checksec-2.7.1 FORTIFY detection for processes
teoberi opened this issue · 7 comments
As detailed in #236, couldn't the "N/A" and "Partial" cases also apply to running processes?
Example applied to checksec-2.7.1:
./checksec --proc=update-notifier
* System-wide ASLR (kernel.randomize_va_space): Full (Setting: 2)
Description - Make the addresses of mmap base, heap, stack and VDSO page randomized.
This, among other things, implies that shared libraries will be loaded to random
addresses. Also for PIE-linked binaries, the location of code start is randomized.
See the kernel file 'Documentation/admin-guide/sysctl/kernel.rst' for more details.
* Does the CPU support NX: Yes
COMMAND PID RELRO STACK CANARY SECCOMP NX/PaX PIE FORTIFY
update-notifier 3066 Full RELRO Canary found No Seccomp NX enabled PIE enabled Yes
readlink /proc/3066/exe
/usr/bin/update-notifier
./checksec --fortify-file=/usr/bin/update-notifier
* FORTIFY_SOURCE support available (libc) : Yes
* Binary compiled with FORTIFY_SOURCE support: Yes
------ EXECUTABLE-FILE ------- . -------- LIBC --------
Fortifiable library functions | Checked function names
-------------------------------------------------------
fgets | __fgets_chk
fprintf_chk | __fprintf_chk
fread | __fread_chk
getgroups_chk | __getgroups_chk
read | __read_chk
strncpy | __strncpy_chk
SUMMARY:
* Number of checked functions in libc : 79
* Total number of library functions in the executable: 286
* Number of Fortifiable functions in the executable : 6
* Number of checked functions in the executable : 2
* Number of unchecked functions in the executable : 4
./checksec --file=/usr/bin/update-notifier
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH No Symbols Partial 2 6 /usr/bin/update-notifier
There is a discrepancy for Fortify in the results in case of options:
- --proc=update-notifier -> Yes (wrong)
- --file=/usr/bin/update-notifier -> Partial (correct)
also validated with the result of the --fortify-file=/usr/bin/update-notifier option.
In src/functions/proccheck.sh, replace the code from the section
#check for Fortify source support
with the code from filecheck.sh
search_libc
libc_found="false"
if ${readelf} -d "$(readlink "${1}"/exe)" 2> /dev/null | grep 'NEEDED' | grep -q 'libc\.so'; then
libc_found="true"
fi
Proc_FS_filechk_func_libc="$(${readelf} -s "${use_dynamic}" "${FS_libc}" 2> /dev/null | sed -ne 's/.*__\(.*_chk\)@@.*/\1/p')"
Proc_FS_func_libc="${Proc_FS_filechk_func_libc//_chk/}"
Proc_FS_func="$(${readelf} -s "${use_dynamic}" "${1}/exe" 2> /dev/null | awk '{ print $8 }' | sed -e 's/_*//' -e 's/@.*//' -e '/^$/d')"
Proc_FS_cnt_checked=$(grep -cFxf <(sort -u <<< "${Proc_FS_filechk_func_libc}") <(sort -u <<< "${Proc_FS_func}"))
Proc_FS_cnt_unchecked=$(grep -cFxf <(sort -u <<< "${Proc_FS_func_libc}") <(sort -u <<< "${Proc_FS_func}"))
Proc_FS_cnt_total=$((Proc_FS_cnt_unchecked + Proc_FS_cnt_checked))
if [[ "${libc_found}" == "false" ]] || [[ "${Proc_FS_cnt_total}" == "0" ]]; then
echo_message "\033[32mN/A\033[m" "N/A," ' fortify_source="n/a">' '"fortify_source":"n/a" }'
else
if [[ $Proc_FS_cnt_checked -eq $Proc_FS_cnt_total ]]; then
echo_message '\033[32mYes\033[m' 'Yes,' ' fortify_source="yes">' '"fortify_source":"yes" }'
else
if [[ "${Proc_FS_cnt_checked}" == "0" ]]; then
echo_message "\033[31mNo\033[m" "No," ' fortify_source="no">' '"fortify_source":"no" }'
else
echo_message "\033[33mPartial\033[m" "Partial," ' fortify_source="partial">' '"fortify_source":"partial" }'
fi
fi
fi
with only 2 changes, that is:
line 3 (adapted to find the path to executables)
readlink ${1}/exe
and line 8 (adapted for processes)
${1}/exe
The new result is:
./checksec --proc=update-notifier
* System-wide ASLR (kernel.randomize_va_space): Full (Setting: 2)
Description - Make the addresses of mmap base, heap, stack and VDSO page randomized.
