Commit Graph

22 Commits

Author SHA1 Message Date
Kittywhiskers Van Gogh
66e1541808 merge bitcoin#21851: support cross-compiling for arm64-apple-darwin 2023-06-29 12:31:03 -05:00
Kittywhiskers Van Gogh
1158ebb2e6 merge bitcoin#23778: Guix 1.4.0 & GCC 10.3 2023-06-18 11:47:54 -05:00
Kittywhiskers Van Gogh
e39a1de731 merge bitcoin#23839: build with and test for control flow instrumentation on x86_64 2023-06-07 14:42:02 +05:30
Kittywhiskers Van Gogh
1e9278ea11 merge bitcoin#23535: check for control flow instrumentation 2023-06-07 14:42:02 +05:30
Kittywhiskers Van Gogh
110dbf82e8 merge bitcoin#22392: use LIEF for ELF security & symbol checks 2023-06-07 14:42:02 +05:30
Kittywhiskers Van Gogh
cdedbea0b4 merge bitcoin#21889: check for control flow instrumentation 2023-06-07 14:42:02 +05:30
Kittywhiskers Van Gogh
24a6642b6f partial bitcoin#22381: Test security-check sanity before performing them (with macOS)
excludes:
- d6ef3543ae16847d5a91fa9271acee9bd2164b32
2023-06-07 14:42:02 +05:30
Kittywhiskers Van Gogh
d4a8d49e56 merge bitcoin#21428: Cleanup in test-{security,symbol}-check.py 2023-06-07 14:42:02 +05:30
Kittywhiskers Van Gogh
994fb5739c merge bitcoin#18434: add a test-security target and run it in CI 2023-06-07 14:40:37 +05:30
Kittywhiskers Van Gogh
ef69317b59 merge bitcoin#19525: add -Wl,-z,separate-code to hardening flags 2023-01-18 19:02:39 -06:00
fanquake
f7a94b58d4
Merge #18629: scripts: add PE .reloc section check to security-check.py
3e38023af724a76972d39cbccfb0bba4c54a0323 scripts: add PE .reloc section check to security-check.py (fanquake)

Pull request description:

  The `ld` in binutils has historically had a few issues with PE binaries, there's a good summary in this [thread](https://sourceware.org/bugzilla/show_bug.cgi?id=19011).

  One issue in particular was `ld` stripping the `.reloc` section out of PE binaries, even though it's required for functioning ASLR. This was [reported by a Tor developer in 2014](https://sourceware.org/bugzilla/show_bug.cgi?id=17321) and they have been patching their [own binutils](https://gitweb.torproject.org/builders/tor-browser-build.git/tree/projects/binutils) ever since. However their patch only made it into binutils at the [start of this year](https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commit;h=dc9bd8c92af67947db44b3cb428c050259b15cd0). It adds an `--enable-reloc-section` flag, which is turned on by default if you are using `--dynamic-base`. In the mean time this issue has also been worked around by other projects, such as FFmpeg, see [this commit](91b668acd6).

  I have checked our recent supported Windows release binaries, and they do contain a `.reloc` section. From what I understand, we are using all the right compile/linker flags, including `-pie` & `-fPIE`, and have never run into the crashing/entrypoint issues that other projects might have seen.

  One other thing worth noting here, it how Debian/Ubuntu patch the binutils that they distribute, because that's what we end up using in our gitian builds.

  In the binutils-mingw-w64 in Bionic (18.04), which we currently use in gitian, PE hardening options/security flags are enabled by default. See the [changelog](https://changelogs.ubuntu.com/changelogs/pool/universe/b/binutils-mingw-w64/binutils-mingw-w64_8ubuntu1/changelog) and the [relevant commit](452b3013b8).

  However in Focal (20.04), this has now been reversed. PE hardening options are no-longer the default. See the [changelog](https://changelogs.ubuntu.com/changelogs/pool/universe/b/binutils-mingw-w64/binutils-mingw-w64_8.8/changelog) and [relevant commit](7bd8b2fbc2), which cites same .reloc issue mentioned here.

  Given that we explicitly specify/opt-in to everything that we want to use, the defaults aren't necessarily an issue for us. However I think it highlights the importance of continuing to be explicit about what we want, and not falling-back or relying on upstream.

  This was also prompted by the possibility of us doing link time garbage collection, see #18579 & #18605. It seemed some sanity checks would be worthwhile in-case the linker goes haywire while garbage collecting.

  I think Guix is going to bring great benefits when dealing with these kinds of issues. Carl you might have something to say in that regard.

