Merge pull request #236 from teoberi/teoberi-Fortify
checksec FORTIFY detection
slimm609 authored Apr 25, 2024
2 parents 1507d4a + d7a3704 commit 753bc11
Showing 3 changed files with 34 additions and 12 deletions.
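--- a/src/functions/filecheck.sh
+++ b/src/functions/filecheck.sh
@@ -138,10 +138,18 @@ filecheck() {
 FS_cnt_unchecked=$(grep -cFxf <(sort <<< "${FS_func_libc}") <(sort <<< "${FS_func}"))
 FS_cnt_total=$((FS_cnt_unchecked + FS_cnt_checked))
 
-if [[ $FS_cnt_checked -eq $FS_cnt_total ]]; then
-echo_message '\033[32mYes\033[m' 'Yes,' ' fortify_source="yes" ' '"fortify_source":"yes",'
+if [[ "${FS_cnt_total}" == "0" ]]; then
+echo_message "\033[32mN/A\033[m" "N/A," ' fortify_source="n/a" ' '"fortify_source":"n/a",'
 else
-echo_message "\033[31mNo\033[m" "No," ' fortify_source="no" ' '"fortify_source":"no",'
+if [[ $FS_cnt_checked -eq $FS_cnt_total ]]; then
+echo_message '\033[32mYes\033[m' 'Yes,' ' fortify_source="yes" ' '"fortify_source":"yes",'
+else
+if [[ "${FS_cnt_checked}" == "0" ]]; then
+echo_message "\033[31mNo\033[m" "No," ' fortify_source="no" ' '"fortify_source":"no",'
+else
+echo_message "\033[33mPartial\033[m" "Partial," ' fortify_source="partial" ' '"fortify_source":"partial",'
+fi
+fi
 fi
 echo_message "\t${FS_cnt_checked}\t" "${FS_cnt_checked}", "fortified=\"${FS_cnt_checked}\" " "\"fortified\":\"${FS_cnt_checked}\","
 echo_message "\t${FS_cnt_total}\t\t" "${FS_cnt_total}" "fortify-able=\"${FS_cnt_total}\"" "\"fortify-able\":\"${FS_cnt_total}\""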
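Review bot: The new `N/A` branch is printed in green (`\033[32m`), which reads as a pass, while `FS_cnt_total == 0` only establishes that no fortify-able libc symbol was found — if `FS_func_libc` is derived from the binary's imported symbols (computed above the hunk, not visible here), a statically linked or non-glibc binary would presumably land in the same branch with its FORTIFY status unknown rather than good. A neutral colour plus a comment above the branch would keep the output honest: `# No fortify-able libc function found: nothing to judge (relocatable object, static or non-glibc binary)`. The three nested if/else levels also flatten into one chain — `elif [[ "${FS_cnt_checked}" -eq "${FS_cnt_total}" ]]; then`, `elif [[ "${FS_cnt_checked}" -eq 0 ]]; then`, `else` — and using `-eq` throughout instead of mixing string `==` with arithmetic `-eq` removes one more way for the two comparisons to disagree. The enclosing filecheck() starts and ends outside this hunk.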
16 changes: 8 additions & 8 deletions tests/binaries/build_binaries.sh
Expand Up @@ -4,9 +4,9 @@ set -x
export PATH=$PATH:/zig/

# All hardening features on (except for CFI and SafeStack)
gcc -o all test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s
gcc -o all test.c -w -D_FORTIFY_SOURCE=3 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s
# Partial RELRO
gcc -o partial test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z lazy -z noexecstack -s
gcc -o partial test.c -w -D_FORTIFY_SOURCE=1 -fstack-protector-strong -fpie -O2 -z relro -z lazy -z noexecstack -s
# RPATH
gcc -o rpath test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s -Wl,-rpath,./ -Wl,--disable-new-dtags
# RUNPATH
Expand All @@ -21,8 +21,8 @@ gcc -shared -fPIC -o dso.so test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-stro
clang -o cfi test.c -w -flto -fsanitize=cfi -fvisibility=default
clang -o sstack test.c -w -fsanitize=safe-stack
# clang instead of gcc
clang -o all_cl test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s
clang -o partial_cl test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z lazy -z noexecstack -s
clang -o all_cl test.c -w -D_FORTIFY_SOURCE=3 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s
clang -o partial_cl test.c -w -D_FORTIFY_SOURCE=1 -fstack-protector-strong -fpie -O2 -z relro -z lazy -z noexecstack -s
clang -o rpath_cl test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s -Wl,-rpath,./ -Wl,--disable-new-dtags
clang -o runpath_cl test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s -Wl,-rpath,./ -Wl,--enable-new-dtags
clang -o none_cl test.c -w -D_FORTIFY_SOURCE=0 -fno-stack-protector -no-pie -O2 -z norelro -z lazy -z execstack
Expand All @@ -31,8 +31,8 @@ clang -shared -fPIC -o dso_cl.so test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector

# 32-bit use zig for cross compile
# zig cc --target=x86-linux-gnu
gcc -m32 -o all32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s
gcc -m32 -o partial32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z lazy -z noexecstack -s
gcc -m32 -o all32 test.c -w -D_FORTIFY_SOURCE=3 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s
gcc -m32 -o partial32 test.c -w -D_FORTIFY_SOURCE=1 -fstack-protector-strong -fpie -O2 -z relro -z lazy -z noexecstack -s
gcc -m32 -o rpath32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s -Wl,-rpath,./ -Wl,--disable-new-dtags
gcc -m32 -o runpath32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s -Wl,-rpath,./ -Wl,--enable-new-dtags
gcc -m32 -o none32 test.c -w -D_FORTIFY_SOURCE=0 -fno-stack-protector -no-pie -O2 -z norelro -z lazy -z execstack
Expand All @@ -41,8 +41,8 @@ gcc -m32 -shared -fPIC -o dso32.so test.c -w -D_FORTIFY_SOURCE=2 -fstack-protect

clang -m32 -o cfi32 test.c -w -flto -fsanitize=cfi -fvisibility=default
clang -m32 -o sstack32 test.c -w -fsanitize=safe-stack
clang -m32 -o all_cl32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s
clang -m32 -o partial_cl32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z lazy -z noexecstack -s
clang -m32 -o all_cl32 test.c -w -D_FORTIFY_SOURCE=3 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s
clang -m32 -o partial_cl32 test.c -w -D_FORTIFY_SOURCE=1 -fstack-protector-strong -fpie -O2 -z relro -z lazy -z noexecstack -s
clang -m32 -o rpath_cl32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s -Wl,-rpath,./ -Wl,--disable-new-dtags
clang -m32 -o runpath_cl32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s -Wl,-rpath,./ -Wl,--enable-new-dtags
clang -m32 -o none_cl32 test.c -w -D_FORTIFY_SOURCE=0 -fno-stack-protector -no-pie -O2 -z norelro -z lazy -z execstack
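Review bot: The fixture comments still describe only the RELRO setting (`# All hardening features on`, `# Partial RELRO`), so nothing records that the `all*` binaries now also serve as the "fully fortified" case and the `partial*` binaries as the "partially fortified" case; a comment such as `# Partial RELRO; _FORTIFY_SOURCE=1 leaves some calls unchecked -> expected Fortify result "Partial"` above each partial build would tie the flag change to the test expectation in hardening-checks.sh. Whether level 1 versus level 3 really yields Partial versus Yes depends on which calls in test.c the compiler can bound at build time and on the toolchain — glibc only honours `_FORTIFY_SOURCE=3` from 2.34 with a compiler that provides `__builtin_dynamic_object_size`, and older headers treat any level above 1 as level 2 — so that assumption is worth stating next to the fixtures rather than leaving it implicit. The same note applies to the clang and 32-bit groups further down the file.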
16 changes: 15 additions & 1 deletion tests/hardening-checks.sh
Expand Up @@ -252,7 +252,7 @@ echo "Symbols validation tests passed"

#============================================

echo "Starting Foritfy check"
echo "Starting Fortify check"
# Yes
for bin in all all32 all_cl all_cl32; do
if [[ $("${PARENT}"/checksec --file="${DIR}/binaries/${bin}" --format=csv | cut -d, -f8) != "Yes" ]]; then
Expand All @@ -267,6 +267,20 @@ for bin in none none32 none_cl none_cl32; do
exit 1
fi
done
# N/A
for bin in rel.o rel32.o rel_cl.o rel_cl32.o; do
if [[ $("${PARENT}"/checksec --file="${DIR}/binaries/${bin}" --format=csv | cut -d, -f8) != "N/A" ]]; then
echo "No Fortify validation failed on \"${bin}\": $("${PARENT}"/checksec --file="${DIR}/binaries/${bin}" --format=csv | cut -d, -f8)"
exit 1
fi
done
# Partial
for bin in partial partial32 partial_cl partial_cl32; do
if [[ $("${PARENT}"/checksec --file="${DIR}/binaries/${bin}" --format=csv | cut -d, -f8) != "Partial" ]]; then
echo "No Fortify validation failed on \"${bin}\": $("${PARENT}"/checksec --file="${DIR}/binaries/${bin}" --format=csv | cut -d, -f8)"
exit 1
fi
done
echo "Fortify validation tests passed"

#============================================
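Review bot: The failure messages in the two new loops were copied from the `No` case and still read `No Fortify validation failed on ...`, so a failing N/A or Partial check reports the wrong expectation; they should read `echo "N/A Fortify validation failed on \"${bin}\": ..."` and `echo "Partial Fortify validation failed on \"${bin}\": ..."`. Each iteration also runs checksec twice — once for the comparison and again to print the result — so capturing the CSV field once halves the work and guarantees the printed value is the one that was compared. The `rel*.o` fixtures are not built in the build_binaries.sh hunks shown in this commit, so I assume they exist elsewhere in that script. A rewritten loop, with the same shape to be applied to the N/A loop:
```shell
# Partial
for bin in partial partial32 partial_cl partial_cl32; do
  result=$("${PARENT}"/checksec --file="${DIR}/binaries/${bin}" --format=csv | cut -d, -f8)
  if [[ "${result}" != "Partial" ]]; then
    echo "Partial Fortify validation failed on \"${bin}\": ${result}"
    exit 1
  fi
done
```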