This, among other things, implies that shared libraries will be loaded to random
addresses. Also for PIE-linked binaries, the location of code start is randomized.
See the kernel file 'Documentation/admin-guide/sysctl/kernel.rst' for more details.
* Does the CPU support NX: Yes
COMMAND PID RELRO STACK CANARY SECCOMP NX/PaX PIE FORTIFY
update-notifier 3066 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
The new code is working:
sudo ./checksec --proc-all
* System-wide ASLR (kernel.randomize_va_space): Full (Setting: 2)
Description - Make the addresses of mmap base, heap, stack and VDSO page randomized.
This, among other things, implies that shared libraries will be loaded to random
addresses. Also for PIE-linked binaries, the location of code start is randomized.
See the kernel file 'Documentation/admin-guide/sysctl/kernel.rst' for more details.
* Does the CPU support NX: Yes
* Core-Dumps access to all users: Not Restricted
COMMAND PID RELRO STACK CANARY SECCOMP NX/PaX PIE FORTIFY
systemd 1 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
VBoxDRMClient 1212 Partial RELRO No canary found No Seccomp NX enabled No PIE No
VBoxService 1215 Partial RELRO No canary found No Seccomp NX enabled No PIE No
gdm3 1237 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
rtkit-daemon 1278 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
upowerd 1363 Full RELRO Canary found Seccomp-bpf NX enabled PIE enabled Partial
packagekitd 1367 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
colord 1522 Full RELRO Canary found No Seccomp NX enabled PIE enabled Yes
gdm-session-wor 1619 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
systemd 1628 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
(sd-pam) 1630 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
pipewire 1636 Full RELRO Canary found Seccomp-bpf NX enabled PIE enabled Yes
pipewire-media- 1637 Full RELRO Canary found Seccomp-bpf NX enabled PIE enabled Partial
pulseaudio 1638 Full RELRO Canary found Seccomp-bpf NX enabled PIE enabled Yes
gnome-keyring-d 1646 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
gdm-wayland-ses 1655 Full RELRO Canary found No Seccomp NX enabled PIE enabled Yes
dbus-daemon 1657 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
gnome-session-b 1664 Full RELRO Canary found No Seccomp NX enabled PIE enabled Yes
xdg-document-po 1672 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
xdg-permission- 1685 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
fusermount3 1695 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
gnome-session-c 1728 Full RELRO Canary found No Seccomp NX enabled PIE enabled No
gvfsd 1738 Full RELRO Canary found No Seccomp NX enabled PIE enabled No
gvfsd-fuse 1747 Full RELRO Canary found No Seccomp NX enabled PIE enabled Yes
gnome-session-b 1748 Full RELRO Canary found No Seccomp NX enabled PIE enabled Yes
at-spi-bus-laun 1775 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
gnome-shell 1782 Full RELRO Canary found No Seccomp NX enabled PIE enabled N/A
dbus-daemon 1791 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
gnome-shell-cal 1828 Full RELRO Canary found No Seccomp NX enabled PIE enabled N/A
evolution-sourc 1834 Full RELRO Canary found No Seccomp NX enabled PIE enabled N/A
goa-daemon 1841 Full RELRO Canary found No Seccomp NX enabled PIE enabled N/A
snapd-desktop-i 1843 Full RELRO Canary found Seccomp-bpf NX enabled PIE enabled N/A
evolution-calen 1853 Full RELRO Canary found No Seccomp NX enabled PIE enabled N/A
gvfs-udisks2-vo 1855 Full RELRO Canary found No Seccomp NX enabled PIE enabled N/A
goa-identity-se 1873 Full RELRO Canary found No Seccomp NX enabled PIE enabled No
gvfs-afc-volume 1891 Full RELRO Canary found No Seccomp NX enabled PIE enabled N/A
gvfs-mtp-volume 1899 Full RELRO Canary found No Seccomp NX enabled PIE enabled N/A
