search

slimm609 / checksec

Checksec
https://slimm609.github.io/checksec
Other
2.03k stars 305 forks source link

checksec-2.7.1 FORTIFY detection for processes #241

Closed teoberi closed 5 months ago

teoberi commented 6 months ago

As detailed in #236, couldn't the "N/A" and "Partial" cases also apply to running processes? Example applied to checksec-2.7.1: ./checksec --proc=update-notifier

* System-wide ASLR (kernel.randomize_va_space): Full (Setting: 2)
  Description - Make the addresses of mmap base, heap, stack and VDSO page randomized.
  This, among other things, implies that shared libraries will be loaded to random 
  addresses. Also for PIE-linked binaries, the location of code start is randomized.
  See the kernel file 'Documentation/admin-guide/sysctl/kernel.rst' for more details.
* Does the CPU support NX: Yes
         COMMAND    PID RELRO           STACK CANARY            SECCOMP          NX/PaX        PIE                     FORTIFY

 update-notifier   3066 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Yes

readlink /proc/3066/exe

/usr/bin/update-notifier

./checksec --fortify-file=/usr/bin/update-notifier

* FORTIFY_SOURCE support available (libc)    : Yes
* Binary compiled with FORTIFY_SOURCE support: Yes
 ------ EXECUTABLE-FILE ------- . -------- LIBC --------
 Fortifiable library functions | Checked function names
 -------------------------------------------------------
 fgets                          | __fgets_chk
 fprintf_chk                    | __fprintf_chk
 fread                          | __fread_chk
 getgroups_chk                  | __getgroups_chk
 read                           | __read_chk
 strncpy                        | __strncpy_chk
SUMMARY:
* Number of checked functions in libc                : 79
* Total number of library functions in the executable: 286
* Number of Fortifiable functions in the executable : 6
* Number of checked functions in the executable      : 2
* Number of unchecked functions in the executable    : 4

./checksec --file=/usr/bin/update-notifier

RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH  Symbols     FORTIFY Fortified   Fortifiable FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   No Symbols  Partial 2       6       /usr/bin/update-notifier

There is a discrepancy for Fortify in the results in case of options: 1) --proc=update-notifier -> Yes (wrong) 2) --file=/usr/bin/update-notifier -> Partial (correct) also validated with the result of the --fortify-file=/usr/bin/update-notifier option.

In src/functions/proccheck.sh, replace the code from the section

check for Fortify source support

with the code from filecheck.sh

search_libc
  libc_found="false"
  if ${readelf} -d "$(readlink "${1}"/exe)" 2> /dev/null | grep 'NEEDED' | grep -q 'libc\.so'; then
    libc_found="true"
  fi
  Proc_FS_filechk_func_libc="$(${readelf} -s "${use_dynamic}" "${FS_libc}" 2> /dev/null | sed -ne 's/.*__\(.*_chk\)@@.*/\1/p')"
  Proc_FS_func_libc="${Proc_FS_filechk_func_libc//_chk/}"
  Proc_FS_func="$(${readelf} -s "${use_dynamic}" "${1}/exe" 2> /dev/null | awk '{ print $8 }' | sed -e 's/_*//' -e 's/@.*//' -e '/^$/d')"
  Proc_FS_cnt_checked=$(grep -cFxf <(sort -u <<< "${Proc_FS_filechk_func_libc}") <(sort -u <<< "${Proc_FS_func}"))
  Proc_FS_cnt_unchecked=$(grep -cFxf <(sort -u <<< "${Proc_FS_func_libc}") <(sort -u <<< "${Proc_FS_func}"))
  Proc_FS_cnt_total=$((Proc_FS_cnt_unchecked + Proc_FS_cnt_checked))
  if [[ "${libc_found}" == "false" ]] || [[ "${Proc_FS_cnt_total}" == "0" ]]; then
    echo_message "\033[32mN/A\033[m" "N/A," ' fortify_source="n/a">' '"fortify_source":"n/a" }'
  else
    if [[ $Proc_FS_cnt_checked -eq $Proc_FS_cnt_total ]]; then
      echo_message '\033[32mYes\033[m' 'Yes,' ' fortify_source="yes">' '"fortify_source":"yes" }'
    else
      if [[ "${Proc_FS_cnt_checked}" == "0" ]]; then
        echo_message "\033[31mNo\033[m" "No," ' fortify_source="no">' '"fortify_source":"no" }'
      else
        echo_message "\033[33mPartial\033[m" "Partial," ' fortify_source="partial">' '"fortify_source":"partial" }'
      fi
    fi
  fi

