Add a check for BTI and PAC

jvoisin commented 4 months ago

Issue

BTI and PAC (on ARM) aren't detected by checksec.sh

$ checksec --file=/bin/ssh
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH  Symbols     FORTIFY Fortified   Fortifiable FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   No Symbols   Yes    12      23      /bin/ssh
$ readelf -d /bin/ssh | grep BTI
 0x0000000070000001 (AARCH64_BTI_PLT)    
$ ~ readelf -n /bin/ssh  | grep PAC -m 1
      Properties: AArch64 feature: BTI, PAC
$

Debug Report

$ checksec --debug_report
***** Checksec debug *****
uid=1000(jvoisin) gid=1000(jvoisin) groups=1000(jvoisin),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Linux xxx yyy #1 SMP PREEMPT_DYNAMIC Sun Mar 24 19:44:17 UTC 2024 aarch64 GNU/Linux
checksec version: 2.6.0 -- 2022052701
OS=zzz
VER=39
-rwxr-xr-x. 1 root root 200696 Jan 18 01:00 /usr/bin/cat
/usr/bin/cat: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=75a7332c0bd530cd7854870a0f90e8322800d4d2, for GNU/Linux 3.7.0, stripped
lrwxrwxrwx. 1 root root 4 Jul 19  2023 /usr/bin/awk -> gawk
-rwxr-xr-x. 1 root root 866208 Jul 19  2023 /usr/bin/gawk
/usr/bin/gawk: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=b38d9159b0ab74a2f19307ac36791947ab1f3522, for GNU/Linux 3.7.0, stripped
-rwxr-xr-x. 1 root root 201144 Nov 14 01:00 /sbin/sysctl
/sbin/sysctl: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=98be88d321b6307e2cec22d993c1ca8cb839e882, for GNU/Linux 3.7.0, stripped
-rwxr-xr-x. 1 root root 200656 Jan 18 01:00 /usr/bin/uname
/usr/bin/uname: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=55f54df31bf2f88053d0c2254531c0f0d787d36d, for GNU/Linux 3.7.0, stripped
-rwxr-xr-x. 1 root root 200728 Jan 18 01:00 /usr/bin/mktemp
/usr/bin/mktemp: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=512824cab65253b01c6631eacc09e8797549d8a7, for GNU/Linux 3.7.0, stripped
-rwxr-xr-x. 1 root root 1024112 Aug 31  2023 /usr/bin/openssl
/usr/bin/openssl: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=d0747b1b66a1c41a545ed2a16e74997d16d70a48, for GNU/Linux 3.7.0, stripped
-rwxr-xr-x. 1 root root 268104 Jul 20  2023 /usr/bin/grep
/usr/bin/grep: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=2b88fea571b2728bf2ea3b75019cd64a76455f07, for GNU/Linux 3.7.0, stripped
-rwxr-xr-x. 1 root root 201024 Jan 18 01:00 /usr/bin/stat
/usr/bin/stat: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=ba7a4b682c859ed4f41a0aa8cf67db7cd3a40809, for GNU/Linux 3.7.0, stripped
-rwxr-xr-x. 1 root root 200720 Jul 19  2023 /usr/bin/file
/usr/bin/file: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=65d98d4c5176b60681cfc97bf4cf763bfa714725, for GNU/Linux 3.7.0, stripped
-rwxr-xr-x. 1 root root 270560 Jul 19  2023 /usr/bin/find
/usr/bin/find: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=37dfc3a5716f6dab8698cdb8c0c2c9bbb71efd6f, for GNU/Linux 3.7.0, stripped
-rwxr-xr-x. 1 root root 200808 Jan 18 01:00 /usr/bin/head
/usr/bin/head: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=08e2b539cc3970b414b559a95dad8e3af9b5e700, for GNU/Linux 3.7.0, stripped
-rwxr-xr-x. 1 root root 269040 Nov 14 01:00 /usr/bin/ps
/usr/bin/ps: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=3d4b73ea80973c755b1ad4c82f805489c1f12d29, for GNU/Linux 3.7.0, stripped
-rwxr-xr-x. 1 root root 200784 Jan 18 01:00 /usr/bin/readlink
/usr/bin/readlink: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=1af588d6dd41a0a1c2dd36b34e5acd65cca11a64, for GNU/Linux 3.7.0, stripped
-rwxr-xr-x. 1 root root 200672 Jan 18 01:00 /usr/bin/basename
/usr/bin/basename: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=6d13d9fc75f9de1f5d98e2dc737b1f2ef3778136, for GNU/Linux 3.7.0, stripped
-rwxr-xr-x. 1 root root 200720 Jan 18 01:00 /usr/bin/id
/usr/bin/id: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=dfa21d1b422e3d49d86500e73fa87ec6a0f4b24e, for GNU/Linux 3.7.0, stripped
-rwxr-xr-x. 1 root root 200976 Jul 22  2023 /usr/bin/which
/usr/bin/which: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=849a8536c030cc976d78180554b4599be06dad2e, for GNU/Linux 3.7.0, stripped
-rwxr-xr-x. 1 root root 615608 Mar  5 01:00 /usr/bin/wget
/usr/bin/wget: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=2a797dd26b6cd863a8a1d9f9d4b5b329a3538d40, for GNU/Linux 3.7.0, stripped
-rwxr-xr-x. 1 root root 398480 Dec  6 01:00 /usr/bin/curl
/usr/bin/curl: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=9b1be3c23af0227ab9a1952c5e1f62356620a5a1, for GNU/Linux 3.7.0, stripped
-rwxr-xr-x. 1 root root 934664 Jan 25 01:00 /usr/bin/readelf
/usr/bin/readelf: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=99a28750433912984e4aa87a0a577cb56a329a7b, for GNU/Linux 3.7.0, stripped
-rwxr-xr-x. 1 root root 729872 Mar  4 01:00 /usr/bin/eu-readelf
/usr/bin/eu-readelf: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=00d0ac9de6bc04a2b8a9fcca544b1fe6218cd003, for GNU/Linux 3.7.0, stripped
[1]
$

