Gentoo Forums
Audit Binary for No-Exec Heap?
noloader
n00b
Joined: 12 Aug 2012
Posts: 7

Posted: Wed Aug 15, 2012 3:30 am    Post subject: Audit Binary for No-Exec Heap?

Hi All,

I'm attempting to audit a binary for compliance with no-exec heaps on Gentoo. The binary was compiled with -z,noexecheap (-z,noexecheap is a Gentoo extension). GCC and LD took the switch with no complaints (LD usually complains on lesser systems).

I've tried using readelf and '-l', '-s' and '-d':
Code:
readelf -l sample.exe | grep -i "HEAP"
, but I get no hits.

A similar search for a no-exec stack with "GNU_STACK" does return a hit:
Code:
    $ readelf -l sample.exe | grep -i "GNU_STACK"
    $   GNU_STACK    0x00000000    0x00000000    0x00000000


From above, I know the executable is marked with PT_GNU_STACK and its size is 0. Therefore, it's a no-exec stack (http://www.airs.com/blog/archives/518).

Searching has also failed me (perhaps my Google-fu is off).

How does Gentoo mark a binary for no-exec heaps? How does one audit it?

Thanks in advance,
Jeff
John R. Graham
Administrator
Joined: 08 Mar 2005
Posts: 10587
Location: Somewhere over Atlanta, Georgia

Posted: Sun Aug 19, 2012 1:42 am

Moved from Other Things Gentoo to Portage & Programming at OP's request.

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
noloader
n00b
Joined: 12 Aug 2012
Posts: 7

Posted: Mon Aug 20, 2012 2:04 am

Hi All,

I'm making progress here - I found the Gentoo patches to BinUtils which added the -z,noexecheap option. The option causes BinUtils to create a PT_PAX_FLAGS segment. The segment can be inspected with `readelf -l sample.exe | grep -A 2 -i "PAX_FLAGS"`.

The problem I am now seeing is both -z,execheap and -z,noexecheap produce the same segment. One or the other must be wrong.

No-Exec Heap:
Code:
gentoo@Gentoo-2012 ~ $ g++ -g3 -O0 -Wall -Wextra -Wconversion -fPIE -pie -fstack-protector-all sample.cpp -o sample.exe -Wl,-z,noexecstack -Wl,-z,noexecheap -Wl,-z,relro -Wl,-z,now
gentoo@Gentoo-2012 ~ $ readelf -l sample.exe | grep -A 1 -i "PAX_FLAGS"
  PAX_FLAGS      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000         8


Exec Heap:
Code:
gentoo@Gentoo-2012 ~ $ g++ -g3 -O0 -Wall -Wextra -Wconversion -fPIE -pie -fstack-protector-all sample.cpp -o sample.exe -Wl,-z,noexecstack -Wl,-z,execheap -Wl,-z,relro -Wl,-z,now
gentoo@Gentoo-2012 ~ $ readelf -l sample.exe | grep -A 1 -i "PAX_FLAGS"
  PAX_FLAGS      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000         8


It seems to me a non-executable heap should be adding RW and an executable heap should be adding RWX (data execution is the norm under Linux).

Any ideas what is going wrong here?

Jeff
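
An added example, not part of the original post and not code from binutils or Gentoo: a Python reader that pulls the raw p_flags word out of the PT_PAX_FLAGS program header and decodes it, since readelf's Flags column only renders R, W and E. The PT_PAX_FLAGS value and the bit positions are taken from the PaX ELF definitions rather than from this thread, and `sample_elf64` builds a constructed test image.

```python
import struct
import sys

PT_PAX_FLAGS = 0x65041580  # PT_LOOS + 0x5041580, from the PaX ELF definitions (not from this thread)
# PaX p_flags bits as (enable, disable) pairs, also from the PaX ELF definitions
PAX_BITS = {"PAGEEXEC": (1 << 4, 1 << 5), "SEGMEXEC": (1 << 6, 1 << 7),
            "MPROTECT": (1 << 8, 1 << 9), "RANDEXEC": (1 << 10, 1 << 11),
            "EMUTRAMP": (1 << 12, 1 << 13), "RANDMMAP": (1 << 14, 1 << 15)}
STATE = {(True, False): "on", (False, True): "off",
         (False, False): "default", (True, True): "conflict"}

def pax_flags(elf):
    """Return the raw p_flags of the PT_PAX_FLAGS segment, or None if absent."""
    if elf[:4] != b"\x7fELF" or elf[4] not in (1, 2) or elf[5] not in (1, 2):
        raise ValueError("not a supported ELF image")
    end = "<" if elf[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    if elf[4] == 2:                            # EI_CLASS: 2 = ELF64
        phoff = struct.unpack_from(end + "Q", elf, 0x20)[0]
        counts_off, flags_off = 0x36, 4        # p_flags follows p_type in Elf64_Phdr
    else:
        phoff = struct.unpack_from(end + "I", elf, 0x1C)[0]
        counts_off, flags_off = 0x2A, 24       # p_flags is the 7th word in Elf32_Phdr
    phentsize, phnum = struct.unpack_from(end + "HH", elf, counts_off)
    for i in range(phnum):
        base = phoff + i * phentsize
        if struct.unpack_from(end + "I", elf, base)[0] == PT_PAX_FLAGS:
            return struct.unpack_from(end + "I", elf, base + flags_off)[0]
    return None

def decode(flags):
    """Map each PaX feature to on / off / default / conflict."""
    return {name: STATE[(bool(flags & on), bool(flags & off))]
            for name, (on, off) in PAX_BITS.items()}

def sample_elf64(flags):
    """Constructed input: ELF64 header plus GNU_STACK and PAX_FLAGS program headers."""
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    phdr = lambda p_type, p_flags: struct.pack(
        "<IIQQQQQQ", p_type, p_flags, 0, 0, 0, 0, 0, 8)
    return ehdr + phdr(0x6474E551, 6) + phdr(PT_PAX_FLAGS, flags)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_elf64(0x900)
    raw = pax_flags(data)
    print("no PT_PAX_FLAGS segment" if raw is None else f"{raw:#x} {decode(raw)}")
```

Run against two builds that differ only in the linker option, a difference in the raw word shows whether the option reached the segment at all.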
noloader
n00b
Joined: 12 Aug 2012
Posts: 7

Posted: Mon Aug 20, 2012 6:04 am

Gentoo's readelf appears broken. From the changes in 63-all-binutils-2.23...patch, there was one change to get_segment_type, and no code to display the PAX_FLAGS information.

Code:
--- binutils-2.23.51.0.1/binutils/readelf.c
+++ binutils-2.23.51.0.1/binutils/readelf.c
@@ -2740,6 +2740,7 @@ get_segment_type (unsigned long p_type)
          return "GNU_EH_FRAME";
     case PT_GNU_STACK:   return "GNU_STACK";
     case PT_GNU_RELRO:  return "GNU_RELRO";
+    case PT_PAX_FLAGS:  return "PAX_FLAGS";
 
     default:
       if ((p_type >= PT_LOPROC) && (p_type <= PT_HIPROC))
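
Review bot: the new `case PT_PAX_FLAGS:` in get_segment_type only maps the segment type to a display name; nothing in this hunk decodes that segment's p_flags, so a reader of the program header listing gets the label but no indication of which PaX bits are set. Either add a PaX-specific decoder where the program header flags are printed, or state in the patch description that the flags have to be read with a different tool. A short comment on the case noting that PT_PAX_FLAGS is a PaX extension, not a standard GNU segment type, would also help.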


https://bugs.gentoo.org/show_bug.cgi?id=432026.
noloader
n00b
Joined: 12 Aug 2012
Posts: 7

Posted: Mon Aug 20, 2012 6:02 pm

From spanKY (https://bugs.gentoo.org/show_bug.cgi?id=432026):

Quote:
use `scanelf -x` to analyze settings.

we're in the process of deprecating PT_PAX_FLAGS, so not much point in extending support for it further.