
Adds checks for IntelCET Indirect Branch Tracking (IBT) and Shadow Stack (SHSTK) #43

Open: wants to merge 3 commits into master

Conversation

titison commented Oct 29, 2023

Checks the .note.gnu.property section of an ELF file for the properties GNU_PROPERTY_X86_FEATURE_1_IBT (Indirect Branch Tracking) and GNU_PROPERTY_X86_FEATURE_1_SHSTK (Shadow Stack).

These are features from the Intel Control-flow Enforcement Technology (Intel CET) (Architectures Software Developer's Manual Volume 1 - Chapter 17), which will provide hardware supported control flow checks in the future. This is intended to protect against such threats as Return-oriented Programming (ROP), and similarly call/jmp-oriented programming (COP/JOP). Unlike software solutions, this also works during Spectre-like attacks. While the Shadow Stack is already supported by multiple CPUs by both Intel and AMD, IBT is only supported by Intel Tiger Lake as of now. However, GCC is in the process of introducing a new -fhardened [1] [2] flag, which includes this feature. Thus, I value this to be a relevant feature to check for.

IBT and SHSTK can be enabled during compilation with the following flags:
CFLAGS=-fcf-protection=[full|branch|return|none]

Notes:

  • The Notes section in the ELF file could lie and report enabled IBT while no endbr32/64 instructions have actually been introduced.
  • The current Goblin 0.6.0 is missing the NT_GNU_PROPERTY_TYPE_0 constant for this. I set the Goblin version to the latest current version of 0.7.1. However, 0.6.1 would be sufficient for this patch to work if you don't want Goblin 0.7.x.
  • EDIT: The current implementation will (probably) only work for little endian ELF files.

Future Work:
While Windows does not make use of the Indirect Branch Tracking feature, you can enable the Shadow Stack. Thus, PE files should/could also be checked for this.
EDIT: Done

tnballo (Contributor) commented Oct 29, 2023

I hope this PR will be merged and included in a crates.io release of checksec in the near future! Thank you for your work on this crate 🙂

Note for anyone maintaining a project that uses the latest goblin and needs to use checksec simultaneously - you can include two goblin versions in-tree under distinct namespaces (to avoid the problem in #12). Cargo.toml:

```toml
[dependencies]
goblin = "0.7"
checksec_goblin = { package = "goblin", version = "0.5" }
```

titison (Author) commented Oct 30, 2023

I am happy to help :)

You can now check for Shadow Stack compatibility on PE files as well.
Compiler flag: /CETCOMPAT
