dash-docs/en/doxygen/html/security-check_8py_source.html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
<!-- Document head emitted by Doxygen 1.8.14 for the rendered source listing of contrib/devtools/security-check.py: page metadata, stylesheets, and the scripts behind the navigation tree and the search box. -->
<meta http-equiv="X-UA-Compatible" content="IE=9"/>
<meta name="generator" content="Doxygen 1.8.14"/>
<meta name="viewport" content="width=device-width, initial-scale=1"/>
<title>Dash Core: contrib/devtools/security-check.py Source File</title>
<!-- Every stylesheet and script below is referenced by relative path, so it is loaded from wherever this page is served; none of the tags carries an integrity attribute. -->
<link href="tabs.css" rel="stylesheet" type="text/css"/>
<script type="text/javascript" src="jquery.js"></script>
<script type="text/javascript" src="dynsections.js"></script>
<link href="navtree.css" rel="stylesheet" type="text/css"/>
<script type="text/javascript" src="resize.js"></script>
<script type="text/javascript" src="navtreedata.js"></script>
<script type="text/javascript" src="navtree.js"></script>
<!-- Inline script: runs initResizable (presumably defined in resize.js, not shown here) once the DOM is ready. NOTE(review): this is an inline script block, so a Content-Security-Policy whose script-src omits 'unsafe-inline' (and supplies no nonce or hash) would block it. -->
<script type="text/javascript">
/* @license magnet:?xt=urn:btih:cf05388f2679ee054f2beb29a391d25f4e673ac3&amp;dn=gpl-2.0.txt GPL-v2 */
$(document).ready(initResizable);
/* @license-end */</script>
<link href="search/search.css" rel="stylesheet" type="text/css"/>
<script type="text/javascript" src="search/searchdata.js"></script>
<script type="text/javascript" src="search/search.js"></script>
<link href="doxygen.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="top"><!-- do not remove this div, it is closed by doxygen! -->
<!-- Title area: project logo, project name (Dash Core), project number 0.12.2.1 and the one-line project brief. -->
<div id="titlearea">
<table cellspacing="0" cellpadding="0">
<tbody>
<tr style="height: 56px;">
<td id="projectlogo"><img alt="Logo" src="bitcoin_logo_doxygen.png"/></td>
<td id="projectalign" style="padding-left: 0.5em;">
<div id="projectname">Dash Core
&#160;<span id="projectnumber">0.12.2.1</span>
</div>
<div id="projectbrief">P2P Digital Currency</div>
</td>
</tr>
</tbody>
</table>
</div>
<!-- end header part -->
<!-- Generated by Doxygen 1.8.14 -->
<!-- Inline script: creates the global searchBox object that the on* handlers of the search filter window further down this page call into. -->
<script type="text/javascript">
/* @license magnet:?xt=urn:btih:cf05388f2679ee054f2beb29a391d25f4e673ac3&amp;dn=gpl-2.0.txt GPL-v2 */
var searchBox = new SearchBox("searchBox", "search",false,'Search');
/* @license-end */
</script>
<script type="text/javascript" src="menudata.js"></script>
<script type="text/javascript" src="menu.js"></script>
<!-- Inline script: calls initMenu (presumably defined in menu.js, not shown here) and then init_search once the DOM is ready. The call names search.php as one of its arguments; whether a server-side search page is deployed cannot be told from this file. -->
<script type="text/javascript">
/* @license magnet:?xt=urn:btih:cf05388f2679ee054f2beb29a391d25f4e673ac3&amp;dn=gpl-2.0.txt GPL-v2 */
$(function() {
initMenu('',true,false,'search.php','Search');
$(document).ready(function() { init_search(); });
});
/* @license-end */</script>
<!-- Empty placeholder; presumably filled with the main menu by the initMenu call above. -->
<div id="main-nav"></div>
</div><!-- top -->