ACKs for top commit:
  dongcarl:
    ACK 3e38023af724a76972d39cbccfb0bba4c54a0323

Tree-SHA512: af14d63bdb334bde548dd7de3e0946556b7e2598d817b56eb4e75b3f56c705c26aa85dd9783134c4b6a7aeb7cb4de567eed996e94d533d31511f57ed332287da
2022-06-18 22:14:03 -07:00
fanquake
bd7b5a3ad4
Merge #18713: scripts: Add MACHO stack canary check to security-check.py
8334ee31f868f0f9baf0920d14d20174ed889dbe scripts: add MACHO LAZY_BINDINGS test to test-security-check.py (fanquake)
7b99c7454cdb74cd9cd7a5eedc2fb9d0a19df456 scripts: add MACHO Canary check to security-check.py (fanquake)

Pull request description:

  7b99c7454cdb74cd9cd7a5eedc2fb9d0a19df456 uses `otool -Iv` to check for `___stack_chk_fail` in the macOS binaries. Similar to the [ELF check](https://github.com/bitcoin/bitcoin/blob/master/contrib/devtools/security-check.py#L105). Note that looking for a triple underscore prefixed function (as opposed to two for ELF) is correct for the macOS binaries. i.e:
  ```bash
  otool -Iv bitcoind | grep chk
  0x00000001006715b8   509 ___memcpy_chk
  0x00000001006715be   510 ___snprintf_chk
  0x00000001006715c4   511 ___sprintf_chk
  0x00000001006715ca   512 ___stack_chk_fail
  0x00000001006715d6   517 ___vsnprintf_chk
  0x0000000100787898   513 ___stack_chk_guard
  ```

  8334ee31f868f0f9baf0920d14d20174ed889dbe is a follow up to #18295 and adds test cases to `test-security-check.py` that for some reason I didn't add at the time. I'll sort out #18434 so that we can run these tests in the CI.

ACKs for top commit:
  practicalswift:
    ACK 8334ee31f868f0f9baf0920d14d20174ed889dbe: Mitigations are important. Important things are worth asserting :)
  jonasschnelli:
    utACK 8334ee31f868f0f9baf0920d14d20174ed889dbe.

Tree-SHA512: 1aa5ded34bbd187eddb112b27278deb328bfc21ac82316b20fab6ad894f223b239a76b53dab0ac1770d194c1760fcc40d4da91ec09959ba4fc8eadedb173936a
2022-06-18 22:14:03 -07:00
Wladimir J. van der Laan
3c4982205c
Merge #18415: scripts: add MACHO tests to test-security-check.py
7142d50ac33e0ad7d24e49e04c1fc7e3e769ed46 scripts: rename test_64bit_PE to test_PE (fanquake)
edaca2dd123cef958699c07ab248cf0ffc71af07 scripts: add MACHO NX check to security-check.py (fanquake)
1a4e9f32efcc5f6a74290446dc58784fd85c7b31 scripts: add MACHO tests to test-security-check.py (fanquake)

Pull request description:

  Adds tests for the MACHO checks in security-check.py:
  ac579ada7e/contrib/devtools/security-check.py (L212-L214)

  I'm planning on following up with more checks in security-check.py, and corresponding tests in test-security-check.py.

  Note that you'll probably have to be on macOS to run them. You can run just this suite with `python3 test-security-check.py TestSecurityChecks.test_MACHO`.

ACKs for top commit:
  laanwj:
    ACK 7142d50ac33e0ad7d24e49e04c1fc7e3e769ed46

Tree-SHA512: ace3ca9f6df5d4fedd5988938fb7dc7563ec7dc587aa275f780b5f51e9b8d7d6f7768e0a1e05ce438510a07b8640aba92c76847b30c2990f46c66b78a0acf960
2022-06-18 22:14:02 -07:00
Wladimir J. van der Laan
07a7fda225
Merge #15939: gitian: Remove Windows 32 bit build
fa193dc8e6f3b96fa2dba2f1c1668f7720fed320 doc: Remove win32 from the release process (MarcoFalke)
faf666f8148eeb305a9c4f78459aff2c7268016b Remove Windows 32 bit build (MarcoFalke)

Pull request description:

  The Windows 32 bit build has been removed from https://bitcoincore.org/en/download/, so unless there are complaints, we don't need to build it even

ACKs for commit fa193d:
  fanquake:
    utACK fa193dc8e6

Tree-SHA512: d6f2976a2e0c407698f720b00ac23ec4056626de4eff8621f4c5581120af0460afd1bdef72329cc0e7d92afca48d94ae5fce6777cb36bfabb60b8034ff08fd88
2021-09-02 22:27:58 +03:00
Wladimir J. van der Laan
f0b1c562a1 Merge #13764: contrib: Fix test-security-check fail in Ubuntu 18.04
1e60713a68296a0ff221befb48b2958fbf019ebf contrib: Fix test-security-check fail in Ubuntu 18.04 (Chun Kuan Lee)

