7.3 The hardened script

hardened
  [--help]
  [--version]
  [--verbose]
  [--quiet]
  [--ignore-unknown]
  [--silent]
  [--vulnerable]
  [--not-hardened]
  [--all]
  [--file-type=auto|lib|exec|obj]
  [--skip=opt|stack|fort|now|relro|pic|operator|clash|cf|cet|realign]
  [--readelf=path]
  [--tmpdir=dir]
  [--]
  file...

The hardened script reports on the hardening status of the specified file(s). In particular, it checks that the whole file was compiled with -O2 or higher and the -fstack-protector-strong, -D_FORTIFY_SOURCE=2, -Wl,-z,now, -Wl,-z,relro, -fPIE, -Wp,-D_GLIBCXX_ASSERTIONS, -fstack-clash-protection, -fcf-protection=full and -mcet options.

The script accepts the following command line options:

--help
-h

Displays the usage of the script and then exits.

--version
-v

Displays the version of the script.

--verbose
-V

Enables verbose mode, causing the script to detail each action it takes.

--quiet
-q

Do not include the name of the script in the output generated by the script.

--ignore-unknown
-i

Do not report file types that are not supported or recognised.

--tmpdir=dir
-t dir

Directory to use to store temporary files.

--silent
-s

Produce no output. Just return an exit status.

--vulnerable
-u

Only report files that are known to be vulnerable, i.e. files that record all of the necessary information about how they were built, but which were built with an incorrect set of options.

This option is the default behaviour of the script.

--not-hardened
-n

Report any file that cannot be proven to be hardened. This is like the --vulnerable option, except that it will also report files that do not record all of the necessary information.

--all
-a

Report the hardening status of all of the files examined.

--file-type=auto|lib|exec|obj
-f=auto|lib|exec|obj

Specifies the type of file being examined. Possible values are:

auto

Automatically determine the file type from its extension. This is the default.

lib

Assume all files are shared libraries. Checks that the -fPIC option was used.

exec

Assume all files are executables. Checks that the -fPIE option was used.

obj

Assume all files are object files. Skips checks of the bind now status.

--skip=opt|stack|fort|now|relro|pic|operator|clash|cf|cet|realign
-k=opt|stack|fort|now|relro|pic|operator|clash|cf|cet|realign

Disables checks of various different hardening features. This option can be repeated multiple times, and the values accumulate. Possible values are:

opt

Disables checks of the optimization level used.

stack

Disables checks of the stack protection level.

fort

Disables checks for -D_FORTIFY_SOURCE.

now

Disables checks for ‘BIND NOW’ status.

relro

Disables checks for ‘relro’ or read-only-relocs.

pic

Disables checks for -fPIC/-fPIE.

operator

Disables checks for ‘-D_GLIBCXX_ASSERTIONS’.

clash

Disables checks for stack clash protection.

cf

Disables checks for control flow protection. Note - these checks are only run on x86_64 binaries.

cet

Disables checks for control flow enforcement. Note - these checks are only run on x86_64 binaries.

realign

Disables checks for stack realignment. Note - these checks are only run on i686 binaries.

--readelf=path
-r=path

Use the specified program to read the notes from the files.

--

Stop accumulating command line options. This allows the script to be run on files whose names start with a dash.
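As an added illustration of the three reporting modes (--vulnerable, --not-hardened, --all) and of how --file-type and --skip narrow the set of checks, the following Python model encodes the rules described above. It is not the hardened script's own code: the check names follow the --skip values, and the extension-to-type mapping used for the auto file type is an assumption, since the page does not state one.

```python
# Constructed model of the reporting rules described on this page; it is not
# the annobin project's code. A record maps a check name to True (correct
# option recorded), False (wrong option recorded) or absent (nothing recorded).
CHECKS = ("opt", "stack", "fort", "now", "relro", "pic", "operator",
          "clash", "cf", "cet", "realign")

def guess_type(name):
    # --file-type=auto; the extension mapping is an assumption (.so/.o/other).
    if name.endswith(".so") or ".so." in name:
        return "lib"
    return "obj" if name.endswith(".o") else "exec"

def applicable_checks(file_type, arch="x86_64", skip=()):
    """Checks left after --skip (values accumulate) and the type/arch rules."""
    checks = set(CHECKS) - set(skip)
    if file_type == "obj":
        checks.discard("now")         # obj: bind-now status is not checked
    if arch != "x86_64":
        checks -= {"cf", "cet"}       # cf/cet are only checked on x86_64
    if arch != "i686":
        checks.discard("realign")     # realign is only checked on i686
    return checks

def classify(record, checks):
    """vulnerable: all applicable checks recorded, at least one wrong;
    unknown: some check not recorded (cannot be proven); else hardened."""
    states = [record.get(c) for c in checks]
    if any(s is None for s in states):
        return "unknown"
    return "vulnerable" if any(s is False for s in states) else "hardened"

def report(files, mode="vulnerable", skip=(), file_type="auto", arch="x86_64"):
    """{name: status} for the files reported in --vulnerable (default),
    --not-hardened (adds unknown) or --all (adds hardened) mode."""
    out = {}
    for name, record in files.items():
        ftype = guess_type(name) if file_type == "auto" else file_type
        status = classify(record, applicable_checks(ftype, arch, skip))
        if (mode == "all" or status == "vulnerable"
                or (mode == "not-hardened" and status == "unknown")):
            out[name] = status
    return out

# Constructed sample: hardened library, executable without -z now, object
# file with no record of -D_FORTIFY_SOURCE.
SAMPLE = {
    "libgood.so": {c: True for c in CHECKS},
    "app": {**{c: True for c in CHECKS}, "now": False},
    "old.o": {c: True for c in CHECKS if c not in ("fort", "now")},
}
```

Running report(SAMPLE) reports only "app", report(SAMPLE, "not-hardened") adds "old.o" as unknown, and skipping both now and fort makes every sample file pass.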