LLNL / Surfactant

Modular framework for file information extraction and dependency analysis to generate accurate SBOMs
MIT License

Use LIEF for PE signature verification #35

Open slyles1001 opened 1 year ago

slyles1001 commented 1 year ago

The LIEF library can perform Windows signature checks on Linux systems. It would be nice to have this functionality in Surfactant, something along the lines of their example here.

Czatar commented 4 months ago

Sadly the signature capabilities for Mach-O aren't as detailed as with PE binaries. https://lief.re/doc/stable/api/python/macho.html#code-signature

For Mach-O, LIEF provides the signature's offset, size, and signature contents. The signature contents are given as an array of bytes and a sample I'm looking at is roughly 5000 bytes. Do you think it's worth including the whole signature in the SBOM or just the offset/size?

slyles1001 commented 4 months ago

Yes, I have noticed this also. Have you had any luck parsing these bytes? It seems like Xcode's codesign is the best way to decode it, but I would be interested in seeing if we can do it manually. Alas, Mach-O is outside my scope so I can't dedicate much help.


nightlark commented 4 months ago

It looks like it should be possible, but complicated (many hashes of different portions of a Mach-O file and of possible external files, and the signature itself is a bit complex to parse). Since we don’t have anything that needs it right now, we are just going to add a flag indicating that code signing info is present.

Related information:

- https://developer.apple.com/documentation/technotes/tn3126-inside-code-signing-hashes - high-level deep dive
- https://forums.developer.apple.com/forums/thread/702351 - older version of the above linked article
- https://docs.rs/apple-codesign/latest/apple_codesign/specification/index.html - info from a 3rd-party Rust crate that implements Apple code signing; other parts of the docs and source code have structs for what is in the binary
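The thread leaves open what to record in the SBOM for a Mach-O signature: the raw ~5000-byte blob, just its offset/size, or a presence flag. A middle ground is to parse the outer `SuperBlob` and `CodeDirectory` headers (the structures from Apple's `cs_blobs.h`, which the apple-codesign docs linked above also describe) and store a compact summary: signing identifier, team ID, hash algorithm, page-hash count and whether a CMS signature blob is present. The example below is added here and is not Surfactant's or LIEF's code. It operates on the raw signature bytes; the `summarize_lief_binary` helper assumes LIEF exposes them as `binary.code_signature.content` (attribute names taken from the LIEF docs linked in the thread, not verified here). The sample SuperBlob is constructed inline, with zeroed page digests and stand-in CMS bytes, so the script runs offline. It reads headers only and does not verify any hash or the CMS signature.

```python
"""Summarize an embedded Mach-O code signature (CSMAGIC_EMBEDDED_SIGNATURE SuperBlob).

Added example, not Surfactant or LIEF code. Parses headers only; no hash or
CMS verification is performed.
"""
import struct
from typing import Optional

# Magic numbers and slot indices from Apple's cs_blobs.h; all fields are big-endian.
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0
CSMAGIC_CODEDIRECTORY = 0xFADE0C02
CSMAGIC_REQUIREMENTS = 0xFADE0C01
CSMAGIC_EMBEDDED_ENTITLEMENTS = 0xFADE7171
CSMAGIC_BLOBWRAPPER = 0xFADE0B01  # wraps the CMS (PKCS#7) signature
CSSLOT_CODEDIRECTORY = 0
CSSLOT_REQUIREMENTS = 2
CSSLOT_SIGNATURESLOT = 0x10000
HASH_TYPES = {1: "sha1", 2: "sha256", 3: "sha256-truncated", 4: "sha384"}


def parse_superblob(data: bytes) -> list:
    """Return (slot_type, magic, blob_bytes) for each blob indexed by the SuperBlob."""
    magic, length, count = struct.unpack_from(">III", data, 0)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE:
        raise ValueError(f"not an embedded signature SuperBlob: {magic:#x}")
    if length > len(data):
        raise ValueError("SuperBlob length exceeds buffer")
    blobs = []
    for i in range(count):
        slot, offset = struct.unpack_from(">II", data, 12 + 8 * i)
        blob_magic, blob_len = struct.unpack_from(">II", data, offset)
        if offset + blob_len > length:  # untrusted input: bounds-check every blob
            raise ValueError(f"blob in slot {slot:#x} overruns SuperBlob")
        blobs.append((slot, blob_magic, data[offset:offset + blob_len]))
    return blobs


def parse_code_directory(blob: bytes) -> dict:
    """Extract identifier, team ID and hash parameters from a CodeDirectory blob."""
    (magic, _length, version, flags, _hash_off, ident_off, n_special, n_code,
     code_limit, hash_size, hash_type, _platform, page_size) = struct.unpack_from(">IIIIIIIIIBBBB", blob, 0)
    if magic != CSMAGIC_CODEDIRECTORY:
        raise ValueError("not a CodeDirectory blob")
    ident = blob[ident_off:blob.index(b"\x00", ident_off)].decode()
    team = None
    if version >= 0x20200:  # teamOffset field exists from this version on (offset 48)
        team_off = struct.unpack_from(">I", blob, 48)[0]
        if team_off:
            team = blob[team_off:blob.index(b"\x00", team_off)].decode()
    return {"identifier": ident, "team_id": team, "version": version, "flags": flags,
            "hash_algorithm": HASH_TYPES.get(hash_type, f"unknown({hash_type})"),
            "hash_size": hash_size, "code_slots": n_code, "special_slots": n_special,
            "code_limit": code_limit, "page_size": (1 << page_size) if page_size else None}


def summarize_signature(data: bytes) -> dict:
    """SBOM-friendly summary instead of embedding kilobytes of raw signature bytes."""
    summary = {"size": len(data), "code_directories": [], "has_cms_signature": False,
               "has_requirements": False, "has_entitlements": False}
    for slot, magic, blob in parse_superblob(data):
        if magic == CSMAGIC_CODEDIRECTORY:  # primary or alternate directory
            summary["code_directories"].append(parse_code_directory(blob))
        elif slot == CSSLOT_SIGNATURESLOT and magic == CSMAGIC_BLOBWRAPPER:
            summary["has_cms_signature"] = len(blob) > 8  # header-only wrapper = ad-hoc signing
        elif magic == CSMAGIC_REQUIREMENTS:
            summary["has_requirements"] = True
        elif magic == CSMAGIC_EMBEDDED_ENTITLEMENTS:
            summary["has_entitlements"] = True
    return summary


def summarize_lief_binary(binary) -> Optional[dict]:
    """Assumed LIEF accessors: has_code_signature and code_signature.content (not verified here)."""
    if not binary.has_code_signature:
        return None
    return summarize_signature(bytes(binary.code_signature.content))


def _blob(magic: int, body: bytes) -> bytes:
    return struct.pack(">II", magic, 8 + len(body)) + body


def _code_directory(identifier: bytes, team: bytes, n_code: int, hash_type: int = 2) -> bytes:
    """Constructed version-0x20200 CodeDirectory with zeroed page digests (not a real signature)."""
    hash_size = 32 if hash_type == 2 else 20
    ident_off = 52                     # header size through teamOffset
    team_off = ident_off + len(identifier) + 1
    hash_off = team_off + len(team) + 1
    hashes = bytes(hash_size * n_code)
    header = struct.pack(">IIIIIIIIIBBBBIII", CSMAGIC_CODEDIRECTORY, hash_off + len(hashes),
                         0x20200, 0, hash_off, ident_off, 0, n_code, n_code * 4096,
                         hash_size, hash_type, 0, 12, 0, 0, team_off)
    return header + identifier + b"\x00" + team + b"\x00" + hashes


def build_sample_signature() -> bytes:
    """Constructed SuperBlob: CodeDirectory + empty requirements + stand-in CMS wrapper."""
    blobs = [(CSSLOT_CODEDIRECTORY, _code_directory(b"com.example.tool", b"ABCDE12345", n_code=3)),
             (CSSLOT_REQUIREMENTS, _blob(CSMAGIC_REQUIREMENTS, struct.pack(">I", 0))),
             (CSSLOT_SIGNATURESLOT, _blob(CSMAGIC_BLOBWRAPPER, b"\x30\x82\x00\x00"))]
    offset = 12 + 8 * len(blobs)
    index, payload = b"", b""
    for slot, blob in blobs:
        index += struct.pack(">II", slot, offset)
        payload += blob
        offset += len(blob)
    return struct.pack(">III", CSMAGIC_EMBEDDED_SIGNATURE, offset, len(blobs)) + index + payload


if __name__ == "__main__":
    import json
    print(json.dumps(summarize_signature(build_sample_signature()), indent=2))
```

The summary keeps the fields an SBOM consumer can act on (who signed, which digest algorithm, whether a CMS signature exists or the binary is only ad-hoc signed) while leaving out the page digests themselves; a real binary may carry more than one CodeDirectory (an SHA-1 primary plus SHA-256 alternates), which is why the summary holds a list.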