<!-- Side navigation panel: the containers are empty in the markup; presumably navtree.js fills them from navtreedata.js at load time (neither script is shown here). -->
<div id="side-nav" class="ui-resizable side-nav-resizable">
<div id="nav-tree">
<div id="nav-tree-contents">
<div id="nav-sync" class="sync"></div>
</div>
</div>
<!-- Divider between the navigation panel and the page content; it carries the ui-resizable-handle class. -->
<div id="splitbar" style="-moz-user-select:none;"
class="ui-resizable-handle">
</div>
</div>
<!-- Inline script: initialises the navigation tree once the DOM is ready, passing this page's file name and an empty second argument. -->
<script type="text/javascript">
/* @license magnet:?xt=urn:btih:cf05388f2679ee054f2beb29a391d25f4e673ac3&amp;dn=gpl-2.0.txt GPL-v2 */
$(document).ready(function(){initNavTree('security-check_8py_source.html','');});
/* @license-end */
</script>
<div id="doc-content">
<!-- window showing the filter options -->
<!-- NOTE(review): the three on* attributes below are inline event handlers that call methods on the searchBox object created by an inline script earlier on this page. A Content-Security-Policy whose script-src omits 'unsafe-inline' would block these handlers. -->
<div id="MSearchSelectWindow"
onmouseover="return searchBox.OnSearchSelectShow()"
onmouseout="return searchBox.OnSearchSelectHide()"
onkeydown="return searchBox.OnSearchSelectKey(event)">
</div>
<!-- iframe showing the search results (closed by default) -->
<!-- NOTE(review): the iframe starts on a javascript: URL used as an empty placeholder and has no title or sandbox attribute. Presumably the search script navigates it when a query is run; confirm in search/search.js, which is not shown here. -->
<div id="MSearchResultsWindow">
<iframe src="javascript:void(0)" frameborder="0"
name="MSearchResults" id="MSearchResults">
</iframe>
</div>
<!-- Page heading: the name of the source file whose listing follows. -->
<div class="header">
<div class="headertitle">
<div class="title">security-check.py</div> </div>
</div><!--header-->
<!--
Reader notes for the listing that follows (contrib/devtools/security-check.py, a Python 2 script per its shebang line):
- The script classifies each command-line argument by its magic bytes (MZ as PE, \x7fELF as ELF) and runs the checks listed in CHECKS: PIE, NX, RELRO and Canary for ELF; PIE and NX for PE. A failed check, an unknown format or an IOError each set the exit status to 1.
- The checks parse the text output of the tools named by READELF_CMD and OBJDUMP_CMD. These default to /usr/bin/readelf and /usr/bin/objdump and can be overridden through the READELF and OBJDUMP environment variables, so a result is only as trustworthy as the environment the script runs in.
- check_ELF_PIE accepts any file whose ELF header type is DYN. Shared objects carry the same type, so this check alone does not tell a PIE executable from a library.
- check_ELF_Canary passes when __stack_chk_fail appears anywhere in the dynamic symbol output. That shows the symbol is referenced, not that every function is protected.
- get_PE_dll_characteristics returns 0 when no DllCharacteristics line is found, so the PE checks then report a failure instead of raising.
- NOTE(review): identify_executable(executable) opens `filename`, not its own parameter. It works only because the __main__ loop assigns a module-level `filename` before calling it; opening `executable` would make the function self-contained.
- NOTE(review): the __main__ loop catches only IOError, so the ValueError raised by get_ELF_program_headers on output it cannot parse would end the run with a traceback. The message text of that error also says elfread where the tool is readelf.
