mirror of
https://github.com/dashpay/dash.git
synced 2024-12-25 12:02:48 +01:00
merge bitcoin#21889: check for control flow instrumentation
This commit is contained in:
parent
853583019b
commit
cdedbea0b4
@ -188,6 +188,19 @@ def check_NX(executable) -> bool:
|
|||||||
binary = lief.parse(executable)
|
binary = lief.parse(executable)
|
||||||
return binary.has_nx
|
return binary.has_nx
|
||||||
|
|
||||||
|
def check_control_flow(executable) -> bool:
|
||||||
|
'''
|
||||||
|
Check for control flow instrumentation
|
||||||
|
'''
|
||||||
|
binary = lief.parse(executable)
|
||||||
|
|
||||||
|
content = binary.get_content_from_virtual_address(binary.entrypoint, 4, lief.Binary.VA_TYPES.AUTO)
|
||||||
|
|
||||||
|
if content == [243, 15, 30, 250]: # endbr64
|
||||||
|
return True
|
||||||
|
return False
|
||||||
|
|
||||||
|
|
||||||
CHECKS = {
|
CHECKS = {
|
||||||
'ELF': [
|
'ELF': [
|
||||||
('PIE', check_ELF_PIE),
|
('PIE', check_ELF_PIE),
|
||||||
@ -208,7 +221,8 @@ CHECKS = {
|
|||||||
('NOUNDEFS', check_MACHO_NOUNDEFS),
|
('NOUNDEFS', check_MACHO_NOUNDEFS),
|
||||||
('NX', check_NX),
|
('NX', check_NX),
|
||||||
('LAZY_BINDINGS', check_MACHO_LAZY_BINDINGS),
|
('LAZY_BINDINGS', check_MACHO_LAZY_BINDINGS),
|
||||||
('Canary', check_MACHO_Canary)
|
('Canary', check_MACHO_Canary),
|
||||||
|
('CONTROL_FLOW', check_control_flow),
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -81,16 +81,18 @@ class TestSecurityChecks(unittest.TestCase):
|
|||||||
write_testcode(source)
|
write_testcode(source)
|
||||||
|
|
||||||
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fno-stack-protector']),
|
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fno-stack-protector']),
|
||||||
(1, executable+': failed PIE NOUNDEFS NX LAZY_BINDINGS Canary'))
|
(1, executable+': failed PIE NOUNDEFS NX LAZY_BINDINGS Canary CONTROL_FLOW'))
|
||||||
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fstack-protector-all']),
|
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fstack-protector-all']),
|
||||||
(1, executable+': failed PIE NOUNDEFS NX LAZY_BINDINGS'))
|
(1, executable+': failed PIE NOUNDEFS NX LAZY_BINDINGS CONTROL_FLOW'))
|
||||||
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-fstack-protector-all']),
|
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-fstack-protector-all']),
|
||||||
(1, executable+': failed PIE NOUNDEFS LAZY_BINDINGS'))
|
(1, executable+': failed PIE NOUNDEFS LAZY_BINDINGS CONTROL_FLOW'))
|
||||||
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-fstack-protector-all']),
|
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-fstack-protector-all']),
|
||||||
(1, executable+': failed PIE LAZY_BINDINGS'))
|
(1, executable+': failed PIE LAZY_BINDINGS CONTROL_FLOW'))
|
||||||
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-bind_at_load','-fstack-protector-all']),
|
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-bind_at_load','-fstack-protector-all']),
|
||||||
|
(1, executable+': failed PIE CONTROL_FLOW'))
|
||||||
|
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-bind_at_load','-fstack-protector-all', '-fcf-protection=full']),
|
||||||
(1, executable+': failed PIE'))
|
(1, executable+': failed PIE'))
|
||||||
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-pie','-Wl,-bind_at_load','-fstack-protector-all']),
|
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-pie','-Wl,-bind_at_load','-fstack-protector-all', '-fcf-protection=full']),
|
||||||
(0, ''))
|
(0, ''))
|
||||||
|
|
||||||
clean_files(source, executable)
|
clean_files(source, executable)
|
||||||
|
@ -30,6 +30,7 @@ $(package)_config_libraries=filesystem,thread,test
|
|||||||
$(package)_cxxflags=-std=c++17 -fvisibility=hidden
|
$(package)_cxxflags=-std=c++17 -fvisibility=hidden
|
||||||
$(package)_cxxflags_linux=-fPIC
|
$(package)_cxxflags_linux=-fPIC
|
||||||
$(package)_cxxflags_android=-fPIC
|
$(package)_cxxflags_android=-fPIC
|
||||||
|
$(package)_cxxflags_darwin=-fcf-protection=full
|
||||||
endef
|
endef
|
||||||
|
|
||||||
# Fix unused variable in boost_process, can be removed after upgrading to 1.72
|
# Fix unused variable in boost_process, can be removed after upgrading to 1.72
|
||||||
|
Loading…
Reference in New Issue
Block a user