dconf-service 1911 Full RELRO Canary found No Seccomp NX enabled PIE enabled No
evolution-addre 1914 Full RELRO Canary found No Seccomp NX enabled PIE enabled N/A
systemd-journal 192 Full RELRO Canary found Seccomp-bpf NX enabled PIE enabled Partial
gvfs-gphoto2-vo 1920 Full RELRO Canary found No Seccomp NX enabled PIE enabled N/A
gvfs-goa-volume 1933 Full RELRO Canary found No Seccomp NX enabled PIE enabled N/A
snapd-desktop-i 1950 Full RELRO Canary found Seccomp-bpf NX enabled PIE enabled N/A
gvfsd-trash 1972 Full RELRO Canary found No Seccomp NX enabled PIE enabled N/A
at-spi2-registr 1985 Full RELRO Canary found No Seccomp NX enabled PIE enabled Yes
gjs 1987 Full RELRO No canary found No Seccomp NX enabled PIE enabled N/A
sh 1997 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
ibus-daemon 1999 Full RELRO Canary found No Seccomp NX enabled PIE enabled No
gsd-a11y-settin 2000 Full RELRO Canary found No Seccomp NX enabled PIE enabled Yes
gsd-color 2005 Full RELRO Canary found No Seccomp NX enabled PIE enabled Yes
gsd-datetime 2006 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
gsd-housekeepin 2007 Full RELRO Canary found No Seccomp NX enabled PIE enabled Yes
gsd-keyboard 2013 Full RELRO Canary found No Seccomp NX enabled PIE enabled Yes
gsd-media-keys 2014 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
gsd-power 2019 Full RELRO Canary found No Seccomp NX enabled PIE enabled Yes
gsd-print-notif 2021 Full RELRO Canary found No Seccomp NX enabled PIE enabled Yes
gsd-rfkill 2022 Full RELRO Canary found No Seccomp NX enabled PIE enabled Yes
gsd-screensaver 2023 Full RELRO Canary found No Seccomp NX enabled PIE enabled Yes
gsd-sharing 2027 Full RELRO Canary found No Seccomp NX enabled PIE enabled Yes
gsd-smartcard 2029 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
gsd-sound 2035 Full RELRO Canary found No Seccomp NX enabled PIE enabled Yes
gsd-wacom 2038 Full RELRO Canary found No Seccomp NX enabled PIE enabled Yes
gsd-disk-utilit 2056 Full RELRO Canary found No Seccomp NX enabled PIE enabled N/A
evolution-alarm 2071 Full RELRO Canary found No Seccomp NX enabled PIE enabled N/A
gsd-printer 2081 Full RELRO Canary found No Seccomp NX enabled PIE enabled Yes
ibus-dconf 2084 Full RELRO Canary found No Seccomp NX enabled PIE enabled N/A
ibus-extension- 2085 Full RELRO Canary found No Seccomp NX enabled PIE enabled N/A
ibus-portal 2087 Full RELRO Canary found No Seccomp NX enabled PIE enabled N/A
VBoxClient 2144 Partial RELRO No canary found No Seccomp NX enabled No PIE Partial
VBoxClient 2145 Partial RELRO No canary found No Seccomp NX enabled No PIE Partial
Xwayland 2162 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
snap-store 2163 Full RELRO Canary found Seccomp-bpf NX enabled PIE enabled N/A
ibus-engine-sim 2191 Full RELRO No canary found No Seccomp NX enabled PIE enabled N/A
systemd-udevd 222 Full RELRO Canary found Seccomp-bpf NX enabled PIE enabled Partial
tracker-miner-f 2261 Full RELRO Canary found No Seccomp NX enabled PIE enabled N/A
xdg-desktop-por 2262 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
xdg-desktop-por 2267 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
gjs 2283 Full RELRO No canary found No Seccomp NX enabled PIE enabled N/A
gsd-xsettings 2310 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
ibus-x11 2343 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
gjs 2348 Full RELRO No canary found No Seccomp NX enabled PIE enabled N/A
xdg-desktop-por 2378 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
VBoxClient 2381 Partial RELRO No canary found No Seccomp NX enabled No PIE Partial
VBoxClient 2382 Partial RELRO No canary found No Seccomp NX enabled No PIE Partial
VBoxClient 2389 Partial RELRO No canary found No Seccomp NX enabled No PIE Partial