-->
<div class="contents">
<a href="security-check_8py.html">Go to the documentation of this file.</a><div class="fragment"><div class="line"><a name="l00001"></a><span class="lineno"><a class="line" href="namespacesecurity-check.html"> 1</a></span>&#160;<span class="comment">#!/usr/bin/python2</span></div><div class="line"><a name="l00002"></a><span class="lineno"> 2</span>&#160;<span class="stringliteral">&#39;&#39;&#39;</span></div><div class="line"><a name="l00003"></a><span class="lineno"> 3</span>&#160;<span class="stringliteral">Perform basic ELF security checks on a series of executables.</span></div><div class="line"><a name="l00004"></a><span class="lineno"> 4</span>&#160;<span class="stringliteral">Exit status will be 0 if succesful, and the program will be silent.</span></div><div class="line"><a name="l00005"></a><span class="lineno"> 5</span>&#160;<span class="stringliteral">Otherwise the exit status will be 1 and it will log which executables failed which checks.</span></div><div class="line"><a name="l00006"></a><span class="lineno"> 6</span>&#160;<span class="stringliteral">Needs `readelf` (for ELF) and `objdump` (for PE).</span></div><div class="line"><a name="l00007"></a><span class="lineno"> 7</span>&#160;<span class="stringliteral">&#39;&#39;&#39;</span></div><div class="line"><a name="l00008"></a><span class="lineno"> 8</span>&#160;<span class="keyword">from</span> __future__ <span class="keyword">import</span> division,print_function</div><div class="line"><a name="l00009"></a><span class="lineno"> 9</span>&#160;<span class="keyword">import</span> subprocess</div><div class="line"><a name="l00010"></a><span class="lineno"> 10</span>&#160;<span class="keyword">import</span> sys</div><div class="line"><a name="l00011"></a><span class="lineno"> 11</span>&#160;<span class="keyword">import</span> os</div><div class="line"><a name="l00012"></a><span class="lineno"> 12</span>&#160;</div><div class="line"><a name="l00013"></a><span class="lineno"><a class="line" 
href="namespacesecurity-check.html#abaaf3e3152673b05f39e37ab560cacc7"> 13</a></span>&#160;READELF_CMD = os.getenv(<span class="stringliteral">&#39;READELF&#39;</span>, <span class="stringliteral">&#39;/usr/bin/readelf&#39;</span>)</div><div class="line"><a name="l00014"></a><span class="lineno"><a class="line" href="namespacesecurity-check.html#a5b50d59d8783fb8c11c3ce0e6eb7f802"> 14</a></span>&#160;OBJDUMP_CMD = os.getenv(<span class="stringliteral">&#39;OBJDUMP&#39;</span>, <span class="stringliteral">&#39;/usr/bin/objdump&#39;</span>)</div><div class="line"><a name="l00015"></a><span class="lineno"> 15</span>&#160;</div><div class="line"><a name="l00016"></a><span class="lineno"><a class="line" href="namespacesecurity-check.html#a236dea8c85a7df5137bb71adbb2e626c"> 16</a></span>&#160;<span class="keyword">def </span><a class="code" href="namespacesecurity-check.html#a236dea8c85a7df5137bb71adbb2e626c">check_ELF_PIE</a>(executable):</div><div class="line"><a name="l00017"></a><span class="lineno"> 17</span>&#160; <span class="stringliteral">&#39;&#39;&#39;</span></div><div class="line"><a name="l00018"></a><span class="lineno"> 18</span>&#160;<span class="stringliteral"> Check for position independent executable (PIE), allowing for address space randomization.</span></div><div class="line"><a name="l00019"></a><span class="lineno"> 19</span>&#160;<span class="stringliteral"> &#39;&#39;&#39;</span></div><div class="line"><a name="l00020"></a><span class="lineno"> 20</span>&#160; p = subprocess.Popen([READELF_CMD, <span class="stringliteral">&#39;-h&#39;</span>, <span class="stringliteral">&#39;-W&#39;</span>, executable], stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)</div><div class="line"><a name="l00021"></a><span class="lineno"> 21</span>&#160; (stdout, stderr) = p.communicate()</div><div class="line"><a name="l00022"></a><span class="lineno"> 22</span>&#160; <span class="keywordflow">if</span> p.returncode:</div><div class="line"><a 