with only 2 changes, that is: line 3 (adapted to find the path to executables)

readlink ${1}/exe

and line 8 (adapted for processes) ${1}/exe The new result is: ./checksec --proc=update-notifier

* System-wide ASLR (kernel.randomize_va_space): Full (Setting: 2)
  Description - Make the addresses of mmap base, heap, stack and VDSO page randomized.
  This, among other things, implies that shared libraries will be loaded to random 
  addresses. Also for PIE-linked binaries, the location of code start is randomized.
  See the kernel file 'Documentation/admin-guide/sysctl/kernel.rst' for more details.
* Does the CPU support NX: Yes
         COMMAND    PID RELRO           STACK CANARY            SECCOMP          NX/PaX        PIE                     FORTIFY
 update-notifier   3066 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
teoberi commented 6 months ago

The new code is working: sudo ./checksec --proc-all

* System-wide ASLR (kernel.randomize_va_space): Full (Setting: 2)
  Description - Make the addresses of mmap base, heap, stack and VDSO page randomized.
  This, among other things, implies that shared libraries will be loaded to random 
  addresses. Also for PIE-linked binaries, the location of code start is randomized.
  See the kernel file 'Documentation/admin-guide/sysctl/kernel.rst' for more details.
* Does the CPU support NX: Yes
* Core-Dumps access to all users: Not Restricted
         COMMAND    PID RELRO           STACK CANARY            SECCOMP          NX/PaX        PIE                     FORTIFY
         systemd      1 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
   VBoxDRMClient   1212 Partial RELRO   No canary found         No Seccomp       NX enabled    No PIE                  No
     VBoxService   1215 Partial RELRO   No canary found         No Seccomp       NX enabled    No PIE                  No
            gdm3   1237 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
    rtkit-daemon   1278 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
         upowerd   1363 Full RELRO      Canary found            Seccomp-bpf      NX enabled    PIE enabled             Partial
     packagekitd   1367 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
          colord   1522 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Yes
 gdm-session-wor   1619 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
         systemd   1628 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
        (sd-pam)   1630 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
        pipewire   1636 Full RELRO      Canary found            Seccomp-bpf      NX enabled    PIE enabled             Yes
 pipewire-media-   1637 Full RELRO      Canary found            Seccomp-bpf      NX enabled    PIE enabled             Partial
      pulseaudio   1638 Full RELRO      Canary found            Seccomp-bpf      NX enabled    PIE enabled             Yes
 gnome-keyring-d   1646 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
 gdm-wayland-ses   1655 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Yes
     dbus-daemon   1657 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
 gnome-session-b   1664 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Yes
 xdg-document-po   1672 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
 xdg-permission-   1685 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
     fusermount3   1695 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
 gnome-session-c   1728 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             No
           gvfsd   1738 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             No
      gvfsd-fuse   1747 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Yes
 gnome-session-b   1748 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Yes
 at-spi-bus-laun   1775 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
     gnome-shell   1782 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             N/A
     dbus-daemon   1791 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
 gnome-shell-cal   1828 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             N/A
 evolution-sourc   1834 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             N/A
      goa-daemon   1841 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             N/A
 snapd-desktop-i   1843 Full RELRO      Canary found            Seccomp-bpf      NX enabled    PIE enabled             N/A
 evolution-calen   1853 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             N/A
 gvfs-udisks2-vo   1855 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             N/A
 goa-identity-se   1873 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             No
 gvfs-afc-volume   1891 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             N/A
 gvfs-mtp-volume   1899 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             N/A
   dconf-service   1911 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             No
 evolution-addre   1914 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             N/A
 systemd-journal    192 Full RELRO      Canary found            Seccomp-bpf      NX enabled    PIE enabled             Partial
 gvfs-gphoto2-vo   1920 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             N/A
 gvfs-goa-volume   1933 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             N/A
 snapd-desktop-i   1950 Full RELRO      Canary found            Seccomp-bpf      NX enabled    PIE enabled             N/A
     gvfsd-trash   1972 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             N/A
 at-spi2-registr   1985 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Yes
             gjs   1987 Full RELRO      No canary found         No Seccomp       NX enabled    PIE enabled             N/A
              sh   1997 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
     ibus-daemon   1999 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             No
 gsd-a11y-settin   2000 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Yes
       gsd-color   2005 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Yes
    gsd-datetime   2006 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
 gsd-housekeepin   2007 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Yes
    gsd-keyboard   2013 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Yes
  gsd-media-keys   2014 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
