Problem: Badly formed or missing GNU property notes can compromise an application at runtime
Fix By: Investigate and fix the creation of the notes
Waive If: Using old tools that do not generate the notes
Example: FAIL: property-note test because there is more than one GNU Property note
Example: FAIL: property-note test because the property note does not have expected name
Example: FAIL: property-note test because the property note data has the wrong size
Example: FAIL: property-note test because the note section is present but empty
Example: FAIL: property-note test because the property note data has an invalid size
Example: FAIL: property-note test because the IBT property is not enabled
Example: FAIL: property-note test because the SHSTK property is not enabled
Example: FAIL: property-note test because unexpected property note type
Example: FAIL: property-note test because the BTI property is not enabled
Example: FAIL: property-note test because the GNU Property note segment not 8 byte aligned
Example: FAIL: property-note test because there is more than one GNU Property note in the note segment
Example: FAIL: property-note test because .note.gnu.property section not found (it is needed for branch protection support
Example: FAIL: property-note test because no .note.gnu.property section = no control flow information
Example: FAIL: property-note test because control flow protection is not enabled

GNU property notes are special markers in binary files that provide information about the program to the runtime loader. This information is architecture specific and it often includes details about any security features that were enabled when the program was compiled.
This test checks that the property note is present, if needed for the particular architecture, and that it is properly formatted.
Problems with property notes are usually related to other security options being missing, or the use of assembler source files which do not contain their own instructions for creating property notes.
If necessary the test can be disabled via the --skip-property-note option and re-enabled via the --test-property-note option.
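
The sketch below is an added example, not annocheck's own code: it walks the raw bytes of a .note.gnu.property section and reports the kinds of problems listed in the FAIL examples above. It assumes a 64-bit little-endian ELF layout; the function names and the constructed sample note are hypothetical, and the returned strings are modelled on the messages on this page.

```python
import struct

NT_GNU_PROPERTY_TYPE_0 = 5
# (property type, required feature bits) per architecture, from the GNU property ABI
REQUIRED = {
    "x86_64": (0xC0000002, {"IBT": 0x1, "SHSTK": 0x2}),   # GNU_PROPERTY_X86_FEATURE_1_AND
    "aarch64": (0xC0000000, {"BTI": 0x1}),                # GNU_PROPERTY_AARCH64_FEATURE_1_AND
}

def check_property_note(sec, machine="x86_64"):
    """Return problems found in raw .note.gnu.property bytes (64-bit, little-endian)."""
    if not sec:
        return ["the note section is present but empty"]
    if len(sec) < 12:
        return ["the note header is truncated"]
    namesz, descsz, ntype = struct.unpack_from("<III", sec, 0)
    problems = []
    if ntype != NT_GNU_PROPERTY_TYPE_0:
        problems.append("unexpected property note type")
    if sec[12:12 + namesz] != b"GNU\0":
        problems.append("the property note does not have expected name")
    start = 12 + ((namesz + 3) & ~3)          # name is padded to 4 bytes
    if descsz % 8 or start + descsz > len(sec):
        return problems + ["the property note data has an invalid size"]
    if start + descsz < len(sec):
        problems.append("there is more than one GNU Property note")
    desc, off, features = sec[start:start + descsz], 0, None
    want_type, want_bits = REQUIRED[machine]
    while off + 8 <= len(desc):               # walk the (pr_type, pr_datasz, data) array
        pr_type, pr_datasz = struct.unpack_from("<II", desc, off)
        if off + 8 + pr_datasz > len(desc):
            return problems + ["the property note data has an invalid size"]
        if pr_type == want_type:
            if pr_datasz != 4:
                return problems + ["the property note data has the wrong size"]
            features = struct.unpack_from("<I", desc, off + 8)[0]
        off += 8 + ((pr_datasz + 7) & ~7)     # each property is padded to 8 bytes
    if features is None:
        return problems + ["control flow protection is not enabled"]
    return problems + [f"the {n} property is not enabled"
                       for n, bit in want_bits.items() if not features & bit]

def make_note(pr_type, flags):
    """Constructed sample: one note holding one 4-byte feature property."""
    desc = struct.pack("<III4x", pr_type, 4, flags)
    return struct.pack("<III", 4, len(desc), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + desc

if __name__ == "__main__":
    print(check_property_note(make_note(0xC0000002, 0x1)))
```

The section bytes of a real binary can be extracted with `objcopy -O binary --only-section=.note.gnu.property` and passed to `check_property_note`.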