contrib/devtools/security-check.py
Show First 20 Lines • Show All 99 Lines • ▼ Show 20 Lines | def check_ELF_RELRO(executable): | ||||
have_bindnow = False | have_bindnow = False | ||||
p = subprocess.Popen([READELF_CMD, '-d', '-W', executable], stdout=subprocess.PIPE, | p = subprocess.Popen([READELF_CMD, '-d', '-W', executable], stdout=subprocess.PIPE, | ||||
stderr=subprocess.PIPE, stdin=subprocess.PIPE, universal_newlines=True) | stderr=subprocess.PIPE, stdin=subprocess.PIPE, universal_newlines=True) | ||||
(stdout, stderr) = p.communicate() | (stdout, stderr) = p.communicate() | ||||
if p.returncode: | if p.returncode: | ||||
raise IOError('Error opening file') | raise IOError('Error opening file') | ||||
for line in stdout.splitlines(): | for line in stdout.splitlines(): | ||||
tokens = line.split() | tokens = line.split() | ||||
if len(tokens) > 1 and tokens[1] == '(BIND_NOW)' or (len(tokens) > 2 and tokens[1] == '(FLAGS)' and 'BIND_NOW' in tokens[2]): | if len(tokens) > 1 and tokens[1] == '(BIND_NOW)' or ( | ||||
len(tokens) > 2 and tokens[1] == '(FLAGS)' and 'BIND_NOW' in tokens[2]): | |||||
have_bindnow = True | have_bindnow = True | ||||
return have_gnu_relro and have_bindnow | return have_gnu_relro and have_bindnow | ||||
def check_ELF_Canary(executable): | def check_ELF_Canary(executable): | ||||
''' | ''' | ||||
Check for use of stack canary | Check for use of stack canary | ||||
''' | ''' | ||||
▲ Show 20 Lines • Show All 55 Lines • ▼ Show 20 Lines | else: # Unnecessary on 32-bit | ||||
assert(arch == 'i386') | assert(arch == 'i386') | ||||
reqbits = 0 | reqbits = 0 | ||||
return (bits & reqbits) == reqbits | return (bits & reqbits) == reqbits | ||||
def check_PE_NX(executable): | def check_PE_NX(executable): | ||||
'''NX: DllCharacteristics bit 0x100 signifies nxcompat (DEP)''' | '''NX: DllCharacteristics bit 0x100 signifies nxcompat (DEP)''' | ||||
(arch, bits) = get_PE_dll_characteristics(executable) | (arch, bits) = get_PE_dll_characteristics(executable) | ||||
return (bits & IMAGE_DLL_CHARACTERISTICS_NX_COMPAT) == IMAGE_DLL_CHARACTERISTICS_NX_COMPAT | return ( | ||||
bits & IMAGE_DLL_CHARACTERISTICS_NX_COMPAT) == IMAGE_DLL_CHARACTERISTICS_NX_COMPAT | |||||
CHECKS = { | CHECKS = { | ||||
'ELF': [ | 'ELF': [ | ||||
('PIE', check_ELF_PIE), | ('PIE', check_ELF_PIE), | ||||
('NX', check_ELF_NX), | ('NX', check_ELF_NX), | ||||
('RELRO', check_ELF_RELRO), | ('RELRO', check_ELF_RELRO), | ||||
('Canary', check_ELF_Canary) | ('Canary', check_ELF_Canary) | ||||
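Review bot: The re-wrapped BIND_NOW test in check_ELF_RELRO breaks the line directly after `or (`, so the first alternative stays unparenthesised and the reader has to rely on `and` binding tighter than `or` to see that the logic is unchanged. Because this condition decides whether a binary passes the RELRO check, I would name the two alternatives instead of wrapping: `direct = len(tokens) > 1 and tokens[1] == '(BIND_NOW)'`, `via_flags = len(tokens) > 2 and tokens[1] == '(FLAGS)' and 'BIND_NOW' in tokens[2]`, then `if direct or via_flags:`. The return in check_PE_NX has the same problem in a smaller form, since the break falls inside the parenthesised `bits & IMAGE_DLL_CHARACTERISTICS_NX_COMPAT` operand. Most of check_ELF_RELRO's body is folded out of view here, so this only covers the visible loop.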