Retropex/bitcoin
1
0
Fork 0
mirror of https://github.com/Retropex/bitcoin.git synced 2025-05-29 05:22:30 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge bitcoin/bitcoin#30423: contrib: simplify test-security-check

Browse Source 
1bc9f64bee contrib: assume binary existence in sec/sym checks (fanquake)
51d8f435c9 contrib: simplify ELF test-security-check (fanquake)
1810e20677 contrib: simplify PE test-security-check (fanquake)
6c9746ff92 contrib: simplify MACHO test-security-check (fanquake)

Pull request description:

  The current `test-security-check` script is hard to understand, and change (i.e https://github.com/bitcoin/bitcoin/pull/29987/files#diff-52aa0cda44721f089e53b128cb1232a876006ef257b211655456b17dfb2ec712); tests are also not done in isolation (when-possible). Fix that, and add missing checks. Simplifies future toolchain/security/hardening changes.

ACKs for top commit:
  hebasto:
    ACK 1bc9f64bee (assuming my Guix hashes match; I'll provide them shortly).
  TheCharlatan:
    ACK 1bc9f64bee

Tree-SHA512: 1885d0ce63a94ffa61345327f919da20b63de6dd4148d6db3ee8bad4485253a36e8ab0dbee48cecc02ea35d139edfed75453af45fc364bcbef6fe16b6823bc7a
This commit is contained in:
merge-script 2024-07-24 09:42:25 +01:00
commit fa0b5d6882
No known key found for this signature in database
GPG Key ID: 2EEB9F5CC09526C1
3 changed files with 71 additions and 117 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
contrib/devtools/security-check.py
View File

