diff --git a/contrib/devtools/security-check.py b/contrib/devtools/security-check.py
--- a/contrib/devtools/security-check.py
+++ b/contrib/devtools/security-check.py
@@ -163,27 +163,41 @@
     return binary.has_nx
+BASE_ELF = [
+    ("PIE", check_PIE),
+    ("NX", check_NX),
+    ("RELRO", check_ELF_RELRO),
+    ("Canary", check_ELF_Canary),
+    ("separate_code", check_ELF_separate_code),
+]
+BASE_PE = [
+    ("PIE", check_PIE),
+    ("DYNAMIC_BASE", check_PE_DYNAMIC_BASE),
+    ("HIGH_ENTROPY_VA", check_PE_HIGH_ENTROPY_VA),
+    ("NX", check_NX),
+    ("RELOC_SECTION", check_PE_RELOC_SECTION),
+]
+BASE_MACHO = [
+    ("PIE", check_PIE),
+    ("NOUNDEFS", check_MACHO_NOUNDEFS),
+    ("NX", check_NX),
+    ("Canary", check_MACHO_Canary),
+]
 CHECKS = {
-    "ELF": [
-        ("PIE", check_PIE),
-        ("NX", check_NX),
-        ("RELRO", check_ELF_RELRO),
-        ("Canary", check_ELF_Canary),
-        ("separate_code", check_ELF_separate_code),
-    ],
-    "PE": [
-        ("PIE", check_PIE),
-        ("DYNAMIC_BASE", check_PE_DYNAMIC_BASE),
-        ("HIGH_ENTROPY_VA", check_PE_HIGH_ENTROPY_VA),
-        ("NX", check_NX),
-        ("RELOC_SECTION", check_PE_RELOC_SECTION),
-    ],
-    "MACHO": [
-        ("PIE", check_PIE),
-        ("NOUNDEFS", check_MACHO_NOUNDEFS),
-        ("NX", check_NX),
-        ("Canary", check_MACHO_Canary),
-    ],
+    lief.EXE_FORMATS.ELF: {
+        lief.ARCHITECTURES.X86: BASE_ELF,
+        lief.ARCHITECTURES.ARM: BASE_ELF,
+        lief.ARCHITECTURES.ARM64: BASE_ELF,
+    },
+    lief.EXE_FORMATS.PE: {
+        lief.ARCHITECTURES.X86: BASE_PE,
+    },
+    lief.EXE_FORMATS.MACHO: {
+        lief.ARCHITECTURES.X86: BASE_MACHO,
+    },
 }
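Review bot: The new format→architecture→checks table carries no comment on why the architecture level exists or what an absent entry means, and the following hunk indexes it directly with `CHECKS[etype][arch]`, so a reader cannot tell whether PE and Mach-O being registered only under `lief.ARCHITECTURES.X86` is a deliberate restriction or an omission. A comment above `CHECKS` such as `# Checks to run, keyed by executable format and then by architecture; a format/architecture pair with no entry here has no checks defined.` would record the intent. Since all three ELF architectures currently map to the same `BASE_ELF`, the comment should also say that the per-architecture split is there so architecture-specific checks can be added later, if that is the intent.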
@@ -192,14 +206,22 @@
     for filename in sys.argv[1:]:
         try:
             binary = lief.parse(filename)
-            etype = binary.format.name
+            etype = binary.format
+            arch = binary.abstract.header.architecture
+            binary.concrete
+
             if etype == lief.EXE_FORMATS.UNKNOWN:
                 print(f"(unknown): unknown executable format")
                 retval = 1
                 continue
+            if arch == lief.ARCHITECTURES.NONE:
+                print(f"(unknown): unknown architecture")
+                retval = 1
+                continue
+
             failed: List[str] = []
-            for name, func in CHECKS[etype]:
+            for name, func in CHECKS[etype][arch]:
                 if not func(binary):
                     failed.append(name)
             if failed:
diff --git a/contrib/devtools/symbol-check.py b/contrib/devtools/symbol-check.py
--- a/contrib/devtools/symbol-check.py
+++ b/contrib/devtools/symbol-check.py
@@ -3,12 +3,12 @@
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 """
-A script to check that the executables produced by gitian only contain
-certain symbols and are only linked against allowed libraries.
+A script to check that release executables only contain certain symbols
+and are only linked against allowed libraries.
 Example usage:
-    find contrib/gitian-builder/build -type f -executable | xargs python3 contrib/devtools/symbol-check.py
+    find ../path/to/binaries -type f -executable | xargs python3 contrib/devtools/symbol-check.py
 """
 import sys
@@ -283,18 +283,18 @@
 CHECKS = {
-    "ELF": [
+    lief.EXE_FORMATS.ELF: [
         ("IMPORTED_SYMBOLS", check_imported_symbols),
         ("EXPORTED_SYMBOLS", check_exported_symbols),
         ("LIBRARY_DEPENDENCIES", check_ELF_libraries),
         ("INTERPRETER_NAME", check_ELF_interpreter),
     ],
-    "MACHO": [
+    lief.EXE_FORMATS.MACHO: [
         ("DYNAMIC_LIBRARIES", check_MACHO_libraries),
         ("MIN_OS", check_MACHO_min_os),
         ("SDK", check_MACHO_sdk),
     ],
-    "PE": [
+    lief.EXE_FORMATS.PE: [
         ("DYNAMIC_LIBRARIES", check_PE_libraries),
         ("SUBSYSTEM_VERSION", check_PE_subsystem_version),
     ],
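Review bot: The lookup `CHECKS[etype][arch]` raises `KeyError` for a recognised format whose architecture has no entry in the table built in the previous hunk (PE and Mach-O are registered only under `lief.ARCHITECTURES.X86`), and it is raised inside the `try:` whose `except` clause lies outside this hunk, so such a binary is either handled by that clause or aborts the run rather than being reported and counted like the `UNKNOWN` cases just above it. Resolving the check list with `.get()` and treating a missing entry as a failure keeps the reporting uniform, as sketched below. Separately, the bare expression statement `binary.concrete` has no visible effect on the code in this hunk; if it is there to make lief resolve the format-specific binary before the checks run, a comment such as `# evaluated for its side effect: makes lief resolve the concrete binary` would stop a later cleanup from dropping it. The enclosing loop and its `try` continue past the end of the hunk.
```python
            checks = CHECKS.get(etype, {}).get(arch)
            if checks is None:
                print(f"{filename}: no checks defined for {etype}/{arch}")
                retval = 1
                continue
            failed: List[str] = []
            for name, func in checks:
            # … unchanged: per-check loop body and failure reporting …
```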
@@ -306,7 +306,7 @@
     for filename in sys.argv[1:]:
         try:
             binary = lief.parse(filename)
-            etype = binary.format.name
+            etype = binary.format
             if etype == lief.EXE_FORMATS.UNKNOWN:
                 print(f"(unknown): unknown executable format")