noloader n00b
Joined: 12 Aug 2012 Posts: 7
|
Posted: Wed Aug 15, 2012 3:30 am Post subject: Audit Binary for No-Exec Heap? |
|
|
Hi All,
I'm attempting to audit a binary for compliance with no-exec heaps on Gentoo. The binary was compiled with -z,noexecheap (-z,noexecheap is a Gentoo extension). GCC and LD took the switch with no complaints (LD usually complains on lesser systems).
I've tried using readelf and '-l', '-s' and '-d':
Code: | readelf -l sample.exe | grep -i "HEAP" |
but I get no hits.
A similar search for a no-exec stack with "GNU_STACK" does return a hit:
Code: | $ readelf -l sample.exe | grep -i "GNU_STACK"
$ GNU_STACK 0x00000000 0x00000000 0x00000000 |
From above, I know the executable is marked with PT_GNU_STACK and its size is 0. Therefore, it's a no-exec stack (http://www.airs.com/blog/archives/518).
Searching has also failed me (perhaps my Google-fu is off).
How does Gentoo mark a binary for no-exec heaps? How does one audit it?
Thanks in advance,
Jeff |
|
John R. Graham Administrator
Joined: 08 Mar 2005 Posts: 10587 Location: Somewhere over Atlanta, Georgia
|
Posted: Sun Aug 19, 2012 1:42 am Post subject: |
|
|
Moved from Other Things Gentoo to Portage & Programming at OP's request.
- John |
|
noloader n00b
Joined: 12 Aug 2012 Posts: 7
|
Posted: Mon Aug 20, 2012 2:04 am Post subject: |
|
|
Hi All,
I'm making progress here - I found the Gentoo patches to BinUtils which added the -z,noexecheap option. The option causes BinUtils to create a PT_PAX_FLAGS segment. The segment can be inspected with 'readelf -l sample.exe | grep -A 2 -i "PAX_FLAGS"'.
The problem I am now seeing is both -z,execheap and -z,noexecheap produce the same segment. One or the other must be wrong.
No-Exec Heap:
Code: | gentoo@Gentoo-2012 ~ $ g++ -g3 -O0 -Wall -Wextra -Wconversion -fPIE -pie -fstack-protector-all sample.cpp -o sample.exe -Wl,-z,noexecstack -Wl,-z,noexecheap -Wl,-z,relro -Wl,-z,now
gentoo@Gentoo-2012 ~ $ readelf -l sample.exe | grep -A 1 -i "PAX_FLAGS"
PAX_FLAGS 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000 8 |
Exec Heap:
Code: | gentoo@Gentoo-2012 ~ $ g++ -g3 -O0 -Wall -Wextra -Wconversion -fPIE -pie -fstack-protector-all sample.cpp -o sample.exe -Wl,-z,noexecstack -Wl,-z,execheap -Wl,-z,relro -Wl,-z,now
gentoo@Gentoo-2012 ~ $ readelf -l sample.exe | grep -A 1 -i "PAX_FLAGS"
PAX_FLAGS 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000 8 |
It seems to me a non-executable heap should be adding RW and an executable heap should be adding RWX (data execution is the norm under Linux).
Any ideas what is going wrong here?
Jeff |
|
noloader n00b
Joined: 12 Aug 2012 Posts: 7
|
Posted: Mon Aug 20, 2012 6:04 am Post subject: |
|
|
Gentoo's readelf appears broken. From the changes in 63-all-binutils-2.23...patch, there was one change to get_segment_type, and no code to display the PAX_FLAGS information.
Code: | --- binutils-2.23.51.0.1/binutils/readelf.c
+++ binutils-2.23.51.0.1/binutils/readelf.c
@@ -2740,6 +2740,7 @@ get_segment_type (unsigned long p_type)
return "GNU_EH_FRAME";
case PT_GNU_STACK: return "GNU_STACK";
case PT_GNU_RELRO: return "GNU_RELRO";
+ case PT_PAX_FLAGS: return "PAX_FLAGS";
default:
if ((p_type >= PT_LOPROC) && (p_type <= PT_HIPROC)) |
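Review bot: the added "case PT_PAX_FLAGS" line in get_segment_type only gives the segment a printable name; nothing in this hunk decodes the flag bits carried by that segment, so as far as this change goes readelf -l cannot show which PaX settings the linker wrote. Suggest a companion change in the program header printing code that prints the PaX bits when the type is PT_PAX_FLAGS, or at least a comment here naming the tool that does display them.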
https://bugs.gentoo.org/show_bug.cgi?id=432026. |
|
noloader n00b
Joined: 12 Aug 2012 Posts: 7
|
Posted: Mon Aug 20, 2012 6:02 pm Post subject: |
|
|
From spanKY (https://bugs.gentoo.org/show_bug.cgi?id=432026):
Quote: | use `scanelf -x` to analyze settings.
we're in the process of deprecating PT_PAX_FLAGS, so not much point in extending support for it further. |
|
|
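Added example, not part of any post in this thread and not Gentoo's or binutils' code: a small Python audit that reads p_flags straight from the program headers, the field that the readelf listings quoted in the thread do not show decoded for PAX_FLAGS. The PT_PAX_FLAGS value, the PaX bit layout and all function names are assumptions to check against your patched elf.h; make_elf64 only builds constructed test input.

```python
import struct

PT_GNU_STACK = 0x6474E551
PT_PAX_FLAGS = 0x65041580  # assumed: PT_LOOS + 0x5041580, as in the PaX patch
PF_X = 0x1
# Assumed PaX layout: feature i has its enable bit at 4+2i, disable bit at 5+2i.
PAX_FEATURES = ["PAGEEXEC", "SEGMEXEC", "MPROTECT", "RANDEXEC", "EMUTRAMP", "RANDMMAP"]

def decode_pax(p_flags):
    """Map raw p_flags to {feature: 'on' | 'off' | 'default' | 'conflict'}."""
    out = {}
    for i, name in enumerate(PAX_FEATURES):
        on = bool(p_flags & (1 << (4 + 2 * i)))
        off = bool(p_flags & (1 << (5 + 2 * i)))
        out[name] = "conflict" if on and off else "on" if on else "off" if off else "default"
    return out

def audit_elf(data):
    """Report stack executability and PaX settings; None means header absent."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                      # EI_CLASS
    end = "<" if data[5] == 1 else ">"       # EI_DATA
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    report = {"stack_exec": None, "pax": None}
    for i in range(e_phnum):
        pos = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from(end + "I", data, pos)
        # p_flags follows p_type in ELF64 but sits at offset 24 in ELF32
        p_flags, = struct.unpack_from(end + "I", data, pos + (4 if is64 else 24))
        if p_type == PT_GNU_STACK:
            report["stack_exec"] = bool(p_flags & PF_X)
        elif p_type == PT_PAX_FLAGS:
            report["pax"] = decode_pax(p_flags)
    return report

def make_elf64(stack_flags, pax_flags):
    """Constructed input: little-endian ELF64 header plus two program headers."""
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 64, 0, 0)
    ph = lambda t, f: struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 8)
    return ehdr + ph(PT_GNU_STACK, stack_flags) + ph(PT_PAX_FLAGS, pax_flags)
```

To compare the two builds from the thread, call audit_elf(open("sample.exe", "rb").read()) on each and diff the "pax" dictionaries.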