       gsd-power   2019 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Yes
 gsd-print-notif   2021 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Yes
      gsd-rfkill   2022 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Yes
 gsd-screensaver   2023 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Yes
     gsd-sharing   2027 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Yes
   gsd-smartcard   2029 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
       gsd-sound   2035 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Yes
       gsd-wacom   2038 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Yes
 gsd-disk-utilit   2056 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             N/A
 evolution-alarm   2071 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             N/A
     gsd-printer   2081 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Yes
      ibus-dconf   2084 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             N/A
 ibus-extension-   2085 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             N/A
     ibus-portal   2087 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             N/A
      VBoxClient   2144 Partial RELRO   No canary found         No Seccomp       NX enabled    No PIE                  Partial
      VBoxClient   2145 Partial RELRO   No canary found         No Seccomp       NX enabled    No PIE                  Partial
        Xwayland   2162 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
      snap-store   2163 Full RELRO      Canary found            Seccomp-bpf      NX enabled    PIE enabled             N/A
 ibus-engine-sim   2191 Full RELRO      No canary found         No Seccomp       NX enabled    PIE enabled             N/A
   systemd-udevd    222 Full RELRO      Canary found            Seccomp-bpf      NX enabled    PIE enabled             Partial
 tracker-miner-f   2261 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             N/A
 xdg-desktop-por   2262 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
 xdg-desktop-por   2267 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
             gjs   2283 Full RELRO      No canary found         No Seccomp       NX enabled    PIE enabled             N/A
   gsd-xsettings   2310 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
        ibus-x11   2343 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
             gjs   2348 Full RELRO      No canary found         No Seccomp       NX enabled    PIE enabled             N/A
 xdg-desktop-por   2378 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
      VBoxClient   2381 Partial RELRO   No canary found         No Seccomp       NX enabled    No PIE                  Partial
      VBoxClient   2382 Partial RELRO   No canary found         No Seccomp       NX enabled    No PIE                  Partial
      VBoxClient   2389 Partial RELRO   No canary found         No Seccomp       NX enabled    No PIE                  Partial
      VBoxClient   2390 Partial RELRO   No canary found         No Seccomp       NX enabled    No PIE                  Partial
      VBoxClient   2398 Partial RELRO   No canary found         No Seccomp       NX enabled    No PIE                  Partial
      VBoxClient   2399 Partial RELRO   No canary found         No Seccomp       NX enabled    No PIE                  Partial
           fwupd   2449 Full RELRO      Canary found            Seccomp-bpf      NX enabled    PIE enabled             N/A
  gvfsd-metadata   2451 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             No
 gnome-terminal-   2876 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             No
            bash   2961 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
            sudo   3120 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
            sudo   3243 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
    systemd-oomd    403 Full RELRO      Canary found            Seccomp-bpf      NX enabled    PIE enabled             Partial
 systemd-resolve    404 Full RELRO      Canary found            Seccomp-bpf      NX enabled    PIE enabled             Partial
 systemd-timesyn    563 Full RELRO      Canary found            Seccomp-bpf      NX enabled    PIE enabled             Yes
 accounts-daemon    689 Full RELRO      Canary found            Seccomp-bpf      NX enabled    PIE enabled             Partial
           acpid    693 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
    avahi-daemon    697 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
            cron    701 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
     dbus-daemon    704 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
  NetworkManager    705 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
      irqbalance    715 Full RELRO      Canary found            Seccomp-bpf      NX enabled    PIE enabled             Partial
 networkd-dispat    718 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
         polkitd    719 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Yes
 power-profiles-    722 Full RELRO      Canary found            Seccomp-bpf      NX enabled    PIE enabled             Yes
        rsyslogd    728 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
           snapd    732 Partial RELRO   Canary found            No Seccomp       NX enabled    PIE enabled             Yes
 switcheroo-cont    737 Full RELRO      Canary found            Seccomp-bpf      NX enabled    PIE enabled             N/A
  systemd-logind    739 Full RELRO      Canary found            Seccomp-bpf      NX enabled    PIE enabled             Partial
         udisksd    744 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
  wpa_supplicant    755 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
    avahi-daemon    766 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
    ModemManager    783 Full RELRO      Canary found            Seccomp-bpf      NX enabled    PIE enabled             Partial
           cupsd    787 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
            sshd    812 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
 unattended-upgr    823 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
    cups-browsed    852 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
      kerneloops    871 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial
      kerneloops    875 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Partial

