public override void Analyze(BinaryAnalyzerContext context)
{
IELF elf = context.ELFBinary().ELF;
HashSet <string> symbolNames =
new HashSet <string>
(
ELFUtility.GetAllSymbols(elf).Select <ISymbolEntry, string>(sym => sym.Name)
);
foreach (string stack_chk in stack_check_symbols)
{
if (symbolNames.Contains(stack_chk))
{
context.Logger.Log(this,
RuleUtilities.BuildResult(ResultLevel.Pass, context, null,
nameof(RuleResources.BA3003_Pass),
context.TargetUri.GetFileName()));
return;
}
}
// If we haven't found the stack protector, we assume it wasn't used.
context.Logger.Log(this,
RuleUtilities.BuildResult(ResultLevel.Error, context, null,
nameof(RuleResources.BA3003_Error),
context.TargetUri.GetFileName()));
}
public override void Analyze(BinaryAnalyzerContext context)
{
IELF elf = context.ELFBinary().ELF;
if (elf.Type == FileType.Executable)
{
context.Logger.Log(this,
RuleUtilities.BuildResult(ResultLevel.Error, context, null,
nameof(RuleResources.BA3001_Error),
context.TargetUri.GetFileName()));
return;
}
else if (elf.Type == FileType.SharedObject)
{
// Check that it is an executable SO instead of a normal shared library
// Looking for a program header segment seems to work well here.
if (elf.Segments.Where(seg => seg.Type == SegmentType.ProgramHeader).Any())
{
context.Logger.Log(this,
RuleUtilities.BuildResult(ResultLevel.Pass, context, null,
nameof(RuleResources.BA3001_Pass_Executable),
context.TargetUri.GetFileName()));
return;
}
else
{
// '{0}' does not have an imports section that is marked as executable.
context.Logger.Log(this,
RuleUtilities.BuildResult(ResultLevel.Pass, context, null,
nameof(RuleResources.BA3001_Pass_Library),
context.TargetUri.GetFileName()));
return;
}
}
}
/// <summary>
/// Checks if Fortified functions are used--the -DFORTIFY_SOURCE=2 flag enables these when -O2 is enabled.
///
/// Check implementation:
/// -Get all function symbols in the ELF binary
/// -Check for any fortified functions--if we find any, we used the option.
/// -Check for any unfortified functions. If we only find unfortified functions, one of two things is true:
/// 1) Fortify Source wasn't used; or
/// 2) Fortify Source was used, but gcc/clang was unable to statically find anything that needed to be fortified.
/// We report on both cases.
/// -If no fortifiable functions were used at all, the rule doesn't apply.
/// </summary>
public override void Analyze(BinaryAnalyzerContext context)
{
IELF elf = context.ELFBinary().ELF;
IEnumerable <ISymbolEntry> symbols =
ELFUtility.GetAllSymbols(elf).Where(sym => sym.Type == SymbolType.Function || sym.Type == SymbolType.Object);
List <ISymbolEntry> protectedFunctions = new List <ISymbolEntry>();
List <ISymbolEntry> unprotectedFunctions = new List <ISymbolEntry>();
foreach (ISymbolEntry e in symbols)
{
if (unfortifiedFunctions.Contains(e.Name))
{
unprotectedFunctions.Add(e);
}
else if (fortifiedFunctions.Contains(e.Name))
{
protectedFunctions.Add(e);
}
}
if (protectedFunctions.Any())
{
if (unprotectedFunctions.Any())
{
context.Logger.Log(this,
RuleUtilities.BuildResult(ResultKind.Pass, context, null,
nameof(RuleResources.BA3030_Pass_SomeFunctionsChecked),
context.TargetUri.GetFileName()));
}
else
{
context.Logger.Log(this,
RuleUtilities.BuildResult(ResultKind.Pass, context, null,
nameof(RuleResources.BA3030_Pass_AllFunctionsChecked),
context.TargetUri.GetFileName()));
