seg.phdr = gelf_getphdr (elf, cnt, & mem);
seg.number = cnt;
- einfo (VERBOSE2, "%s: considering segment %lu", filename, cnt);
+ einfo (VERBOSE2, "%s: considering segment %lu", filename, (unsigned long) cnt);
for (checker = first_seg_checker; checker != NULL; checker = ((checker_internal *)(checker->internal))->next_seg)
{
ret &= checker->check_seg (& data, & seg);
}
else
- einfo (VERBOSE2, "is not interested in segment %lu", cnt);
+ einfo (VERBOSE2, "is not interested in segment %lu", (unsigned long) cnt);
pop_component ();
}
Dwarf_Line * line;
size_t indx = 1;
- einfo (VERBOSE2, "Scanning %ld lines in the DWARF line table", nlines);
+ einfo (VERBOSE2, "Scanning %ld lines in the DWARF line table", (unsigned long) nlines);
while ((line = dwarf_onesrcline (lines, indx)) != NULL)
{
Dwarf_Addr addr;
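Review bot: The cast added at L17 does not match the conversion specifier: `%ld` expects a `long`, but the argument is now `(unsigned long) nlines`, so the format/argument mismatch the cast was meant to remove is still present and -Wformat will keep warning. The other two einfo calls in this commit use `%lu` with an `(unsigned long)` cast; this one should do the same, `einfo (VERBOSE2, "Scanning %lu lines in the DWARF line table", (unsigned long) nlines);`, or alternatively cast to `(long)` and keep `%ld`. The enclosing function starts and ends outside the hunk.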
/* Set by the constructor. */
static bool disabled = false;
+static bool ignore_gaps = false;
+
/* These are initialised on a per-input-file basis by start(). */
static bool i686_found;
static bool x86_found;
fake_note.start = note_data->prev_end + 1;
fake_note.end = start;
-
- /* Note - we ignore gaps at the start and end of the file. These are
- going to be from the crt code which does not need to be chacked. */
- einfo (VERBOSE, "%s: GAP: (%s) in annobin notes",
- data->filename, get_component_name (data, sec, & fake_note, true, prefer_func_name));
- gap_detected = true;
+
+ if (! ignore_gaps)
+ {
+ /* Note - we ignore gaps at the start and end of the file. These are
+ going to be from the crt code which does not need to be chacked. */
+ einfo (VERBOSE, "%s: GAP: (%s ?) in annobin notes",
+ data->filename, get_component_name (data, sec, & fake_note, true, prefer_func_name));
+ gap_detected = true;
+ }
}
note_data->prev_end = end;
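Review bot: When `ignore_gaps` is set, the gap at L37-L44 is dropped without any trace: `gap_detected` stays false and nothing is logged, so a run with `--ignore-gaps` is indistinguishable from a run that found no gaps, even though the gap check feeds the hardening verdict. The suppression should at least be observable at a verbose level, e.g. an `else einfo (VERBOSE2, "%s: gap in annobin notes ignored", data->filename);` branch. The comment carried over at L39-L40 still reads "chacked" and talks about ignoring gaps at the start and end of the file, which this hunk does not show being filtered; it could be reworded so it is not mistaken for a description of the new flag. The enclosing function starts and ends outside the hunk.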
einfo (INFO, " Add a machine readable output mode");
einfo (INFO, "This tool is enabled by default. This can be changed by:");
einfo (INFO, " --disable-hardened Disables the hardening checker");
- einfo (INFO, " --enable-hardened Reenables the hardening checker");
+ einfo (INFO, " --enable-hardened Reenables the hardening checker");
+ einfo (INFO, "The following option can be used to disable some checks:");
+ einfo (INFO, " --ignore-gaps Ignores gaps in the annobin data");
}
static bool
return true;
}
+ if (streq (arg, "--ignore-gaps"))
+ {
+ ignore_gaps = true;
+ return true;
+ }
+
return false;
}
powerpc*-*-*)
target_plugin="powerpc.annobin.lo"
;;
- x86_64-*-*)
+ *86-*-* | x86_64-*-*)
target_plugin="x86_64.annobin.lo"
;;
*)
powerpc*-*-*)
target_plugin="powerpc.annobin.lo"
;;
- x86_64-*-*)
+ *86-*-* | x86_64-*-*)
target_plugin="x86_64.annobin.lo"
;;
*)
.PP
The range information is useful because it allows third parties to
examine the binary and find out if its construction was consistent.
-Ie that there are no gaps in the recorded information, and no special
+\&\s-1IE\s0 that there are no gaps in the recorded information, and no special
cases where a required feature was not active.
.PP
The system works by adding a special section to the application
* Introduction:: What is Binary Annotation ?
* Invocation:: How to add Binary Annotations to your application.
* Examining:: How to examine the information stored in the binary.
-* Annocheck:: Analyzing your applications's compilation.
+* Annocheck:: Analysing your application's compilation.
* Legacy Scripts:: Other ways to use the information stored in the binary.
* GNU FDL:: GNU Free Documentation License
was compiled with '-O0' instead.
The range information is useful because it allows third parties to
-examine the binary and find out if its construction was consistent. Ie
+examine the binary and find out if its construction was consistent. IE
that there are no gaps in the recorded information, and no special cases
where a required feature was not active.
* The PIC Encoding:: Encoding Position Independence
* The GOW Encoding:: Encoding Optimization and Debugging Levels
* The CF Encoding:: Encoding Control Flow Protection
-* The CET Encoding:: Encoding Control Flow Enforcement Technology
* The ENUM Encoding:: Encoding the Size of Enumerations
\1f
they can be used in future extensions to the specification.
\1f
-File: annobin.info, Node: The CF Encoding, Next: The CET Encoding, Prev: The GOW Encoding, Up: Examining
+File: annobin.info, Node: The CF Encoding, Next: The ENUM Encoding, Prev: The GOW Encoding, Up: Examining
3.5 Encoding Control Flow Protection
====================================
stored is biased by 1.
\1f
-File: annobin.info, Node: The CET Encoding, Next: The ENUM Encoding, Prev: The CF Encoding, Up: Examining
+File: annobin.info, Node: The ENUM Encoding, Prev: The CF Encoding, Up: Examining
-3.6 Encoding Control Flow Enforcement Technology
-================================================
-
-Records the setting of the Control Flow Enforcement Technology options.
-(These are specific to the x86_64 port of gcc). The value is a sequence
-of bytes that indicate various different flags:
-
-'byte 0'
- The setting of the '-mcet' option. This is either 1 (not set) or 2
- (set).
-
-'byte 1'
- The setting of the '-mcet-switch' option. This is either 1 (not
- set) or 2 (set).
-
-'byte 2'
- The setting of the '-mibt' option. This is either 1 (not set) or 2
- (set).
-
-'byte 3'
- The setting of the '-mshstk' option. This is either 1 (not set) or
- 2 (set).
-
-\1f
-File: annobin.info, Node: The ENUM Encoding, Prev: The CET Encoding, Up: Examining
-
-3.7 Encoding the Size of Enumerations
+3.6 Encoding the Size of Enumerations
=====================================
Record the value of the '-fshort-enums' option. Possible values are:
\1f
File: annobin.info, Node: Annocheck, Next: Legacy Scripts, Prev: Examining, Up: Top
-4 Analyzing an application's compilation.
+4 Analysing an application's compilation.
*****************************************
annocheck
[-prefix=TEXT]
FILE...
- The 'annocheck' program can analyze programs and report information
+ The 'annocheck' program can analyse programs and report information
about them. It is designed to be modular, with a set of self-contained
tools providing the checking functionality. Currently the following
tools are implemented:
information.
'--version'
- Report the verion of the tool and then exit.
+ Report the version of the tool and then exit.
\1f
File: annobin.info, Node: Hardened, Next: Built-By, Up: Annocheck
execute permission bits set.
'No text relocations'
- The should be no relocations agains executable code.
+ The should be no relocations against executable code.
'Correct runpaths'
The runpath information used to locate shared libraries at runtime
'--disable-hardened'
Disable the tool.
+'--ignore-gaps'
+ Ignore gaps in the annobin data.
+
\1f
File: annobin.info, Node: Built-By, Prev: Hardened, Up: Annocheck
results will be returned.
'--tool=NAME'
- This option can be used to restict the output to only those files
+ This option can be used to restrict the output to only those files
which were built by a specific tool. This can be useful when
scanning a directory full of files searching for those built by a
particular compiler.
'--nottool=NAME'
- This option can be used to restict the output to only those files
+ This option can be used to restrict the output to only those files
which were not built by a specific tool. This can be useful when
scanning a directory full of files searching for those that were
not built by a particular compiler.
the binary information can be used.
_NOTE_: These scripts are now redundant, their functionality having
-been sussumed into the 'annocheck' program. However they are still
+been subsumed into the 'annocheck' program. However they are still
useful as examples of how the annobin data can be consumed, so they are
still included in the annobin sources.
\1f
Tag Table:
Node: Top\7f698
-Node: Introduction\7f1675
-Node: Invocation\7f3758
-Node: Examining\7f7994
-Node: The Version Encoding\7f10467
-Node: The STACK Encoding\7f10858
-Node: The PIC Encoding\7f11456
-Node: The GOW Encoding\7f12084
-Node: The CF Encoding\7f13532
-Node: The CET Encoding\7f14603
-Node: The ENUM Encoding\7f15398
-Node: Annocheck\7f15756
-Node: Hardened\7f17413
-Node: Built-By\7f19554
-Node: Legacy Scripts\7f20804
-Node: Who Built Me\7f21571
-Node: ABI Checking\7f24331
-Node: Hardening Checks\7f26445
-Node: Checking Archives\7f30531
-Node: GNU FDL\7f32953
+Node: Introduction\7f1674
+Node: Invocation\7f3757
+Node: Examining\7f7993
+Node: The Version Encoding\7f10395
+Node: The STACK Encoding\7f10786
+Node: The PIC Encoding\7f11384
+Node: The GOW Encoding\7f12012
+Node: The CF Encoding\7f13460
+Node: The ENUM Encoding\7f14532
+Node: Annocheck\7f14889
+Node: Hardened\7f16547
+Node: Built-By\7f18744
+Node: Legacy Scripts\7f19996
+Node: Who Built Me\7f20763
+Node: ABI Checking\7f23523
+Node: Hardening Checks\7f25637
+Node: Checking Archives\7f29723
+Node: GNU FDL\7f32145
\1f
End Tag Table
* Introduction:: What is Binary Annotation ?
* Invocation:: How to add Binary Annotations to your application.
* Examining:: How to examine the information stored in the binary.
-* Annocheck:: Analyzing your applications's compilation.
+* Annocheck:: Analysing your application's compilation.
* Legacy Scripts:: Other ways to use the information stored in the binary.
* GNU FDL:: GNU Free Documentation License
@end menu
The range information is useful because it allows third parties to
examine the binary and find out if its construction was consistent.
-Ie that there are no gaps in the recorded information, and no special
+IE that there are no gaps in the recorded information, and no special
cases where a required feature was not active.
The system works by adding a special section to the application
* The PIC Encoding:: Encoding Position Independence
* The GOW Encoding:: Encoding Optimization and Debugging Levels
* The CF Encoding:: Encoding Control Flow Protection
-* The CET Encoding:: Encoding Control Flow Enforcement Technology
* The ENUM Encoding:: Encoding the Size of Enumerations
@end menu
be confused with a NUL-byte to indicate the end of a string), the
value stored is biased by 1.
-@c -----------------------------------------------------------------
-@node The CET Encoding
-@section Encoding Control Flow Enforcement Technology
-Records the setting of the Control Flow Enforcement Technology
-options. (These are specific to the x86_64 port of gcc). The value
-is a sequence of bytes that indicate various different flags:
-
-@table @code
-@item byte 0
-The setting of the @option{-mcet} option. This is either 1 (not set)
-or 2 (set).
-
-@item byte 1
-The setting of the @option{-mcet-switch} option. This is either 1
-(not set) or 2 (set).
-
-@item byte 2
-The setting of the @option{-mibt} option. This is either 1 (not set)
-or 2 (set).
-
-@item byte 3
-The setting of the @option{-mshstk} option. This is either 1 (not
-set) or 2 (set).
-@end table
-
@c -----------------------------------------------------------------
@node The ENUM Encoding
@section Encoding the Size of Enumerations
@c -----------------------------------------------------------------
@node Annocheck
-@chapter Analyzing an application's compilation.
+@chapter Analysing an application's compilation.
-@c man title annocheck Analyzing an application's compilation.
+@c man title annocheck Analysing an application's compilation.
@smallexample
@c man begin SYNOPSIS annocheck
@c man begin DESCRIPTION annocheck
-The @command{annocheck} program can analyze programs and report
+The @command{annocheck} program can analyse programs and report
information about them. It is designed to be modular, with a set of
self-contained tools providing the checking functionality.
Currently the following tools are implemented:
information.
@item --version
-Report the verion of the tool and then exit.
+Report the version of the tool and then exit.
@end table
execute permission bits set.
@item No text relocations
-The should be no relocations agains executable code.
+The should be no relocations against executable code.
@item Correct runpaths
The runpath information used to locate shared libraries at runtime
@item --disable-hardened
Disable the tool.
+
+@item --ignore-gaps
+Ignore gaps in the annobin data.
@end table
@c man end
be returned.
@item --tool=@var{name}
-This option can be used to restict the output to only those files
+This option can be used to restrict the output to only those files
which were built by a specific tool. This can be useful when scanning
a directory full of files searching for those built by a particular
compiler.
@item --nottool=@var{NAME}
-This option can be used to restict the output to only those files
+This option can be used to restrict the output to only those files
which were not built by a specific tool. This can be useful when
scanning a directory full of files searching for those that were not
built by a particular compiler.
demonstrate how the binary information can be used.
@emph{NOTE}: These scripts are now redundant, their functionality
-having been sussumed into the @command{annocheck} program. However
+having been subsumed into the @command{annocheck} program. However
they are still useful as examples of how the annobin data can be
consumed, so they are still included in the annobin sources.
.if n .ad l
.nh
.SH "NAME"
-annocheck \- Analyzing an application's compilation.
+annocheck \- Analysing an application's compilation.
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
annocheck
\fIfile\fR...
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
-The \fBannocheck\fR program can analyze programs and report
+The \fBannocheck\fR program can analyse programs and report
information about them. It is designed to be modular, with a set of
self-contained tools providing the checking functionality.
Currently the following tools are implemented:
.ie n .IP """\-\-version""" 4
.el .IP "\f(CW\-\-version\fR" 4
.IX Item "--version"
-Report the verion of the tool and then exit.
+Report the version of the tool and then exit.
.PP
This tool checks that the specified files were compiled with the
required security hardening options, as outlined in the elf-policy
.ie n .IP """No text relocations""" 4
.el .IP "\f(CWNo text relocations\fR" 4
.IX Item "No text relocations"
-The should be no relocations agains executable code.
+The should be no relocations against executable code.
.ie n .IP """Correct runpaths""" 4
.el .IP "\f(CWCorrect runpaths\fR" 4
.IX Item "Correct runpaths"
.el .IP "\f(CW\-\-disable\-hardened\fR" 4
.IX Item "--disable-hardened"
Disable the tool.
+.ie n .IP """\-\-ignore\-gaps""" 4
+.el .IP "\f(CW\-\-ignore\-gaps\fR" 4
+.IX Item "--ignore-gaps"
+Ignore gaps in the annobin data.
.PP
The \fIbuilt-by\fR tool is disabled by default, but it can be enabled
by the command line option \fB\-\-enable\-builtby\fR. The tool
.ie n .IP """\-\-tool=\fIname\fP""" 4
.el .IP "\f(CW\-\-tool=\f(CIname\f(CW\fR" 4
.IX Item "--tool=name"
-This option can be used to restict the output to only those files
+This option can be used to restrict the output to only those files
which were built by a specific tool. This can be useful when scanning
a directory full of files searching for those built by a particular
compiler.
.ie n .IP """\-\-nottool=\fINAME\fP""" 4
.el .IP "\f(CW\-\-nottool=\f(CINAME\f(CW\fR" 4
.IX Item "--nottool=NAME"
-This option can be used to restict the output to only those files
+This option can be used to restrict the output to only those files
which were not built by a specific tool. This can be useful when
scanning a directory full of files searching for those that were not
built by a particular compiler.
PLUGIN=../plugin/.libs/annobin.so
-OPTS="-c -O2 -D_FORTIFY_SOURCE=2 -fpie -Wall -fstack-protector-strong -D_GLIBCXX_ASSERTIONS -fstack-clash-protection -fcf-protection"
+OPTS="-c -O2 -D_FORTIFY_SOURCE=2 -fpie -Wall -fstack-protector-strong -D_GLIBCXX_ASSERTIONS -fstack-clash-protection"
+EXTRA_OPTS="-fcf-protection -mstackrealign"
-$GCC -fplugin=$PLUGIN -g $OPTS $srcdir/hello_hard.c
+$GCC -fplugin=$PLUGIN -g $OPTS $EXTRA_OPTS $srcdir/hello_hard.c
if [ $? != 0 ];
then
echo "Compiler might not support -fcf-protection, retrying without it"
- OPTS="-c -O2 -D_FORTIFY_SOURCE=2 -fpie -Wall -fstack-protector-strong -D_GLIBCXX_ASSERTIONS -fstack-clash-protection"
- $GCC -fplugin=$PLUGIN -g $OPTS $srcdir/hello_hard.c
+ EXTRA_OPTS="-mstackrealign"
+ $GCC -fplugin=$PLUGIN -g $OPTS $EXTRA_OPTS $srcdir/hello_hard.c
if [ $? != 0 ];
then
- exit 0
+ echo "Compiler might not support -mstackrealign, retrying without it"
+ EXTRA_OPTS="-fcf-protection"
+ $GCC -fplugin=$PLUGIN -g $OPTS $EXTRA_OPTS $srcdir/hello_hard.c
+ if [ $? != 0 ];
+ then
+ echo "Compiler might not support either -fcf-protection or -mstackrealign, retrying without both"
+ EXTRA_OPTS=""
+ $GCC -fplugin=$PLUGIN -g $OPTS $EXTRA_OPTS $srcdir/hello_hard.c
+ if [ $? != 0 ];
+ then
+ echo "Failed :-("
+ exit 1
+ fi
+ fi
fi
fi
-$GCC -fplugin=$PLUGIN -O3 $OPTS $srcdir/hello2.c
+$GCC -fplugin=$PLUGIN -O3 $OPTS $EXTRA_OPTS $srcdir/hello2.c
-$GCC -fplugin=$PLUGIN -g3 $OPTS $srcdir/hello3.c
+$GCC -fplugin=$PLUGIN -g3 $OPTS $EXTRA_OPTS $srcdir/hello3.c
-$GCC -fplugin=$PLUGIN $OPTS -shared $srcdir/hello_lib.c -o libhello.so
+$GCC -fplugin=$PLUGIN $OPTS $EXTRA_OPTS -shared $srcdir/hello_lib.c -o libhello.so
-$GCC -fplugin=$PLUGIN -nostartfiles -e 0 \
+# Link without system files as these may not have been hardened.
+$GCC -fplugin=$PLUGIN \
+ -nostartfiles -nostdlib -Wl,-e,0 \
+ -Wl,--defsym=__stack_chk_fail=0 \
+ -Wl,--defsym=__stack_chk_fail_local=0 \
+ -Wl,--defsym=__stack_chk_guard=0 \
+ -Wl,--defsym=__printf_chk=0 \
-L . -pie \
-Wl,-z,now,-z,relro \
hello_hard.o hello2.o hello3.o -lhello -o hardening-test.exe
# $OBJCOPY --merge-notes hardening-test.exe hardening-test-merged.exe
-# The --skip=... options are here to skip the checks that require a version
-# 2.30 (or later) readelf, and which were generated by a plugin attached to
-# a version 8 (or later) gcc. Since neither of these versions of the tools
-# are in common use (yet) the checks are disabled.
-# The other hardening properties can be deduced by the hardened script
-# without needing the notes produced by annobin, so that is why the test is
-# allowed to proceed.
-# FIXME: Remove the --skip= options once readelf and gcc have been updated.
-#
-# The --skip-pic and --skip-stack options are here because /usr/lib64/libc_nonshared.a(elf-init.oS)
-# is built with -fPIC and -fno-stack-protection. /usr/lib64/Scrti.o is built
-# with -fpie which makes the pic test impossible.
-
-# $srcdir/../scripts/hardened --readelf=$READELF \
-# --skip=fort -k=operator --skip=clash --skip=cf -k=cet \
-# --skip=pic --skip=stack --skip=realign \
-# hardening-test.exe
+# The s390 and PPC targets always create some gaps. Have not found out why...
-../annocheck/annocheck hardening-test.exe
+../annocheck/annocheck -v --ignore-gaps hardening-test.exe
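Review bot: `--ignore-gaps` is now passed on every run, so the test stops exercising gap detection on all targets rather than only the s390 and PPC ones named in the comment at L468; a regression in the gap logic, including the new flag itself, would no longer be caught. Consider adding the option only when the build target is one of those two and keeping the strict invocation otherwise, or adding a second invocation without the flag whose failure is tolerated only on those targets. The added `-v` also changes the amount of output; if that is intentional for diagnosing the unexplained gaps, saying so in the comment would help the next reader.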