name="l00023"></a><span class="lineno"> 23</span>&#160; <span class="keywordflow">raise</span> IOError(<span class="stringliteral">&#39;Error opening file&#39;</span>)</div><div class="line"><a name="l00024"></a><span class="lineno"> 24</span>&#160;</div><div class="line"><a name="l00025"></a><span class="lineno"> 25</span>&#160; ok = <span class="keyword">False</span></div><div class="line"><a name="l00026"></a><span class="lineno"> 26</span>&#160; <span class="keywordflow">for</span> line <span class="keywordflow">in</span> stdout.split(<span class="stringliteral">&#39;\n&#39;</span>):</div><div class="line"><a name="l00027"></a><span class="lineno"> 27</span>&#160; line = line.split()</div><div class="line"><a name="l00028"></a><span class="lineno"> 28</span>&#160; <span class="keywordflow">if</span> len(line)&gt;=2 <span class="keywordflow">and</span> line[0] == <span class="stringliteral">&#39;Type:&#39;</span> <span class="keywordflow">and</span> line[1] == <span class="stringliteral">&#39;DYN&#39;</span>:</div><div class="line"><a name="l00029"></a><span class="lineno"> 29</span>&#160; ok = <span class="keyword">True</span></div><div class="line"><a name="l00030"></a><span class="lineno"> 30</span>&#160; <span class="keywordflow">return</span> ok</div><div class="line"><a name="l00031"></a><span class="lineno"> 31</span>&#160;</div><div class="line"><a name="l00032"></a><span class="lineno"><a class="line" href="namespacesecurity-check.html#a2986e2737cc965723e6e738f57250af8"> 32</a></span>&#160;<span class="keyword">def </span><a class="code" href="namespacesecurity-check.html#a2986e2737cc965723e6e738f57250af8">get_ELF_program_headers</a>(executable):</div><div class="line"><a name="l00033"></a><span class="lineno"> 33</span>&#160; <span class="stringliteral">&#39;&#39;&#39;Return type and flags for ELF program headers&#39;&#39;&#39;</span></div><div class="line"><a name="l00034"></a><span class="lineno"> 34</span>&#160; p = subprocess.Popen([READELF_CMD, 
<span class="stringliteral">&#39;-l&#39;</span>, <span class="stringliteral">&#39;-W&#39;</span>, executable], stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)</div><div class="line"><a name="l00035"></a><span class="lineno"> 35</span>&#160; (stdout, stderr) = p.communicate()</div><div class="line"><a name="l00036"></a><span class="lineno"> 36</span>&#160; <span class="keywordflow">if</span> p.returncode:</div><div class="line"><a name="l00037"></a><span class="lineno"> 37</span>&#160; <span class="keywordflow">raise</span> IOError(<span class="stringliteral">&#39;Error opening file&#39;</span>)</div><div class="line"><a name="l00038"></a><span class="lineno"> 38</span>&#160; in_headers = <span class="keyword">False</span></div><div class="line"><a name="l00039"></a><span class="lineno"> 39</span>&#160; count = 0</div><div class="line"><a name="l00040"></a><span class="lineno"> 40</span>&#160; headers = []</div><div class="line"><a name="l00041"></a><span class="lineno"> 41</span>&#160; <span class="keywordflow">for</span> line <span class="keywordflow">in</span> stdout.split(<span class="stringliteral">&#39;\n&#39;</span>):</div><div class="line"><a name="l00042"></a><span class="lineno"> 42</span>&#160; <span class="keywordflow">if</span> line.startswith(<span class="stringliteral">&#39;Program Headers:&#39;</span>):</div><div class="line"><a name="l00043"></a><span class="lineno"> 43</span>&#160; in_headers = <span class="keyword">True</span></div><div class="line"><a name="l00044"></a><span class="lineno"> 44</span>&#160; <span class="keywordflow">if</span> line == <span class="stringliteral">&#39;&#39;</span>:</div><div class="line"><a name="l00045"></a><span class="lineno"> 45</span>&#160; in_headers = <span class="keyword">False</span></div><div class="line"><a name="l00046"></a><span class="lineno"> 46</span>&#160; <span class="keywordflow">if</span> in_headers:</div><div class="line"><a name="l00047"></a><span class="lineno"> 