VBoxClient 2390 Partial RELRO No canary found No Seccomp NX enabled No PIE Partial
VBoxClient 2398 Partial RELRO No canary found No Seccomp NX enabled No PIE Partial
VBoxClient 2399 Partial RELRO No canary found No Seccomp NX enabled No PIE Partial
fwupd 2449 Full RELRO Canary found Seccomp-bpf NX enabled PIE enabled N/A
gvfsd-metadata 2451 Full RELRO Canary found No Seccomp NX enabled PIE enabled No
gnome-terminal- 2876 Full RELRO Canary found No Seccomp NX enabled PIE enabled No
bash 2961 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
sudo 3120 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
sudo 3243 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
systemd-oomd 403 Full RELRO Canary found Seccomp-bpf NX enabled PIE enabled Partial
systemd-resolve 404 Full RELRO Canary found Seccomp-bpf NX enabled PIE enabled Partial
systemd-timesyn 563 Full RELRO Canary found Seccomp-bpf NX enabled PIE enabled Yes
accounts-daemon 689 Full RELRO Canary found Seccomp-bpf NX enabled PIE enabled Partial
acpid 693 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
avahi-daemon 697 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
cron 701 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
dbus-daemon 704 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
NetworkManager 705 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
irqbalance 715 Full RELRO Canary found Seccomp-bpf NX enabled PIE enabled Partial
networkd-dispat 718 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
polkitd 719 Full RELRO Canary found No Seccomp NX enabled PIE enabled Yes
power-profiles- 722 Full RELRO Canary found Seccomp-bpf NX enabled PIE enabled Yes
rsyslogd 728 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
snapd 732 Partial RELRO Canary found No Seccomp NX enabled PIE enabled Yes
switcheroo-cont 737 Full RELRO Canary found Seccomp-bpf NX enabled PIE enabled N/A
systemd-logind 739 Full RELRO Canary found Seccomp-bpf NX enabled PIE enabled Partial
udisksd 744 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
wpa_supplicant 755 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
avahi-daemon 766 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
ModemManager 783 Full RELRO Canary found Seccomp-bpf NX enabled PIE enabled Partial
cupsd 787 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
sshd 812 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
unattended-upgr 823 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
cups-browsed 852 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
kerneloops 871 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
kerneloops 875 Full RELRO Canary found No Seccomp NX enabled PIE enabled Partial
Also in tests/hardening-checks.sh the code for Fortify "Partial" case works:
# Partial
for bin in partial partial32 partial_cl partial_cl32; do
"${DIR}"/binaries/output/${bin} > /dev/null &
if [[ $("${PARENT}"/checksec --proc=${bin} --format=csv | cut -d, -f8) != "Partial" ]]; then
echo "No Fortify process validation failed on \"${bin}\": $("${PARENT}"/checksec --proc=${bin} --format=csv | cut -d, -f8)"
exit 1
fi
done
I can't find yet a solution to test the Fortify "N/A" case as well, although in the above result when testing the system for processes there are many N/A cases.
I found a solution to test the Fortify "N/A" case, the second half, i.e. Proc_FS_cnt_total=0 by adding a sleep() in the helloworld.c source file:
#include <stdio.h>
#include <unistd.h>
int main()
{
printf("Hello World\n");
sleep(2);
return 0;
}
and now make test
works for fszero fszero_cl fszero32 fszero_cl32
The first half libc_found=false remains to be solved I still can't add a sleep().
I found a solution to generate the nolibc/nolibc_cl test files usable for "Fortify" testing in the case of libc_found=false both for files and processes (tests/hardening-checks.sh).