Also in tests/hardening-checks.sh the code for Fortify "Partial" case works:

# Partial
for bin in partial partial32 partial_cl partial_cl32; do
  "${DIR}"/binaries/output/${bin} > /dev/null &
  if [[ $("${PARENT}"/checksec --proc=${bin} --format=csv | cut -d, -f8) != "Partial" ]]; then
    echo "No Fortify process validation failed on \"${bin}\": $("${PARENT}"/checksec --proc=${bin} --format=csv | cut -d, -f8)"
    exit 1
  fi
done

I can't find yet a solution to test the Fortify "N/A" case as well, although in the above result when testing the system for processes there are many N/A cases.

teoberi commented 6 months ago

I found a solution to test the Fortify "N/A" case, the second half, i.e. Proc_FS_cnt_total=0 by adding a sleep() in the helloworld.c source file:

#include <stdio.h>
#include <unistd.h>
int main()
{
    printf("Hello World\n");
    sleep(2);
    return 0;
}

and now make test works for fszero fszero_cl fszero32 fszero_cl32 The first half libc_found=false remains to be solved I still can't add a sleep().

teoberi commented 6 months ago

I found a solution to generate the nolibc/nolibc_cl test files usable for "Fortify" testing in the case of libc_found=false both for files and processes (tests/hardening-checks.sh). An nolibc.asm file written in NASM:

  1. display the message "Hello, World!" (usable in the # file checks section);
  2. suspend the execution of the program (after displaying the message) for approximately 2 seconds (usable and necessary in the # process checks section). 
    
section .data
    msg db 'Hello, World!', 0ah ;note the newline (Line Feed-LF) at the end (hex:0ah; decimal:10)
    len equ $ - msg             ;calculate the length of the message
    delay dq 2, 100000000       ;define delay with Timespec structure members tv_sec, tv_nsec (qwords, 64-bit integer values)

section .text global _start ;must be declared for linker (ld)