@ -38,13 +38,13 @@ def check_ELF_RELRO(binary) -> bool:
return have_gnu_relro and have_bindnow return have_gnu_relro and have_bindnow
def check_ELF_Canary(binary) -> bool: def check_ELF_CANARY(binary) -> bool:
''' '''
Check for use of stack canary Check for use of stack canary
''' '''
return binary.has_symbol('__stack_chk_fail') return binary.has_symbol('__stack_chk_fail')
def check_ELF_separate_code(binary): def check_ELF_SEPARATE_CODE(binary):
''' '''
Check that sections are appropriately separated in virtual memory, Check that sections are appropriately separated in virtual memory,
based on their permissions. This checks for missing -Wl,-z,separate-code based on their permissions. This checks for missing -Wl,-z,separate-code
@ -105,7 +105,7 @@ def check_ELF_separate_code(binary):
return False return False
return True return True
def check_ELF_control_flow(binary) -> bool: def check_ELF_CONTROL_FLOW(binary) -> bool:
''' '''
Check for control flow instrumentation Check for control flow instrumentation
''' '''
@ -130,7 +130,7 @@ def check_PE_RELOC_SECTION(binary) -> bool:
'''Check for a reloc section. This is required for functional ASLR.''' '''Check for a reloc section. This is required for functional ASLR.'''
return binary.has_relocations return binary.has_relocations
def check_PE_control_flow(binary) -> bool: def check_PE_CONTROL_FLOW(binary) -> bool:
''' '''
Check for control flow instrumentation Check for control flow instrumentation
''' '''
@ -145,7 +145,7 @@ def check_PE_control_flow(binary) -> bool:
return True return True
return False return False
def check_PE_Canary(binary) -> bool: def check_PE_CANARY(binary) -> bool:
''' '''
Check for use of stack canary Check for use of stack canary
''' '''
@ -163,7 +163,7 @@ def check_MACHO_FIXUP_CHAINS(binary) -> bool:
''' '''
return binary.has_dyld_chained_fixups return binary.has_dyld_chained_fixups
def check_MACHO_Canary(binary) -> bool: def check_MACHO_CANARY(binary) -> bool:
''' '''
Check for use of stack canary Check for use of stack canary
''' '''
@ -182,7 +182,7 @@ def check_NX(binary) -> bool:
''' '''
return binary.has_nx return binary.has_nx
def check_MACHO_control_flow(binary) -> bool: def check_MACHO_CONTROL_FLOW(binary) -> bool:
''' '''
Check for control flow instrumentation Check for control flow instrumentation
''' '''
@ -192,7 +192,7 @@ def check_MACHO_control_flow(binary) -> bool:
return True return True
return False return False
def check_MACHO_branch_protection(binary) -> bool: def check_MACHO_BRANCH_PROTECTION(binary) -> bool:
''' '''
Check for branch protection instrumentation Check for branch protection instrumentation
''' '''
@ -206,8 +206,8 @@ BASE_ELF = [
('PIE', check_PIE), ('PIE', check_PIE),
('NX', check_NX), ('NX', check_NX),
('RELRO', check_ELF_RELRO), ('RELRO', check_ELF_RELRO),
('Canary', check_ELF_Canary), ('CANARY', check_ELF_CANARY),
('separate_code', check_ELF_separate_code), ('SEPARATE_CODE', check_ELF_SEPARATE_CODE),
] ]
BASE_PE = [ BASE_PE = [
@ -216,19 +216,19 @@ BASE_PE = [
('HIGH_ENTROPY_VA', check_PE_HIGH_ENTROPY_VA), ('HIGH_ENTROPY_VA', check_PE_HIGH_ENTROPY_VA),
('NX', check_NX), ('NX', check_NX),
('RELOC_SECTION', check_PE_RELOC_SECTION), ('RELOC_SECTION', check_PE_RELOC_SECTION),
('CONTROL_FLOW', check_PE_control_flow), ('CONTROL_FLOW', check_PE_CONTROL_FLOW),
('Canary', check_PE_Canary), ('CANARY', check_PE_CANARY),
] ]
BASE_MACHO = [ BASE_MACHO = [
('NOUNDEFS', check_MACHO_NOUNDEFS), ('NOUNDEFS', check_MACHO_NOUNDEFS),
('Canary', check_MACHO_Canary), ('CANARY', check_MACHO_CANARY),
('FIXUP_CHAINS', check_MACHO_FIXUP_CHAINS), ('FIXUP_CHAINS', check_MACHO_FIXUP_CHAINS),
] ]
CHECKS = { CHECKS = {
lief.EXE_FORMATS.ELF: { lief.EXE_FORMATS.ELF: {
lief.ARCHITECTURES.X86: BASE_ELF + [('CONTROL_FLOW', check_ELF_control_flow)], lief.ARCHITECTURES.X86: BASE_ELF + [('CONTROL_FLOW', check_ELF_CONTROL_FLOW)],
lief.ARCHITECTURES.ARM: BASE_ELF, lief.ARCHITECTURES.ARM: BASE_ELF,
lief.ARCHITECTURES.ARM64: BASE_ELF, lief.ARCHITECTURES.ARM64: BASE_ELF,
lief.ARCHITECTURES.PPC: BASE_ELF, lief.ARCHITECTURES.PPC: BASE_ELF,
@ -240,39 +240,24 @@ CHECKS = {
lief.EXE_FORMATS.MACHO: { lief.EXE_FORMATS.MACHO: {
lief.ARCHITECTURES.X86: BASE_MACHO + [('PIE', check_PIE), lief.ARCHITECTURES.X86: BASE_MACHO + [('PIE', check_PIE),
('NX', check_NX), ('NX', check_NX),
('CONTROL_FLOW', check_MACHO_control_flow)], ('CONTROL_FLOW', check_MACHO_CONTROL_FLOW)],
lief.ARCHITECTURES.ARM64: BASE_MACHO + [('BRANCH_PROTECTION', check_MACHO_branch_protection)], lief.ARCHITECTURES.ARM64: BASE_MACHO + [('BRANCH_PROTECTION', check_MACHO_BRANCH_PROTECTION)],
} }
} }
if __name__ == '__main__': if __name__ == '__main__':
retval: int = 0 retval: int = 0
for filename in sys.argv[1:]: for filename in sys.argv[1:]:
try: binary = lief.parse(filename)
binary = lief.parse(filename) etype = binary.format
etype = binary.format arch = binary.abstract.header.architecture
arch = binary.abstract.header.architecture binary.concrete
binary.concrete
if etype == lief.EXE_FORMATS.UNKNOWN: failed: list[str] = []
print(f'{filename}: unknown executable format') for (name, func) in CHECKS[etype][arch]:
retval = 1 if not func(binary):
continue failed.append(name)
if failed:
if arch == lief.ARCHITECTURES.NONE: print(f'{filename}: failed {" ".join(failed)}')
print(f'{filename}: unknown architecture')
retval = 1
continue
failed: list[str] = []
for (name, func) in CHECKS[etype][arch]:
if not func(binary):
failed.append(name)
if failed:
print(f'{filename}: failed {" ".join(failed)}')
retval = 1
except IOError:
print(f'{filename}: cannot open')
retval = 1 retval = 1
sys.exit(retval) sys.exit(retval)

