue
|
||||
# filter ncmds and sizeofcmds values
|
||||
flags += [t for t in tokens if not t.isdigit()]
|
||||
return flags
|
||||
|
||||
def check_MACHO_PIE(executable) -> bool:
|
||||
'''
|
||||
Check for position independent executable (PIE), allowing for address space randomization.
|
||||
'''
|
||||
flags = get_MACHO_executable_flags(executable)
|
||||
if 'PIE' in flags:
|
||||
return True
|
||||
return False
|
||||
|
||||
def check_MACHO_NOUNDEFS(executable) -> bool:
|
||||
'''
|
||||
Check for no undefined references.
|
||||
'''
|
||||
flags = get_MACHO_executable_flags(executable)
|
||||
if 'NOUNDEFS' in flags:
|
||||
return True
|
||||
return False
|
||||
|
||||
CHECKS = {
|
||||
'ELF': [
|
||||
('PIE', check_ELF_PIE),
|
||||
@ -173,6 +208,10 @@ CHECKS = {
|
||||
('DYNAMIC_BASE', check_PE_DYNAMIC_BASE),
|
||||
('HIGH_ENTROPY_VA', check_PE_HIGH_ENTROPY_VA),
|
||||
('NX', check_PE_NX)
|
||||
],
|
||||
'MACHO': [
|
||||
('PIE', check_MACHO_PIE),
|
||||
('NOUNDEFS', check_MACHO_NOUNDEFS),
|
||||
]
|
||||
}
|
||||
|
||||
@ -183,6 +222,8 @@ def identify_executable(executable):
|
||||
return 'PE'
|
||||
elif magic.startswith(b'\x7fELF'):
|
||||
return 'ELF'
|
||||
elif magic.startswith(b'\xcf\xfa'):
|
||||
return 'MACHO'
|
||||
return None
|
||||
|
||||
if __name__ == '__main__':
|
||||
|
@ -145,6 +145,7 @@ script: |
|
||||
CONFIG_SITE=${BASEPREFIX}/${i}/share/config.site ./configure --prefix=/ --disable-maintainer-mode --disable-dependency-tracking ${CONFIGFLAGS}
|
||||
make ${MAKEOPTS}
|
||||
make -C src osx_debug
|
||||
make ${MAKEOPTS} -C src check-security
|
||||
make install-strip DESTDIR=${INSTALLPATH}
|
||||
|
||||
make osx_volname
|
||||
|
@ -911,7 +911,7 @@ endif
|
||||
check-security: $(bin_PROGRAMS)
|
||||
if HARDEN
|
||||
@echo "Checking binary security..."
|
||||
$(AM_V_at) READELF=$(READELF) OBJDUMP=$(OBJDUMP) $(PYTHON) $(top_srcdir)/contrib/devtools/security-check.py < $(bin_PROGRAMS)
|
||||
$(AM_V_at) READELF=$(READELF) OBJDUMP=$(OBJDUMP) OTOOL=$(OTOOL) $(PYTHON) $(top_srcdir)/contrib/devtools/security-check.py < $(bin_PROGRAMS)
|
||||
endif
|
||||
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user