An nolibc.asm file written in NASM:
- display the message "Hello, World!" (usable in the # file checks section);
- suspend the execution of the program (after displaying the message) for approximately 2 seconds (usable and necessary in the # process checks section).
section .data
msg db 'Hello, World!', 0ah ;note the newline (Line Feed-LF) at the end (hex:0ah; decimal:10)
len equ $ - msg ;calculate the length of the message
delay dq 2, 100000000 ;define delay with Timespec structure members tv_sec, tv_nsec (qwords, 64-bit integer values)
section .text
global _start ;must be declared for linker (ld)
_start: ;tells linker entry point
mov rax, 1 ;system call for write (sys_write 1)
mov rdi, 1 ;file descriptor (1 is stdout)
mov rsi, msg ;address of string to output
mov rdx, len ;message length
syscall ;invoke operating system to do the write
mov rax, 35 ;system call for nanosleep (sys_nanosleep 35)
mov rdi, delay ;load the pointer to our delay
mov rsi, 0 ;exit code 0
syscall ;invoke operating system to do the delay
mov rax, 60 ;system call for exit (sys_exit 60)
xor rdi, rdi ;exit code 0
syscall ;invoke operating system to exit
There are 2 options for compilation:
- NASM will be a requirement, it will be installed and these commands will be run:
nasm -f elf64 -o nolibc.o nolibc.asm
gcc -o nolibc nolibc.o -w -nostdlib -no-pie -s
clang -o nolibc_cl nolibc.o -w -nostdlib -no-pie -s
- The file .o (object file) nolibc.o will be delivered directly (as source file) and only these commands will be run:
gcc -o nolibc nolibc.o -w -nostdlib -no-pie -s
clang -o nolibc_cl nolibc.o -w -nostdlib -no-pie -s
@slimm609 here I need your decision, I would opt for the first option with NASM installation but it will become a requirement (among many others) for running the tests.
It remains to write an .asm file for x86 assembly (different syntax compared to x86-64 presented previously) to complete the Fortify test files for the nolibc case.
And the solution for nolibc32/nolibc_cl32 test files: nolibc32.asm
section .data
msg db "Hello, world!", 0xa ;note the newline (Line Feed-LF) at the end (hex:0ah; decimal:10)
len equ $ - msg ;calculate the length of the message
delay dd 2, 100000000 ;define delay with Timespec structure members tv_sec, tv_nsec (dwords, 32-bit integer values)
section .text
global _start ;must be declared for linker (ld)
_start: ;tells linker entry point
mov eax,4 ;system call for write (sys_write 4)
mov ebx,1 ;file descriptor (1 is stdout)
mov ecx,msg ;address of string to output
mov edx,len ;message length
int 0x80 ;invoke operating system to do the write
mov eax, 162 ;system call for nanosleep (sys_nanosleep 162)
mov ebx, delay ;load the pointer to our delay
mov ecx, 0 ;exit code 0
int 0x80 ;invoke operating system to do the delay
mov eax,1 ;system call for exit (sys_exit 1)
xor ebx, ebx ;exit code 0
int 0x80 ;invoke operating system to exit
Compilation commands:
nasm -f elf32 -o nolibc32.o nolibc32.asm
gcc -m32 -o nolibc32 nolibc32.o -w -nostdlib -no-pie -s
clang -m32 -o nolibc_cl32 nolibc32.o -w -nostdlib -no-pie -s
These are all for tests so adding dependencies to the test images is completely fine. These are rather difficult to test int he different scenarios so the more tests we can add, the more reliable the tests will be.
There is also a full rewrite/port to golang in progress so these tests will be vital in validating the 2 versions side by side.
I found a solution to generate the nolibc/nolibc_cl test files usable for "Fortify" testing in the case of libc_found=false both for files and processes (tests/hardening-checks.sh). An nolibc.asm file written in NASM:
Why not simply compile a regular helloworld.c with the -static flag? That one will also pass the N/A test because the external libc dependency will be gone.
Hi,
It can be done!
Pros/cons here.
The advantage is that if library changes, or is not present on a system, the program will run fine, because it has the functions and other stuff with it already.
The disadvantage is large memory footprint, large file size, and no fixing of bugs, no updates of the library code without recompiling.
Example in our case (existing fszero and nolibc) and fszero-static compiled with the command:
gcc -o fszero-static fszero.c -static -w -D_FORTIFY_SOURCE=0 -O2 -s
nolibc -> 8,4K
fszero -> 15K
fszero-static -> 801K
This was the recommended solution for "Hello, world!" without libc using assembler.