24
contrib/devtools/symbol-check.py
View File

@ -299,22 +299,14 @@ lief.EXE_FORMATS.PE: [
if __name__ == '__main__': if __name__ == '__main__':
retval: int = 0 retval: int = 0
for filename in sys.argv[1:]: for filename in sys.argv[1:]:
try: binary = lief.parse(filename)
binary = lief.parse(filename) etype = binary.format
etype = binary.format
if etype == lief.EXE_FORMATS.UNKNOWN:
print(f'{filename}: unknown executable format')
retval = 1
continue
failed: list[str] = [] failed: list[str] = []
for (name, func) in CHECKS[etype]: for (name, func) in CHECKS[etype]:
if not func(binary): if not func(binary):
failed.append(name) failed.append(name)
if failed: if failed:
print(f'{filename}: failed {" ".join(failed)}') print(f'{filename}: failed {" ".join(failed)}')
retval = 1
except IOError:
print(f'{filename}: cannot open')
retval = 1 retval = 1
sys.exit(retval) sys.exit(retval)

97
contrib/devtools/test-security-check.py
View File

@ -59,33 +59,20 @@ class TestSecurityChecks(unittest.TestCase):
arch = get_arch(cxx, source, executable) arch = get_arch(cxx, source, executable)
if arch == lief.ARCHITECTURES.X86: if arch == lief.ARCHITECTURES.X86:
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,-zexecstack','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']), pass_flags = ['-Wl,-znoexecstack', '-Wl,-zrelro', '-Wl,-z,now', '-pie', '-fPIE', '-Wl,-z,separate-code', '-fcf-protection=full']
(1, executable+': failed PIE NX RELRO CONTROL_FLOW')) self.assertEqual(call_security_check(cxx, source, executable, pass_flags + ['-Wl,-zexecstack']), (1, executable + ': failed NX'))
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,-znoexecstack','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']), self.assertEqual(call_security_check(cxx, source, executable, pass_flags + ['-no-pie','-fno-PIE']), (1, executable + ': failed PIE'))
(1, executable+': failed PIE RELRO CONTROL_FLOW')) self.assertEqual(call_security_check(cxx, source, executable, pass_flags + ['-Wl,-znorelro']), (1, executable + ': failed RELRO'))
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,-znoexecstack','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']), self.assertEqual(call_security_check(cxx, source, executable, pass_flags + ['-Wl,-z,noseparate-code']), (1, executable + ': failed SEPARATE_CODE'))
(1, executable+': failed PIE RELRO CONTROL_FLOW')) self.assertEqual(call_security_check(cxx, source, executable, pass_flags + ['-fcf-protection=none']), (1, executable + ': failed CONTROL_FLOW'))
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,-znoexecstack','-Wl,-znorelro','-pie','-fPIE', '-Wl,-z,separate-code']), self.assertEqual(call_security_check(cxx, source, executable, pass_flags), (0, ''))
(1, executable+': failed RELRO CONTROL_FLOW'))
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,-znoexecstack','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,noseparate-code']),
(1, executable+': failed separate_code CONTROL_FLOW'))
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,-znoexecstack','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,separate-code']),
(1, executable+': failed CONTROL_FLOW'))
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,-znoexecstack','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,separate-code', '-fcf-protection=full']),
(0, ''))
else: else:
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,-zexecstack','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']), pass_flags = ['-Wl,-znoexecstack', '-Wl,-zrelro', '-Wl,-z,now', '-pie', '-fPIE', '-Wl,-z,separate-code']
(1, executable+': failed PIE NX RELRO')) self.assertEqual(call_security_check(cxx, source, executable, pass_flags + ['-Wl,-zexecstack']), (1, executable + ': failed NX'))
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,-znoexecstack','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']), self.assertEqual(call_security_check(cxx, source, executable, pass_flags + ['-no-pie','-fno-PIE']), (1, executable + ': failed PIE'))
(1, executable+': failed PIE RELRO')) self.assertEqual(call_security_check(cxx, source, executable, pass_flags + ['-Wl,-znorelro']), (1, executable + ': failed RELRO'))