Command run to produce the error

$ checksec --file=/bin/ssh

OS version and Kernel version

Fedora
6.6.3

Debug output

$ checksec --debug --file=/bin/ssh
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH  Symbols     FORTIFY Fortified   Fortifiable FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   No Symbols   Yes    12      23      /bin/ssh
$

slimm609 commented 4 months ago

Please provide additional context as to what "BTI" and "PAC" are?

jvoisin commented 4 months ago

Sure:

PAC: Pointer Authentication is a feature, available for Armv8.3-A and Armv9.0-A (and later) Arm architectures, to provide some protection against ROP. A Pointer Authentication Code (PAC) is generated from the value of a given pointer, and is used to verify pointers before using them. If attackers attempt to modify such a pointer in memory they will also need to compute the right PAC signature for it. For example, to ROP, if the return address stored in the stack is signed and verified before returning to it, the attacker will not be able to control the program flow and an exception is raised.
BTI: Branch Target Identification (BTI) can mitigate against some JOP attacks by creating an architectural dependency between certain indirect branch instructions and the instructions that they target. Indirect branches are vulnerable to JOP attacks as the pointers are frequently stored on the stack and if the stack is compromised then these pointers can be manipulated. In AArch64, the CPU can be configured so that indirect branch instructions only target valid “landing pad” instructions within a select memory region, which is specified by the Guarded Page (GP) bit in the translation tables. The architecture can record the type of branch that targeted the landing pad, and both direct and indirect branches can be tracked.

ARM published a nice and accessible blogpost on both PAC and BTI.

slimm609 commented 4 months ago

Thanks. I will take a look at this and see if it can be implemented

slimm609 / checksec.sh

Add a check for BTI and PAC #237

Issue

Debug Report

Command run to produce the error

OS version and Kernel version

Debug output