_start: ;tells linker entry point mov rax, 1 ;system call for write (sys_write 1) mov rdi, 1 ;file descriptor (1 is stdout) mov rsi, msg ;address of string to output mov rdx, len ;message length syscall ;invoke operating system to do the write

    mov rax, 35                 ;system call for nanosleep (sys_nanosleep 35)
    mov rdi, delay              ;load the pointer to our delay
    mov rsi, 0                  ;exit code 0
    syscall                     ;invoke operating system to do the delay

    mov rax, 60                 ;system call for exit (sys_exit 60)
    xor rdi, rdi                ;exit code 0
    syscall                     ;invoke operating system to exit
There are 2 options for compilation:
1. **NASM** will be a requirement, it will be installed and these commands will be run:

nasm -f elf64 -o nolibc.o nolibc.asm gcc -o nolibc nolibc.o -w -nostdlib -no-pie -s clang -o nolibc_cl nolibc.o -w -nostdlib -no-pie -s

2. The file .o (object file) **nolibc.o** will be delivered directly (**as source file**) and only these commands will be run:

gcc -o nolibc nolibc.o -w -nostdlib -no-pie -s clang -o nolibc_cl nolibc.o -w -nostdlib -no-pie -s


**@slimm609** here I need your decision, I would opt for the first option with NASM installation but it will become a requirement (among many others) for running the tests.

It remains to write an .asm file for **x86 assembly** (different syntax compared to x86-64 presented previously) to complete the **Fortify** test files for the **nolibc** case.
teoberi commented 6 months ago

And the solution for nolibc32/nolibc_cl32 test files: nolibc32.asm

section .data
        msg db "Hello, world!", 0xa ;note the newline (Line Feed-LF) at the end (hex:0ah; decimal:10)
        len equ $ - msg             ;calculate the length of the message
        delay dd 2, 100000000       ;define delay with Timespec structure members tv_sec, tv_nsec (dwords, 32-bit integer values)

section .text
        global _start               ;must be declared for linker (ld)

_start:                             ;tells linker entry point
        mov eax,4                   ;system call for write (sys_write 4)
        mov ebx,1                   ;file descriptor (1 is stdout)
        mov ecx,msg                 ;address of string to output
        mov edx,len                 ;message length
        int 0x80                    ;invoke operating system to do the write

        mov eax, 162                ;system call for nanosleep (sys_nanosleep 162)
        mov ebx, delay              ;load the pointer to our delay
        mov ecx, 0                  ;exit code 0
        int 0x80                    ;invoke operating system to do the delay

        mov eax,1                   ;system call for exit (sys_exit 1)
        xor ebx, ebx                ;exit code 0
        int 0x80                    ;invoke operating system to exit

Compilation commands:

nasm -f elf32 -o nolibc32.o nolibc32.asm
gcc -m32 -o nolibc32 nolibc32.o -w -nostdlib -no-pie -s
clang -m32 -o nolibc_cl32 nolibc32.o -w -nostdlib -no-pie -s
slimm609 commented 6 months ago

These are all for tests so adding dependencies to the test images is completely fine. These are rather difficult to test int he different scenarios so the more tests we can add, the more reliable the tests will be.

There is also a full rewrite/port to golang in progress so these tests will be vital in validating the 2 versions side by side.

petervas commented 6 months ago

I found a solution to generate the nolibc/nolibc_cl test files usable for "Fortify" testing in the case of libc_found=false both for files and processes (tests/hardening-checks.sh). An nolibc.asm file written in NASM:

Why not simply compile a regular helloworld.c with the -static flag? That one will also pass the N/A test because the external libc dependency will be gone.

teoberi commented 6 months ago

Hi, It can be done! Pros/cons here.

The advantage is that if library changes, or is not present on a system, the program will run fine, because it has the functions and other stuff with it already.
The disadvantage is large memory footprint, large file size, and no fixing of bugs, no updates of the library code without recompiling.

Example in our case (existing fszero and nolibc) and fszero-static compiled with the command: gcc -o fszero-static fszero.c -static -w -D_FORTIFY_SOURCE=0 -O2 -s nolibc -> 8,4K fszero -> 15K fszero-static -> 801K This was the recommended solution for "Hello, world!" without libc using assembler.