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,-znoexecstack','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']), self.assertEqual(call_security_check(cxx, source, executable, pass_flags + ['-Wl,-z,noseparate-code']), (1, executable + ': failed SEPARATE_CODE'))
(1, executable+': failed PIE RELRO')) self.assertEqual(call_security_check(cxx, source, executable, pass_flags), (0, ''))
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,-znoexecstack','-Wl,-znorelro','-pie','-fPIE', '-Wl,-z,separate-code']),
(1, executable+': failed RELRO'))
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,-znoexecstack','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,noseparate-code']),
(1, executable+': failed separate_code'))
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,-znoexecstack','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,separate-code']),
(0, ''))
clean_files(source, executable) clean_files(source, executable)
@ -95,20 +82,16 @@ class TestSecurityChecks(unittest.TestCase):
cxx = determine_wellknown_cmd('CXX', 'x86_64-w64-mingw32-g++') cxx = determine_wellknown_cmd('CXX', 'x86_64-w64-mingw32-g++')
write_testcode(source) write_testcode(source)
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,--disable-nxcompat','-Wl,--disable-reloc-section','-Wl,--disable-dynamicbase','-Wl,--disable-high-entropy-va','-no-pie','-fno-PIE','-fno-stack-protector']), pass_flags = ['-Wl,--nxcompat', '-Wl,--enable-reloc-section', '-Wl,--dynamicbase', '-Wl,--high-entropy-va', '-pie', '-fPIE', '-fcf-protection=full', '-fstack-protector-all', '-lssp']
(1, executable+': failed PIE DYNAMIC_BASE HIGH_ENTROPY_VA NX RELOC_SECTION CONTROL_FLOW Canary'))
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,--nxcompat','-Wl,--disable-reloc-section','-Wl,--disable-dynamicbase','-Wl,--disable-high-entropy-va','-no-pie','-fno-PIE','-fstack-protector-all', '-lssp']), self.assertEqual(call_security_check(cxx, source, executable, pass_flags + ['-fno-stack-protector']), (1, executable + ': failed CANARY'))
(1, executable+': failed PIE DYNAMIC_BASE HIGH_ENTROPY_VA RELOC_SECTION CONTROL_FLOW')) # https://github.com/lief-project/LIEF/issues/1076 - in future, we could test this individually.
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,--nxcompat','-Wl,--enable-reloc-section','-Wl,--disable-dynamicbase','-Wl,--disable-high-entropy-va','-no-pie','-fno-PIE','-fstack-protector-all', '-lssp']), # self.assertEqual(call_security_check(cxx, source, executable, pass_flags + ['-Wl,--disable-reloc-section']), (1, executable + ': failed RELOC_SECTION'))
(1, executable+': failed PIE DYNAMIC_BASE HIGH_ENTROPY_VA CONTROL_FLOW')) self.assertEqual(call_security_check(cxx, source, executable, pass_flags + ['-Wl,--disable-nxcompat']), (1, executable + ': failed NX'))
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,--nxcompat','-Wl,--enable-reloc-section','-Wl,--disable-dynamicbase','-Wl,--disable-high-entropy-va','-pie','-fPIE','-fstack-protector-all', '-lssp']), self.assertEqual(call_security_check(cxx, source, executable, pass_flags + ['-Wl,--disable-dynamicbase']), (1, executable + ': failed PIE DYNAMIC_BASE HIGH_ENTROPY_VA')) # -pie -fPIE does nothing without --dynamicbase
(1, executable+': failed PIE DYNAMIC_BASE HIGH_ENTROPY_VA CONTROL_FLOW')) # -pie -fPIE does nothing unless --dynamicbase is also supplied self.assertEqual(call_security_check(cxx, source, executable, pass_flags + ['-Wl,--disable-high-entropy-va']), (1, executable + ': failed HIGH_ENTROPY_VA'))
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,--nxcompat','-Wl,--enable-reloc-section','-Wl,--dynamicbase','-Wl,--disable-high-entropy-va','-pie','-fPIE','-fstack-protector-all', '-lssp']), self.assertEqual(call_security_check(cxx, source, executable, pass_flags + ['-fcf-protection=none']), (1, executable + ': failed CONTROL_FLOW'))
(1, executable+': failed HIGH_ENTROPY_VA CONTROL_FLOW')) self.assertEqual(call_security_check(cxx, source, executable, pass_flags), (0, ''))
