Merge bitcoin/bitcoin#29170: contrib: add macho branch protection check

5335e45 contrib: add macho branch protection check (fanquake) Pull request description: Followup to bitcoin/bitcoin#28459. Add a sanity check that `bti` instructions are present in the arm macho binary, similar to our x86_64 check for control flow. Could do something similar for aarch64 linux in future, and maybe could use lief-project/LIEF#975. ACKs for top commit: TheCharlatan: ACK 5335e45 Tree-SHA512: 6cc8721209fe07fe07f0524ef6f114004e2b98844f73d31ff16547f7055c7cb4a5609480058c45ede21b457b2dea5357f1475eaa5063ea1f9772aa260f49039b
bitcoin-core · Jan 16, 2024 · f1fcc96 · f1fcc96
2 parents 9fa8eda + 5335e45
commit f1fcc96
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 5 deletions.
diff --git a/contrib/devtools/security-check.py b/contrib/devtools/security-check.py
@@ -192,6 +192,16 @@ def check_MACHO_control_flow(binary) -> bool:
         return True
     return False
 
+def check_MACHO_branch_protection(binary) -> bool:
+    '''
+    Check for branch protection instrumentation
+    '''
+    content = binary.get_content_from_virtual_address(binary.entrypoint, 4, lief.Binary.VA_TYPES.AUTO)
+
+    if content.tolist() == [95, 36, 3, 213]: # bti
+        return True
+    return False
+
 BASE_ELF = [
     ('PIE', check_PIE),
     ('NX', check_NX),
@@ -231,7 +241,7 @@ def check_MACHO_control_flow(binary) -> bool:
         lief.ARCHITECTURES.X86: BASE_MACHO + [('PIE', check_PIE),
                                               ('NX', check_NX),
                                               ('CONTROL_FLOW', check_MACHO_control_flow)],
-        lief.ARCHITECTURES.ARM64: BASE_MACHO,
+        lief.ARCHITECTURES.ARM64: BASE_MACHO + [('BRANCH_PROTECTION', check_MACHO_branch_protection)],
     }
 }
 

diff --git a/contrib/devtools/test-security-check.py b/contrib/devtools/test-security-check.py
@@ -137,12 +137,12 @@ def test_MACHO(self):
         else:
             # arm64 darwin doesn't support non-PIE binaries, control flow or executable stacks
             self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-flat_namespace','-fno-stack-protector', '-Wl,-no_fixup_chains']),
-                (1, executable+': failed NOUNDEFS Canary FIXUP_CHAINS'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-flat_namespace','-fno-stack-protector', '-Wl,-fixup_chains']),
+                (1, executable+': failed NOUNDEFS Canary FIXUP_CHAINS BRANCH_PROTECTION'))
+            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-flat_namespace','-fno-stack-protector', '-Wl,-fixup_chains', '-mbranch-protection=bti']),
                 (1, executable+': failed NOUNDEFS Canary'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-flat_namespace','-fstack-protector-all', '-Wl,-fixup_chains']),
+            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-flat_namespace','-fstack-protector-all', '-Wl,-fixup_chains', '-mbranch-protection=bti']),
                 (1, executable+': failed NOUNDEFS'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-fstack-protector-all', '-Wl,-fixup_chains']),
+            self.assertEqual(call_security_check(cc, source, executable, ['-fstack-protector-all', '-Wl,-fixup_chains', '-mbranch-protection=bti']),
                 (0, ''))