}
}
else if (unprotectedFunctions.Any())
{
context.Logger.Log(this,
RuleUtilities.BuildResult(FailureLevel.Error, context, null,
nameof(RuleResources.BA3030_Error),
context.TargetUri.GetFileName()));
}
else
{
context.Logger.Log(this,
RuleUtilities.BuildResult(ResultKind.Pass, context, null,
nameof(RuleResources.BA3030_Pass_NoCheckableFunctions),
context.TargetUri.GetFileName()));
}
}
public sealed override AnalysisApplicability CanAnalyze(BinaryAnalyzerContext context, out string reasonForNotAnalyzing)
{
if (context.IsELF())
{
ELFBinary target = context.ELFBinary();
return(CanAnalyzeElf(target, context.Policy, out reasonForNotAnalyzing));
}
else
{
reasonForNotAnalyzing = MetadataConditions.ImageIsNotElf;
return(AnalysisApplicability.NotApplicableToSpecifiedTarget);
}
}
public override void Analyze(BinaryAnalyzerContext context)
{
IELF elf = context.ELFBinary().ELF;
foreach (var seg in elf.Segments)
{
if (((uint)seg.Type) == GNU_RELRO_ID)
{
// Pass
context.Logger.Log(this,
RuleUtilities.BuildResult(ResultLevel.Pass, context, null,
nameof(RuleResources.BA3010_Pass),
context.TargetUri.GetFileName()));
return;
}
}
// Fail
context.Logger.Log(this,
RuleUtilities.BuildResult(ResultLevel.Error, context, null,
nameof(RuleResources.BA3010_Error),
context.TargetUri.GetFileName()));
}
public override void Analyze(BinaryAnalyzerContext context)
{
IELF elf = context.ELFBinary().ELF;
// Look for the GNU_STACK segment
foreach (ISegment seg in elf.Segments)
{
if (((uint)seg.Type) == GNU_STACK_ID)
{
// if we find it, we'll check if it's NX...
if ((seg.Flags & SegmentFlags.Execute) != 0)
{
// Fail -- stack seg is marked executable
context.Logger.Log(this,
RuleUtilities.BuildResult(FailureLevel.Error, context, null,
nameof(RuleResources.BA3002_Error_StackExec),
context.TargetUri.GetFileName()));
return;
}
else
{
// Pass -- stack segment isn't executable
context.Logger.Log(this,
RuleUtilities.BuildResult(ResultKind.Pass, context, null,
nameof(RuleResources.BA3002_Pass),
context.TargetUri.GetFileName()));
return;
}
}
}
// If the GNU_STACK isn't present, the stack is probably loaded as executable
context.Logger.Log(this,
RuleUtilities.BuildResult(FailureLevel.Error, context, null,
nameof(RuleResources.BA3002_Error_NoStackSeg),
context.TargetUri.GetFileName()));
}
public override void Analyze(BinaryAnalyzerContext context)
{
IELF elf = context.ELFBinary().ELF;
if (elf.Type == FileType.Executable)
{
context.Logger.Log(this,
RuleUtilities.BuildResult(FailureLevel.Error, context, null,
nameof(RuleResources.BA3001_Error),
context.TargetUri.GetFileName()));
return;
}
else if (elf.Type == FileType.SharedObject)
{
// Check that it is an executable SO instead of a normal shared library
// Looking for a program header segment seems to work well here.
if (elf.Segments.Where(seg => seg.Type == SegmentType.ProgramHeader).Any())
{
// PIE enabled on executable '{0}'.
context.Logger.Log(this,
RuleUtilities.BuildResult(ResultKind.Pass, context, null,
nameof(RuleResources.BA3001_Pass_Executable),
context.TargetUri.GetFileName()));
return;
}
else
{
// '{0}' is a shared object library rather than an executable,
// and is automatically position independent.
context.Logger.Log(this,
RuleUtilities.BuildResult(ResultKind.Pass, context, null,
nameof(RuleResources.BA3001_Pass_Library),
context.TargetUri.GetFileName()));
return;
}
}
}