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,--nxcompat','-Wl,--enable-reloc-section','-Wl,--dynamicbase','-Wl,--high-entropy-va','-pie','-fPIE','-fstack-protector-all', '-lssp']),
(1, executable+': failed CONTROL_FLOW'))
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,--nxcompat','-Wl,--enable-reloc-section','-Wl,--dynamicbase','-Wl,--high-entropy-va','-pie','-fPIE', '-fcf-protection=full','-fstack-protector-all', '-lssp']),
(0, ''))
clean_files(source, executable) clean_files(source, executable)
@ -120,27 +103,21 @@ class TestSecurityChecks(unittest.TestCase):
arch = get_arch(cxx, source, executable) arch = get_arch(cxx, source, executable)
if arch == lief.ARCHITECTURES.X86: if arch == lief.ARCHITECTURES.X86:
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-fno-stack-protector', '-Wl,-no_fixup_chains']), pass_flags = ['-Wl,-pie', '-fstack-protector-all', '-fcf-protection=full', '-Wl,-fixup_chains']
(1, executable+': failed NOUNDEFS Canary FIXUP_CHAINS PIE CONTROL_FLOW')) self.assertEqual(call_security_check(cxx, source, executable, pass_flags + ['-Wl,-no_pie', '-Wl,-no_fixup_chains']), (1, executable+': failed FIXUP_CHAINS PIE')) # -fixup_chains is incompatible with -no_pie
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,-flat_namespace','-fno-stack-protector', '-Wl,-fixup_chains']), self.assertEqual(call_security_check(cxx, source, executable, pass_flags + ['-Wl,-no_fixup_chains']), (1, executable + ': failed FIXUP_CHAINS'))
(1, executable+': failed NOUNDEFS Canary CONTROL_FLOW')) self.assertEqual(call_security_check(cxx, source, executable, pass_flags + ['-fno-stack-protector']), (1, executable + ': failed CANARY'))
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,-flat_namespace','-fstack-protector-all', '-Wl,-fixup_chains']), self.assertEqual(call_security_check(cxx, source, executable, pass_flags + ['-Wl,-flat_namespace']), (1, executable + ': failed NOUNDEFS'))
(1, executable+': failed NOUNDEFS CONTROL_FLOW')) self.assertEqual(call_security_check(cxx, source, executable, pass_flags + ['-fcf-protection=none']), (1, executable + ': failed CONTROL_FLOW'))
self.assertEqual(call_security_check(cxx, source, executable, ['-fstack-protector-all', '-Wl,-fixup_chains']), self.assertEqual(call_security_check(cxx, source, executable, pass_flags), (0, ''))
(1, executable+': failed CONTROL_FLOW'))
self.assertEqual(call_security_check(cxx, source, executable, ['-fstack-protector-all', '-fcf-protection=full', '-Wl,-fixup_chains']),
(0, ''))
else: else:
# arm64 darwin doesn't support non-PIE binaries, control flow or executable stacks # arm64 darwin doesn't support non-PIE binaries or executable stacks
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,-flat_namespace','-fno-stack-protector', '-Wl,-no_fixup_chains']), pass_flags = ['-fstack-protector-all', '-Wl,-fixup_chains', '-mbranch-protection=bti']
(1, executable+': failed NOUNDEFS Canary FIXUP_CHAINS BRANCH_PROTECTION')) self.assertEqual(call_security_check(cxx, source, executable, pass_flags + ['-mbranch-protection=none']), (1, executable + ': failed BRANCH_PROTECTION'))
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,-flat_namespace','-fno-stack-protector', '-Wl,-fixup_chains', '-mbranch-protection=bti']), self.assertEqual(call_security_check(cxx, source, executable, pass_flags + ['-Wl,-no_fixup_chains']), (1, executable + ': failed FIXUP_CHAINS'))
(1, executable+': failed NOUNDEFS Canary')) self.assertEqual(call_security_check(cxx, source, executable, pass_flags + ['-fno-stack-protector']), (1, executable + ': failed CANARY'))
self.assertEqual(call_security_check(cxx, source, executable, ['-Wl,-flat_namespace','-fstack-protector-all', '-Wl,-fixup_chains', '-mbranch-protection=bti']), self.assertEqual(call_security_check(cxx, source, executable, pass_flags + ['-Wl,-flat_namespace']), (1, executable + ': failed NOUNDEFS'))
(1, executable+': failed NOUNDEFS')) self.assertEqual(call_security_check(cxx, source, executable, pass_flags), (0, ''))
self.assertEqual(call_security_check(cxx, source, executable, ['-fstack-protector-all', '-Wl,-fixup_chains', '-mbranch-protection=bti']),
(0, ''))
clean_files(source, executable) clean_files(source, executable)