From b11a343f86758eb837e12ef476a162661e1aed77 Mon Sep 17 00:00:00 2001
From: teoberi
Date: Mon, 13 May 2024 14:08:20 +0300
Subject: [PATCH 1/8] Update proccheck.sh (Fortify) Added detailed results for Fortify: 'N/A', 'Partial'
---
 checksec | 27 +++++++++++++++++++++++----
 src/functions/proccheck.sh | 27 +++++++++++++++++++++++----
 2 files changed, 46 insertions(+), 8 deletions(-)
diff --git a/checksec b/checksec
index 46e98a3..508823d 100755
--- a/checksec
+++ b/checksec
@@ -1609,11 +1609,30 @@ proccheck() {
 fi
 #check for Fortify source support
- Proc_FS_functions="$(${readelf} -s "${1}/exe" 2> /dev/null | awk '{ print $8 }' | sed 's/_*//' | sed -e 's/@.*//')"
- if grep -q '_chk$' <<< "$Proc_FS_functions"; then
- echo_message '\033[32mYes\033[m' 'Yes' " fortify_source='yes'>" '"fortify_source":"yes" }'
+ search_libc
+ libc_found="false"
+ if ${readelf} -d "$(readlink "${1}"/exe)" 2> /dev/null | grep 'NEEDED' | grep -q 'libc\.so'; then
+ libc_found="true"
+ fi
+ Proc_FS_filechk_func_libc="$(${readelf} -s "${use_dynamic}" "${FS_libc}" 2> /dev/null | sed -ne 's/.*__\(.*_chk\)@@.*/\1/p')"
+ Proc_FS_func_libc="${Proc_FS_filechk_func_libc//_chk/}"
+ Proc_FS_func="$(${readelf} -s "${use_dynamic}" "${1}/exe" 2> /dev/null | awk '{ print $8 }' | sed -e 's/_*//' -e 's/@.*//' -e '/^$/d')"
+ Proc_FS_cnt_checked=$(grep -cFxf <(sort -u <<< "${Proc_FS_filechk_func_libc}") <(sort -u <<< "${Proc_FS_func}"))
+ Proc_FS_cnt_unchecked=$(grep -cFxf <(sort -u <<< "${Proc_FS_func_libc}") <(sort -u <<< "${Proc_FS_func}"))
+ Proc_FS_cnt_total=$((Proc_FS_cnt_unchecked + Proc_FS_cnt_checked))
+
+ if [[ "${libc_found}" == "false" ]] || [[ "${Proc_FS_cnt_total}" == "0" ]]; then
+ echo_message "\033[32mN/A\033[m" "N/A," ' fortify_source="n/a">' '"fortify_source":"n/a" }'
 else
- echo_message "\033[31mNo\033[m" "No" " fortify_source='no'>" '"fortify_source":"no" }'
+ if [[ $Proc_FS_cnt_checked -eq $Proc_FS_cnt_total ]]; then
+ echo_message '\033[32mYes\033[m' 'Yes,' ' fortify_source="yes">' '"fortify_source":"yes" }'
+ else
+ if [[ "${Proc_FS_cnt_checked}" == "0" ]]; then
+ echo_message "\033[31mNo\033[m" "No," ' fortify_source="no">' '"fortify_source":"no" }'
+ else
+ echo_message "\033[33mPartial\033[m" "Partial," ' fortify_source="partial">' '"fortify_source":"partial" }'
+ fi
+ fi
 fi
 }
diff --git a/src/functions/proccheck.sh b/src/functions/proccheck.sh
index 352876b..b2baa02 100644
--- a/src/functions/proccheck.sh
+++ b/src/functions/proccheck.sh 
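Review bot: The libc detection on the new `if ${readelf} -d "$(readlink "${1}"/exe)"` line resolves `/proc/PID/exe` to a path and reopens that path, which fails when the executable was deleted or replaced after start (readlink yields a `... (deleted)` name) or lives in another mount namespace, while the two other readelf calls in the hunk open `${1}/exe` directly; readelf reads through the magic link, so `if ${readelf} -d "${1}/exe" 2> /dev/null | grep 'NEEDED' | grep -q 'libc\.so'; then` avoids both failure modes, which currently collapse silently into N/A. A statically linked process has no NEEDED entries and therefore now reports N/A even when its symbol table contains `__*_chk` functions that the removed `grep -q '_chk$'` would have reported as Yes; if that is intended, a short comment above the `libc_found` check would save the next reader the question. `${FS_libc}` and `${use_dynamic}` are set by `search_libc` outside the hunk and presumably name a libc found on the host rather than the one mapped by the inspected process, in which case the reference `_chk` set can differ from what the process actually links. The same block is duplicated in the src/functions/proccheck.sh hunk, and in both the nested `else` / `if` / `else` / `if` could be flattened with `elif`. proccheck() begins before the hunk.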
@@ -118,10 +118,29 @@ proccheck() {
 fi
 #check for Fortify source support
- Proc_FS_functions="$(${readelf} -s "${1}/exe" 2> /dev/null | awk '{ print $8 }' | sed 's/_*//' | sed -e 's/@.*//')"
- if grep -q '_chk$' <<< "$Proc_FS_functions"; then
- echo_message '\033[32mYes\033[m' 'Yes' " fortify_source='yes'>" '"fortify_source":"yes" }'
+ search_libc
+ libc_found="false"
+ if ${readelf} -d "$(readlink "${1}"/exe)" 2> /dev/null | grep 'NEEDED' | grep -q 'libc\.so'; then
+ libc_found="true"
+ fi
+ Proc_FS_filechk_func_libc="$(${readelf} -s "${use_dynamic}" "${FS_libc}" 2> /dev/null | sed -ne 's/.*__\(.*_chk\)@@.*/\1/p')"
+ Proc_FS_func_libc="${Proc_FS_filechk_func_libc//_chk/}"
+ Proc_FS_func="$(${readelf} -s "${use_dynamic}" "${1}/exe" 2> /dev/null | awk '{ print $8 }' | sed -e 's/_*//' -e 's/@.*//' -e '/^$/d')"
+ Proc_FS_cnt_checked=$(grep -cFxf <(sort -u <<< "${Proc_FS_filechk_func_libc}") <(sort -u <<< "${Proc_FS_func}"))
+ Proc_FS_cnt_unchecked=$(grep -cFxf <(sort -u <<< "${Proc_FS_func_libc}") <(sort -u <<< "${Proc_FS_func}"))
+ Proc_FS_cnt_total=$((Proc_FS_cnt_unchecked + Proc_FS_cnt_checked))
+
+ if [[ "${libc_found}" == "false" ]] || [[ "${Proc_FS_cnt_total}" == "0" ]]; then
+ echo_message "\033[32mN/A\033[m" "N/A," ' fortify_source="n/a">' '"fortify_source":"n/a" }'
 else
- echo_message "\033[31mNo\033[m" "No" " fortify_source='no'>" '"fortify_source":"no" }'
+ if [[ $Proc_FS_cnt_checked -eq $Proc_FS_cnt_total ]]; then
+ echo_message '\033[32mYes\033[m' 'Yes,' ' fortify_source="yes">' '"fortify_source":"yes" }'
+ else
+ if [[ "${Proc_FS_cnt_checked}" == "0" ]]; then
+ echo_message "\033[31mNo\033[m" "No," ' fortify_source="no">' '"fortify_source":"no" }'
+ else
+ echo_message "\033[33mPartial\033[m" "Partial," ' fortify_source="partial">' '"fortify_source":"partial" }'
+ fi
+ fi
 fi
 }
From 30add965914acea3bcdcb6dabf3899713f106131 Mon Sep 17 00:00:00 2001
From: teoberi
Date: Mon, 13 May 2024 14:09:46 +0300
Subject: [PATCH 2/8] Update hardening-checks.sh (Fortify proccheck) Add cases for 'N/A' and 'Partial'
---
 tests/hardening-checks.sh | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/tests/hardening-checks.sh b/tests/hardening-checks.sh
index 26d7660..62c9e0e 100755
--- a/tests/hardening-checks.sh
+++ b/tests/hardening-checks.sh
@@ -445,6 +445,22 @@ for bin in none none32 none_cl none_cl32; do
 exit 1
 fi
 done
+# N/A
+for bin in nolibc nolibc_cl nolibc32 nolibc_cl32 fszero fszero_cl fszero32 fszero_cl32; do
+ "${DIR}"/binaries/output/${bin} > /dev/null &
+ if [[ $("${PARENT}"/checksec --proc=${bin} --format=csv | cut -d, -f8) != "N/A" ]]; then
+ echo "No Fortify process validation failed on \"${bin}\": $("${PARENT}"/checksec --proc=${bin} --format=csv | cut -d, -f8)"
+ exit 1
+ fi
+done
+# Partial
+for bin in partial partial32 partial_cl partial_cl32; do
+ "${DIR}"/binaries/output/${bin} > /dev/null &
+ if [[ $("${PARENT}"/checksec --proc=${bin} --format=csv | cut -d, -f8) != "Partial" ]]; then
+ echo "No Fortify process validation failed on \"${bin}\": $("${PARENT}"/checksec --proc=${bin} --format=csv | cut -d, -f8)"
+ exit 1
+ fi
+done
 echo "Fortify process validation tests passed"
 echo "Done."
 echo "All hardening validation tests passed"
From fffec3a347380fe1e87f8366bf6631226b128263 Mon Sep 17 00:00:00 2001
From: teoberi
Date: Mon, 13 May 2024 14:12:26 +0300
Subject: [PATCH 3/8] Update build_binaries.sh (Fortify) Generating test files for Fortify (nolibc*, fszero*)
---
 tests/binaries/build_binaries.sh | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/tests/binaries/build_binaries.sh b/tests/binaries/build_binaries.sh
index 047c9fa..83a8fbd 100755
--- a/tests/binaries/build_binaries.sh
+++ b/tests/binaries/build_binaries.sh 
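Review bot: The failure message in both new loops still reads `No Fortify process validation failed on ...`, copied from the `No` loop above, so a failing N/A or Partial check is misreported; change them to `echo "N/A Fortify process validation failed on \"${bin}\": ..."` and `echo "Partial Fortify process validation failed on \"${bin}\": ..."`. Each iteration runs checksec twice against a fixture that stays alive only about two seconds (the `sleep(2)` and nanosleep delay in the fixture sources of this series), so the second run inside the echo can already find no process and print an unrelated value; capturing the field once into a variable before the comparison removes that race, although the pre-existing loops share the pattern. I see no rule producing `partial*` binaries in the build_binaries.sh hunks of this series; if they are not already built elsewhere, the Partial loop fails on a missing file rather than on a checksec result. Quoting `"${bin}"` on the `--proc=` and fixture-path lines is a small consistency nit.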
@@ -50,12 +50,15 @@ clang -m32 -o output/none_cl32 test.c -w -D_FORTIFY_SOURCE=0 -fno-stack-protecto
 clang -m32 -c test.c -o output/rel_cl32.o
 clang -m32 -shared -fPIC -o output/dso_cl32.so test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -O2 -z relro -z now -z noexecstack -s
-gcc -o output/nolibc main.c start.S hello.S -w -nostdlib -no-pie -s
-clang -o output/nolibc_cl main.c start.S hello.S -w -nostdlib -no-pie -s
-gcc -m32 -o output/nolibc32 main.c start.S hello.S -w -nostdlib -no-pie -s
-clang -m32 -o output/nolibc_cl32 main.c start.S hello.S -w -nostdlib -no-pie -s
+# Fortify source
+nasm -f elf64 -o nolibc.o nolibc.asm
+nasm -f elf32 -o nolibc32.o nolibc32.asm
+gcc -o output/nolibc nolibc.o -w -nostdlib -no-pie -s
+clang -o output/nolibc_cl nolibc.o -w -nostdlib -no-pie -s
+gcc -m32 -o output/nolibc32 nolibc32.o -w -nostdlib -no-pie -s
+clang -m32 -o output/nolibc_cl32 nolibc32.o -w -nostdlib -no-pie -s
-gcc -o output/fszero helloworld.c -w -D_FORTIFY_SOURCE=0 -O2 -s
-clang -o output/fszero_cl helloworld.c -w -D_FORTIFY_SOURCE=0 -O2 -s
-gcc -m32 -o output/fszero32 helloworld.c -w -D_FORTIFY_SOURCE=0 -O2 -s
-clang -m32 -o output/fszero_cl32 helloworld.c -w -D_FORTIFY_SOURCE=0 -O2 -s
+gcc -o output/fszero fszero.c -w -D_FORTIFY_SOURCE=0 -O2 -s
+clang -o output/fszero_cl fszero.c -w -D_FORTIFY_SOURCE=0 -O2 -s
+gcc -m32 -o output/fszero32 fszero.c -w -D_FORTIFY_SOURCE=0 -O2 -s
+clang -m32 -o output/fszero_cl32 fszero.c -w -D_FORTIFY_SOURCE=0 -O2 -s
From 042ea070a7270f6f6a273a3a60ab177b069a3a08 Mon Sep 17 00:00:00 2001
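Review bot: The two `nasm` invocations run unconditionally, yet the prebuilt `nolibc.o` and `nolibc32.o` added in patch 5/8 exist precisely for hosts without NASM; on such a host these two lines fail (and abort the script if it runs under `set -e`, which the hunk does not show) before the gcc/clang links ever get to use the checked-in objects, and patch 6/8 only changes the comment. Guarding the assembler step makes the fallback real, as below. Bear in mind that the checked-in objects are opaque artifacts that get overwritten whenever NASM is present, so the bytes in the tree will drift with the assembler version; with the guard in place it is worth deciding whether keeping them committed is still wanted.

```shell
# Fortify source
if command -v nasm > /dev/null 2>&1; then
  nasm -f elf64 -o nolibc.o nolibc.asm
  nasm -f elf32 -o nolibc32.o nolibc32.asm
fi
# … unchanged: gcc/clang links of nolibc*.o and fszero.c …
```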
From: teoberi
Date: Mon, 13 May 2024 14:19:48 +0300
Subject: [PATCH 4/8] Change test files for Fortify
---
 tests/binaries/{helloworld.c => fszero.c} | 2 ++
 tests/binaries/hello.S | 18 ------------------
 tests/binaries/main.c | 7 -------
 tests/binaries/nolibc.asm | 23 +++++++++++++++++++++++
 tests/binaries/nolibc32.asm | 23 +++++++++++++++++++++++
 tests/binaries/start.S | 5 -----
 6 files changed, 48 insertions(+), 30 deletions(-)
 rename tests/binaries/{helloworld.c => fszero.c} (69%)
 delete mode 100644 tests/binaries/hello.S
 delete mode 100644 tests/binaries/main.c
 create mode 100644 tests/binaries/nolibc.asm
 create mode 100644 tests/binaries/nolibc32.asm
 delete mode 100644 tests/binaries/start.S
diff --git a/tests/binaries/helloworld.c b/tests/binaries/fszero.c
similarity index 69%
rename from tests/binaries/helloworld.c
rename to tests/binaries/fszero.c
index c3ce445..fc88b61 100644
--- a/tests/binaries/helloworld.c
+++ b/tests/binaries/fszero.c
@@ -1,7 +1,9 @@
 #include
+#include
 int main()
 {
 printf("Hello World\n");
+ sleep(2);
 return 0;
 }
diff --git a/tests/binaries/hello.S b/tests/binaries/hello.S
deleted file mode 100644
index 5b5e727..0000000
--- a/tests/binaries/hello.S
+++ /dev/null
@@ -1,18 +0,0 @@
-.section .text
-.global hello
-hello:
- movl $len,%edx # third argument: message length
- movl $msg,%ecx # second argument: pointer to message to write
- movl $1,%ebx # first argument: file handle (stdout)
- movl $4,%eax # system call number (sys_write)
- int $0x80 # call kernel
-
- # and exit
-
- movl $0,%ebx # first argument: exit code
- movl $1,%eax # system call number (sys_exit)
- int $0x80 # call kernel
-.section .data
- msg:
- .ascii "Hello, world!\n" # our dear string
- len = . - msg # length of our dear string
diff --git a/tests/binaries/main.c b/tests/binaries/main.c
deleted file mode 100644
index 21618b8..0000000
--- a/tests/binaries/main.c
+++ /dev/null
@@ -1,7 +0,0 @@
-extern void hello();
-
-int main()
-{
- hello();
- return 0;
-}
diff --git a/tests/binaries/nolibc.asm b/tests/binaries/nolibc.asm
new file mode 100644
index 0000000..c51ea17
--- /dev/null
+++ b/tests/binaries/nolibc.asm
@@ -0,0 +1,23 @@
+section .data
+ msg db 'Hello, World!', 0ah ;note the newline (Line Feed-LF) at the end (hex:0ah; decimal:10)
+ len equ $ - msg ;calculate the length of the message
+ delay dq 2, 100000000 ;define delay with Timespec structure members tv_sec, tv_nsec (qwords, 64-bit integer values)
+
+section .text
+ global _start ;must be declared for linker (ld)
+
+_start: ;tells linker entry point
+ mov rax, 1 ;system call for write (sys_write 1)
+ mov rdi, 1 ;file descriptor (1 is stdout)
+ mov rsi, msg ;address of string to output
+ mov rdx, len ;message length
+ syscall ;invoke operating system to do the write
+
+ mov rax, 35 ;system call for nanosleep (sys_nanosleep 35)
+ mov rdi, delay ;load the pointer to our delay
+ mov rsi, 0 ;exit code 0
+ syscall ;invoke operating system to do the delay
+
+ mov rax, 60 ;system call for exit (sys_exit 60)
+ xor rdi, rdi ;exit code 0
+ syscall ;invoke operating system to exit
diff --git a/tests/binaries/nolibc32.asm b/tests/binaries/nolibc32.asm
new file mode 100644
index 0000000..c016d93
--- /dev/null
+++ b/tests/binaries/nolibc32.asm 
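Review bot: The comment on `mov rsi, 0 ;exit code 0` is wrong: rsi here is nanosleep's second argument (the `rem` pointer, passed as NULL), not an exit code, so `mov rsi, 0 ;rem = NULL (second nanosleep argument)` describes the instruction, and the same mislabel sits on `mov ecx, 0` in the nolibc32.asm hunk. NASM does not emit a `.note.GNU-stack` section unless the source declares one, and the link lines in build_binaries.sh pass no `-z noexecstack` for these objects, so the resulting fixtures most likely end up with an executable stack; adding `section .note.GNU-stack noalloc noexec nowrite progbits` to both sources (or `-z noexecstack` at link time) keeps their NX property in line with the other test binaries, which matters for a tool whose own NX check may one day be pointed at them. The two sources also disagree on the message literal (`'Hello, World!'` versus `"Hello, world!"`), harmless but worth aligning.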
@@ -0,0 +1,23 @@
+section .data
+ msg db "Hello, world!", 0xa ;note the newline (Line Feed-LF) at the end (hex:0ah; decimal:10)
+ len equ $ - msg ;calculate the length of the message
+ delay dd 2, 100000000 ;define delay with Timespec structure members tv_sec, tv_nsec (dwords, 32-bit integer values)
+
+section .text
+ global _start ;must be declared for linker (ld)
+
+_start: ;tells linker entry point
+ mov eax,4 ;system call for write (sys_write 4)
+ mov ebx,1 ;file descriptor (1 is stdout)
+ mov ecx,msg ;address of string to output
+ mov edx,len ;message length
+ int 0x80 ;invoke operating system to do the write
+
+ mov eax, 162 ;system call for nanosleep (sys_nanosleep 162)
+ mov ebx, delay ;load the pointer to our delay
+ mov ecx, 0 ;exit code 0
+ int 0x80 ;invoke operating system to do the delay
+
+ mov eax,1 ;system call for exit (sys_exit 1)
+ xor ebx, ebx ;exit code 0
+ int 0x80 ;invoke operating system to exit
diff --git a/tests/binaries/start.S b/tests/binaries/start.S
deleted file mode 100644
index 2981576..0000000
--- a/tests/binaries/start.S
+++ /dev/null
@@ -1,5 +0,0 @@
-.globl _start
-_start:call main
- movl $1, %eax
- xorl %ebx, %ebx
- int $0x80
From 90fdaf8c53ff2d6315bdd07db867ea88410ddda3 Mon Sep 17 00:00:00 2001
From: teoberi
Date: Fri, 17 May 2024 10:45:44 +0300
Subject: [PATCH 5/8] Add files via upload *.o (object files) Required if NASM assembler is not installed.
---
 tests/binaries/nolibc.o | Bin 0 -> 960 bytes
 tests/binaries/nolibc32.o | Bin 0 -> 688 bytes
 2 files changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 tests/binaries/nolibc.o
 create mode 100644 tests/binaries/nolibc32.o
diff --git a/tests/binaries/nolibc.o b/tests/binaries/nolibc.o new file mode 100644 index 0000000000000000000000000000000000000000..73d4192fb9915e0081bc68be38c319b23dd68574 GIT binary patch literal 960 zcmbVKJ5Iwu5FO`35CW1S5{Lp4C}@xcv>=oQv#vAVWq*La zvOkl3*5yw2KgI+3CZv7m{8LUO4UHuGdx6%`N$)O-wcp<;ZZiL-fzc+^a7LT=NtkT9 zja$1pIYQ^nh#||4k-fy&J4@SK!1a|;;F{pofSWugCN^q_(Kxi8aU5u6MOm>wH=3vc zi?m8uul&LE&c*$Tw9PD%uL@xQ$s(nzmaUrs2PD6Te5ay5j3WIqd~{V3LYO>(4o2YP cUB_^r7!{jxZHnzY_D`3mJ!BzGN_^h`2chFOHUIzs literal 0 HcmV?d00001 diff --git a/tests/binaries/nolibc32.o b/tests/binaries/nolibc32.o new file mode 100644 index 0000000000000000000000000000000000000000..78ad93388a6d5d21938b78954a5d6afa7da69994 GIT binary patch literal 688 zcmbVKJ5Iwu6nq;3;Uf^D2n`Y-3Mi08AP1l!qTmj&!4@E`V`Q%csqj${C!h@E3^@T6 zHy{Odn6Y2qZ)7B#jEgMi=|iaI&P1SvxrStqln7o3mZAYc^GGLE;YAdb-jBu?V;x3 z_4ZL%@NovB~<>Dlt-yH5RV#Ao~Z>+qpVVUHk7q~Iw zqKX0;osUT_L8z^kz($W&g6uZ4snvZ%!?^S=Pa{)u(DxVoy~t_GbXMp7{uB5<4dIz8 zDA_<#)uuCk(<)c8Rgv*dxc?wAcm3;=<3MMz#MzCQXdq!^^iVD{t5aKRK)3=^Xrm7O E5A2jV%m4rY literal 0 HcmV?d00001 From fda3410356bc0b5e2ee4b04776b4800f4e8b4888 Mon Sep 17 00:00:00 2001 From: teoberi Date: Tue, 21 May 2024 09:14:40 +0300 Subject: [PATCH 6/8] Update build_binaries.sh (Fortify). Added warning about NASM assembler installation. Installing the NASM assembler leads to the regeneration of the object files (.o) from the .asm sources --- tests/binaries/build_binaries.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/binaries/build_binaries.sh b/tests/binaries/build_binaries.sh index 83a8fbd..a397c29 100755 --- a/tests/binaries/build_binaries.sh +++ b/tests/binaries/build_binaries.sh 
@@ -50,7 +50,7 @@ clang -m32 -o output/none_cl32 test.c -w -D_FORTIFY_SOURCE=0 -fno-stack-protecto
 clang -m32 -c test.c -o output/rel_cl32.o
 clang -m32 -shared -fPIC -o output/dso_cl32.so test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -O2 -z relro -z now -z noexecstack -s
-# Fortify source
+# Fortify source (installation of NASM assembler is recommended)
 nasm -f elf64 -o nolibc.o nolibc.asm
 nasm -f elf32 -o nolibc32.o nolibc32.asm
 gcc -o output/nolibc nolibc.o -w -nostdlib -no-pie -s
From f9fddafb23d051d8a730d6d4fd0a68d386fc4e8f Mon Sep 17 00:00:00 2001
From: teoberi
Date: Thu, 23 May 2024 07:56:44 +0300
Subject: [PATCH 7/8] Add NASM and binutils in the base image.
---
 Dockerfile.ubuntu | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile.ubuntu b/Dockerfile.ubuntu
index 59ecfea..ac5c049 100644
--- a/Dockerfile.ubuntu
+++ b/Dockerfile.ubuntu
@@ -5,7 +5,7 @@ RUN apt-get update && apt-get -y -q upgrade && DEBIAN_FRONTEND=noninteractive ap
 bc bison flex build-essential git file \
 libncurses-dev libssl-dev u-boot-tools wget \
 xz-utils vim libxml2-utils python3 python3-pip jq \
- gcc clang gcc-multilib && apt-get clean \
+ gcc clang gcc-multilib nasm binutils && apt-get clean \
 pip3 install --upgrade pip && pip3 install setuptools && \
 pip3 install demjson3 && mkdir -p /zig && \
 wget https://ziglang.org/builds/zig-linux-$(uname -m)-0.12.0-dev.3667+77abd3a96.tar.xz && \
From cca825b1f009dbc30e1b6dcce6e1940c5df4a54b Mon Sep 17 00:00:00 2001
From: teoberi
Date: Thu, 23 May 2024 08:05:20 +0300
Subject: [PATCH 8/8] Add NASM and binutils on the base image.
---
 Dockerfile.photon | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile.photon b/Dockerfile.photon
index b0dce12..b81c44a 100644
--- a/Dockerfile.photon
+++ b/Dockerfile.photon 
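Review bot: The changed line in the Dockerfile.ubuntu hunk ends with `apt-get clean \`, and the following context line begins `pip3 install --upgrade pip && ...` with no `&&` in between, so after the backslash continuation the pip words are handed to `apt-get clean` as arguments instead of running as their own command; whether apt-get rejects them or ignores them I cannot tell from the hunk, but in neither case does the pip upgrade run as written. Since this line is being edited anyway, `gcc clang gcc-multilib nasm binutils && apt-get clean && \` closes the gap. `binutils` is already a dependency of `build-essential` on Ubuntu, so listing it is redundant though harmless.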
@@ -4,7 +4,7 @@ FROM photon:5.0
 RUN tdnf upgrade -y && tdnf remove toybox -y && \
 tdnf install -y build-essential git rpm-build coreutils util-linux \
 make autoconf automake gcc ncurses-devel sed tar texinfo wget procps-ng grep \
- findutils gzip file which libxml2 python3 python3-pip jq clang && \
+ findutils gzip file which libxml2 python3 python3-pip jq clang nasm binutils && \
 pip3 install --upgrade pip && pip3 install setuptools && \
 pip3 install demjson3 && mkdir -p /zig && \
 wget https://ziglang.org/builds/zig-linux-$(uname -m)-0.12.0-dev.3667+77abd3a96.tar.xz && \