This manual describes the ANNOBIN plugin, and how you can use it to
determine what security features were used when building your binary.
- This manual is for 'annobin' (Annobin) version 5.1.
+ This manual is for 'annobin' (Annobin) version 5.9.
This document is distributed under the terms of the GNU Free
Documentation License version 1.3. A copy of the license is included in
[-not-hardened]
[-all]
[-file-type=AUTO|LIB|EXEC|OBJ]
- [-skip=OPT|STACK|FORT|NOW|RELRO|PIC|OPERATOR|CLASH|CF|CET]
+ [-skip=OPT|STACK|FORT|NOW|RELRO|PIC|OPERATOR|CLASH|CF|CET|REALIGN]
[-readelf=path]
[-tmpdir=dir]
[-]
Disables checks for stack clash protection.
'cf'
- Disables checks for control flow protections.
+ Disables checks for control flow protection. Note - these
+ checks are only run on x86_64 binaries.
'cet'
- Disables checks for control flow enforcement.
+ Disables checks for control flow enforcement. Note - these
+ checks are only run on x86_64 binaries.
+
+ 'realign'
+ Disable checks for stack realignment. Note - these checks are
+ only run on i686 binaries.
'--readelf=path'
'-r=path'
Node: Who Built Me\7f16136
Node: ABI Checking\7f18899
Node: Hardening Checks\7f21016
-Node: Checking Archives\7f24844
-Node: GNU FDL\7f27272
+Node: Checking Archives\7f25105
+Node: GNU FDL\7f27533
\1f
End Tag Table
@setchapternewpage odd
@c man begin INCLUDE
-@set VERSION 5.1
+@set VERSION 5.9
@set VERSION_PACKAGE (Annobin)
-@set UPDATED March 2018
+@set UPDATED May 2018
@c man end
@ifnottex
[@b{--not-hardened}]
[@b{--all}]
[@b{--file-type=}@var{auto|lib|exec|obj}]
- [@b{--skip=}@var{opt|stack|fort|now|relro|pic|operator|clash|cf|cet}]
+ [@b{--skip=}@var{opt|stack|fort|now|relro|pic|operator|clash|cf|cet|realign}]
[@b{--readelf=}@file{path}]
[@b{--tmpdir=}@file{dir}]
[@b{--}]
Disables checks for stack clash protection.
@item cf
-Disables checks for control flow protections.
+Disables checks for control flow protection.
+Note - these checks are only run on x86_64 binaries.
@item cet
Disables checks for control flow enforcement.
+Note - these checks are only run on x86_64 binaries.
+
+@item realign
+Disable checks for stack realignment.
+Note - these checks are only run on i686 binaries.
@end table
@item --readelf=@file{path}
.\" ========================================================================
.\"
.IX Title "HARDENED 1"
-.TH HARDENED 1 "2018-04-20" "annobin-1" "RPM Development Tools"
+.TH HARDENED 1 "2018-05-30" "annobin-1" "RPM Development Tools"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
[\fB\-\-not\-hardened\fR]
[\fB\-\-all\fR]
[\fB\-\-file\-type=\fR\fIauto|lib|exec|obj\fR]
- [\fB\-\-skip=\fR\fIopt|stack|fort|now|relro|pic|operator|clash|cf|cet\fR]
+ [\fB\-\-skip=\fR\fIopt|stack|fort|now|relro|pic|operator|clash|cf|cet|realign\fR]
[\fB\-\-readelf=\fR\fIpath\fR]
[\fB\-\-tmpdir=\fR\fIdir\fR]
[\fB\-\-\fR]
Disables checks for stack clash protection.
.IP "\fBcf\fR" 4
.IX Item "cf"
-Disables checks for control flow protections.
+Disables checks for control flow protection.
+Note \- these checks are only run on x86_64 binaries.
.IP "\fBcet\fR" 4
.IX Item "cet"
Disables checks for control flow enforcement.
+Note \- these checks are only run on x86_64 binaries.
+.IP "\fBrealign\fR" 4
+.IX Item "realign"
+Disable checks for stack realignment.
+Note \- these checks are only run on i686 binaries.
.RE
.RS 4
.RE
static unsigned verbose_level = 0;
static char * annobin_current_filename = NULL;
static char * annobin_current_endname = NULL;
-static unsigned char annobin_version = 5; /* NB. Keep in sync with version_string below. */
-static const char * version_string = N_("Version 5");
+static unsigned char annobin_version = 6; /* NB. Keep in sync with version_string below. */
+static const char * version_string = N_("Version 6");
static const char * help_string = N_("Supported options:\n\
disable Disable this plugin\n\
enable Enable this plugin\n\
#define GNU_PROPERTY_X86_ISA_1_AVX512DQ (1U << 16)
#define GNU_PROPERTY_X86_ISA_1_AVX512BW (1U << 17)
-static unsigned long global_x86_isa = 0;
-static unsigned long min_x86_isa = 0;
-static unsigned long max_x86_isa = 0;
+static unsigned long global_x86_isa = 0;
+static unsigned long min_x86_isa = 0;
+static unsigned long max_x86_isa = 0;
+static int global_stack_realign = 0;
#ifdef flag_cet
static int global_cet = -1;
"numeric: ABI", NULL, NULL, OPEN);
annobin_inform (1, "Record global isa of %lx", global_x86_isa);
+ {
+ global_stack_realign = ix86_force_align_arg_pointer;
+
+ char buffer [128];
+ unsigned len = sprintf (buffer, "GA%cstack_realign", global_stack_realign ? BOOL_T : BOOL_F);
+ annobin_output_static_note (buffer, len + 1, true, "bool: -mstackrealign status",
+ NULL, NULL, OPEN);
+ annobin_inform (1, "Record global stack realign setting of %s", global_stack_realign ? "false" : "true");
+ }
+
#ifdef flag_cet
global_cet = flag_cet;
global_set_switch = flag_cet_switch;
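Review bot: The annobin_inform message is inverted relative to the note it describes: a non-zero global_stack_realign is emitted with BOOL_T, yet the log reports it as "false", so anyone debugging with -fplugin-arg-annobin-verbose output sees the opposite of what was recorded; swap the strings, `annobin_inform (1, "Record global stack realign setting of %s", global_stack_realign ? "true" : "false");`. The function-specific hunk below (the block starting `if (ix86_force_align_arg_pointer != global_stack_realign)`) has the same inversion in its "Record function specific stack realign setting" message. Both places use `sprintf` into a fixed 128-byte buffer with a constant format, which is safe as written, but `snprintf (buffer, sizeof buffer, ...)` would keep that true if the format is ever extended, and `len` is assigned from an int return without a check. The enclosing function starts outside the hunk.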
max_x86_isa = ix86_isa_flags;
}
+ if (ix86_force_align_arg_pointer != global_stack_realign)
+ {
+ char buffer [128];
+ unsigned len = sprintf (buffer, "GA%cstack_realign", ix86_force_align_arg_pointer ? BOOL_T : BOOL_F);
+ annobin_output_static_note (buffer, len + 1, true, "bool: -mstackrealign status",
+ aname, aname_end, FUNC);
+ annobin_inform (1, "Record function specific stack realign setting of %s for %s",
+ ix86_force_align_arg_pointer ? "false" : "true", aname);
+ }
+
#ifdef flag_cet
if (global_cet != flag_cet)
fprintf (stderr, "1\n");
# * Allow arguments to command line options to be separated from the
# the option name by a space. Eg: --readelf foobar
-version=3.1
+version=3.2
help ()
{
-D_GLIBCXX_ASSERTIONS
-fstack-clash-protection
+
+Plus for x86 binaries:
+ -mstackrealign
+
+Plus for x86_64 binaries:
-fcf-protection=full
-mcet
-k=clash --skip=clash Skip check for stack clash protection.
-k=cf --skip=cf Skip check for control flow protection.
-k=cet --skip-cet Skip check for control flow enforcement technology.
- [These options stack]
+ -k=realign --skip-realign Skip check for stack realignment.
+ [These options accumulate]
-i --ignore-unknown Silently skip any file that is not an ELF binary.
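Review bot: The new help line documents the long form as `--skip-realign`, but the option parser and the synopsis on the same page accept `--skip=realign` (the value is handled by the `realign)` case under the skip argument), so a user copying the help text gets "unknown argument"; change it to `-k=realign --skip=realign Skip check for stack realignment.`. The existing `--skip-cet` line above has the same mismatch and predates this change. The help function continues outside the hunk.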
skip_clash=0
skip_cf=0
skip_cet=0
+ skip_realign=0
ignore_unknown=0
scanner=readelf
cet)
skip_cet=1;
;;
+ realign)
+ skip_realign=1;
+ ;;
*)
report "unknown argument to $optname: $sk"
;;
scan_file ()
{
local file
+ local is_x86_64
+ local is_i686
# Paranoia checks - the user should never encounter these.
if test "x$1" = "x" ;
return
fi
- file $file | grep --silent -e ELF
+ file $file > $tmpfile
+
+ grep --silent -e ELF $tmpfile
if [ $? != 0 ];
then
if [ $ignore_unknown -eq 0 ];
return
fi
+ grep --silent -e x86-64 $tmpfile
+ if [ $? != 0 ];
+ then
+ is_x86_64=0;
+ else
+ is_x86_64=1;
+ fi
+
+ grep --silent -e 80386 $tmpfile
+ if [ $? != 0 ];
+ then
+ is_i686=0;
+ else
+ is_i686=1;
+ fi
+
$scanner --wide --notes --debug-dump=info --dynamic --segments $file > $tmpfile 2>&1
if [ $? != 0 ];
then
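Review bot: The architecture detection greps `$tmpfile` for `x86-64` and `80386`, but `file $file` prefixes its output with the path, so a binary whose name or directory contains either string is classified by its name rather than its ELF header and the x86-specific hardening checks are run or skipped on the wrong basis; use `file -b $file > $tmpfile` so only the description is matched (the ELF grep is unaffected). The unquoted `$file` in the same line also breaks on paths containing spaces; `"$file"` is the usual fix, though that pattern predates this change. scan_file continues outside the hunk.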
check_stack_clash
fi
- if [ $skip_cf -eq 0 ];
+ if [ $is_i686 -ne 0 ];
then
- check_control_flow_protection
+ if [ $skip_realign -eq 0 ];
+ then
+ check_stack_realign
+ fi
fi
- # FIXME: This check should only be applied to x86_64 binaries...
- if [ $skip_cet -eq 0 ];
+ if [ $is_x86_64 -ne 0 ];
then
- check_control_flow_enforcement_technology
+ if [ $skip_cf -eq 0 ];
+ then
+ check_control_flow_protection
+ fi
+
+ if [ $skip_cet -eq 0 ];
+ then
+ check_control_flow_enforcement_technology
+ fi
fi
# If we found a vulnerable file then consider the check to have failed.
check_for_bind_now ()
{
# Look for the DT_BIND_NOW dynamic tag
- eval hard='($(grep -e BIND_NOW $tmpfile))'
+ eval hard='($(grep -e NOW $tmpfile))'
verbose "BIND_NOW tags: ${hard[*]}"
fi
}
+check_stack_realign ()
+{
+ # Turn:
+ # GA+stack_realign:true 0x00000000 OPEN Applies to region from 0 to 0x3a
+ # into:
+ # true
+ eval 'hard=($(grep -e "stack_realign" $tmpfile | cut -f 2 -d ":" | cut -f 1 -d " " | sort -u))'
+
+ verbose "Stack Realign Info: ${hard[*]}"
+
+ if [ ${#hard[*]} -lt 1 ];
+ then
+ maybe "does not record stack realignment setting"
+ else
+ if [ ${#hard[*]} -gt 1 ];
+ then
+ fail "some parts built without stack realignment enabled"
+ else
+ if [ "x${hard[0]}" == "xtrue" ];
+ then
+ pass "compiled with stack realignment enabled"
+ else
+ fail "compiled with stack realignment disabled"
+ fi
+ fi
+ fi
+}
+
# Invoke main
main ${1+"$@"}
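Review bot: Widening the pattern in check_for_bind_now from `BIND_NOW` to `NOW` matches far more than the dynamic tags, because `$tmpfile` also holds the --notes and --debug-dump=info output, where any name containing `NOW` (for example `UNKNOWN`) would be counted as a BIND_NOW tag and turn a missing-hardening result into a pass. Anchoring the pattern to the dynamic-section lines keeps the intended FLAGS_1 match without the false positives, e.g. `eval hard='($(grep -e BIND_NOW -e "FLAGS.*NOW" $tmpfile))'` (assuming readelf prints the DT_FLAGS_1 entry with a FLAGS_1 tag name, as it does for the other tags). The new check_stack_realign follows the same grep/cut/sort parsing as the other checks and reads correctly for the `GA+stack_realign:true` form shown in its comment. check_for_bind_now's body is only partly visible in this hunk.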