Pull request description:

  - Fix test-security-check fail in Ubuntu 18.04. Those flags are enabled by default, so we must specify `-no` to make the executable does 'not' have those attributes.
  - Drop HIGH_ENTROPY_VA. After update our gitian system to Bionic, the compiler should support HIGH_ENTROPY_VA

Tree-SHA512: 78c1f2aae1253ddd52faa1af569b7151a503a217c7ccbe21b8004d8910c45d8a27ff04695eacbdadd7192d2c91c0d59941ca20c651dd2d5052b9999163a11ae4
2020-07-28 21:35:31 -05:00
Wladimir J. van der Laan
d1200755f1 Merge #13448: Add linter: Make sure we explicitly open all text files using UTF-8 encoding in Python
c8176b3cc7556d7bcec39a55ae4d6ba16453baaa Add linter: Make sure we explicitly open all text files using UTF-8 or ASCII encoding in Python (practicalswift)
634bd970013eca90f4b4c1f9044eec8c97ba62c2 Explicitly specify encoding when opening text files in Python code (practicalswift)

Pull request description:

  Add linter: Make sure we explicitly open all text files using UTF-8 encoding in Python.

  As requested by @laanwj in #13440.

Tree-SHA512: 1651c00fe220ceb273324abd6703aee504029b96c7ef0e3029145901762c733c9b9d24927da281394fd4681a5bff774336c04eed01fafea997bb32192c334c06
Signed-off-by: pasta <pasta@dashboost.org>

# Conflicts:
#	contrib/devtools/circular-dependencies.py
#	contrib/linearize/linearize-data.py
#	contrib/linearize/linearize-hashes.py
#	contrib/seeds/generate-seeds.py
#	contrib/verify-commits/verify-commits.py
#	test/functional/multiwallet.py
#	test/functional/notifications.py
#	test/functional/test_runner.py
#	test/util/rpcauth-test.py
2020-07-07 11:50:56 -05:00
Wladimir J. van der Laan
8a09758298 Merge #13094: tests: Add test for 64-bit Windows PE, modify 32-bit test results
ab3f4dd tests: Add test for 64-bit PE, modify 32-bit test results (Chun Kuan Lee)

Pull request description:

  9a75d29b6f change the error result from `PIE` to `DYNAMIC_BASE`. And there are no test for 64-bit, so I made one

Tree-SHA512: 9d5643dadf4d9fc34ea32d94655bfb98eec2f7bc2820b4b0f525d5acf1cd22f3acf38bf8904dda4f50fd9ca5a5e56d566a392e6f804eea6e50e03cba40048621
2020-06-28 19:28:57 -05:00
MarcoFalke
714beebe07 Merge #12972: Add python3 script shebang lint
2bff472992 [contrib] convert test-security-check to python3 (John Newbery)
958bf40489 add lint tool to check python3 shebang (practicalswift)

Pull request description:

  base58.py can executed by python3

Tree-SHA512: 30511204feefd4ccd5b4bf698fb88e516633e692dc95d31fe957b1c0c4879de25906355b28a5a0522171887315c8464a611e601ff00540db172d5bd463ee13d9
2020-06-27 10:43:32 -05:00
MarcoFalke
be63fb7953 Merge #9508: Remove unused Python imports
95bab82 Remove unused Python imports (practicalswift)
2018-01-21 12:48:33 +01:00
Wladimir J. van der Laan
473ffa0641 Merge #8702: [copyright] add MIT License copyright header to remaining Python files
4677b19 [copyright] add MIT License copyright header to remaining Python files (isle2983)
2018-01-11 13:20:57 +01:00
MarcoFalke
bc659c3e6e Merge #8270: Tests: Use portable #! in python scripts (/usr/bin/env)
7b01ce2 Favour python over python2 as per PR #7723 (Matthew King)
873e81f Use portable #! in python scripts (/usr/bin/env) (Matthew King)
2018-01-08 18:04:55 +01:00
Wladimir J. van der Laan
579b863cd7 devtools: Add security-check.py
Perform the following ELF security checks:

- PIE: Check for position independent executable (PIE), allowing for address space randomization
- NX: Check that no sections are writable and executable (including the stack)
- RELRO: Check for read-only relocations, binding at startup
- Canary: Check for use of stack canary

Also add a check to symbol-check.py that checks that only the subset of
allowed libraries is imported (to avoid incompatibilities).
2015-10-22 03:35:38 +02:00