47</span>&#160; <span class="keywordflow">if</span> count == 1: <span class="comment"># header line</span></div><div class="line"><a name="l00048"></a><span class="lineno"> 48</span>&#160; ofs_typ = line.find(<span class="stringliteral">&#39;Type&#39;</span>)</div><div class="line"><a name="l00049"></a><span class="lineno"> 49</span>&#160; ofs_offset = line.find(<span class="stringliteral">&#39;Offset&#39;</span>)</div><div class="line"><a name="l00050"></a><span class="lineno"> 50</span>&#160; ofs_flags = line.find(<span class="stringliteral">&#39;Flg&#39;</span>)</div><div class="line"><a name="l00051"></a><span class="lineno"> 51</span>&#160; ofs_align = line.find(<span class="stringliteral">&#39;Align&#39;</span>)</div><div class="line"><a name="l00052"></a><span class="lineno"> 52</span>&#160; <span class="keywordflow">if</span> ofs_typ == -1 <span class="keywordflow">or</span> ofs_offset == -1 <span class="keywordflow">or</span> ofs_flags == -1 <span class="keywordflow">or</span> ofs_align == -1:</div><div class="line"><a name="l00053"></a><span class="lineno"> 53</span>&#160; <span class="keywordflow">raise</span> ValueError(<span class="stringliteral">&#39;Cannot parse elfread -lW output&#39;</span>)</div><div class="line"><a name="l00054"></a><span class="lineno"> 54</span>&#160; <span class="keywordflow">elif</span> count &gt; 1:</div><div class="line"><a name="l00055"></a><span class="lineno"> 55</span>&#160; typ = line[ofs_typ:ofs_offset].rstrip()</div><div class="line"><a name="l00056"></a><span class="lineno"> 56</span>&#160; flags = line[ofs_flags:ofs_align].rstrip()</div><div class="line"><a name="l00057"></a><span class="lineno"> 57</span>&#160; headers.append((typ, flags))</div><div class="line"><a name="l00058"></a><span class="lineno"> 58</span>&#160; count += 1</div><div class="line"><a name="l00059"></a><span class="lineno"> 59</span>&#160; <span class="keywordflow">return</span> headers</div><div class="line"><a name="l00060"></a><span 
class="lineno"> 60</span>&#160;</div><div class="line"><a name="l00061"></a><span class="lineno"><a class="line" href="namespacesecurity-check.html#af5e2c57b1b809fd45a0ab9cb8f477346"> 61</a></span>&#160;<span class="keyword">def </span><a class="code" href="namespacesecurity-check.html#af5e2c57b1b809fd45a0ab9cb8f477346">check_ELF_NX</a>(executable):</div><div class="line"><a name="l00062"></a><span class="lineno"> 62</span>&#160; <span class="stringliteral">&#39;&#39;&#39;</span></div><div class="line"><a name="l00063"></a><span class="lineno"> 63</span>&#160;<span class="stringliteral"> Check that no sections are writable and executable (including the stack)</span></div><div class="line"><a name="l00064"></a><span class="lineno"> 64</span>&#160;<span class="stringliteral"> &#39;&#39;&#39;</span></div><div class="line"><a name="l00065"></a><span class="lineno"> 65</span>&#160; have_wx = <span class="keyword">False</span></div><div class="line"><a name="l00066"></a><span class="lineno"> 66</span>&#160; have_gnu_stack = <span class="keyword">False</span></div><div class="line"><a name="l00067"></a><span class="lineno"> 67</span>&#160; <span class="keywordflow">for</span> (typ, flags) <span class="keywordflow">in</span> <a class="code" href="namespacesecurity-check.html#a2986e2737cc965723e6e738f57250af8">get_ELF_program_headers</a>(executable):</div><div class="line"><a name="l00068"></a><span class="lineno"> 68</span>&#160; <span class="keywordflow">if</span> typ == <span class="stringliteral">&#39;GNU_STACK&#39;</span>:</div><div class="line"><a name="l00069"></a><span class="lineno"> 69</span>&#160; have_gnu_stack = <span class="keyword">True</span></div><div class="line"><a name="l00070"></a><span class="lineno"> 70</span>&#160; <span class="keywordflow">if</span> <span class="stringliteral">&#39;W&#39;</span> <span class="keywordflow">in</span> flags <span class="keywordflow">and</span> <span class="stringliteral">&#39;E&#39;</span> <span 
class="keywordflow">in</span> flags: <span class="comment"># section is both writable and executable</span></div><div class="line"><a name="l00071"></a><span class="lineno"> 71</span>&#160; have_wx = <span class="keyword">True</span></div><div class="line"><a name="l00072"></a><span class="lineno"> 72</span>&#160; <span class="keywordflow">return</span> have_gnu_stack <span class="keywordflow">and</span> <span class="keywordflow">not</span> have_wx</div><div class="line"><a name="l00073"></a><span class="lineno"> 73</span>&#160;</div><div class="line"><a name="l00074"></a><span class="lineno"><a class="line" href="namespacesecurity-check.html#a11360cbeb06ad3b03b995aa1517972b3"> 74</a></span>&#160;<span class="keyword">def </span><a class="code" href="namespacesecurity-check.html#a11360cbeb06ad3b03b995aa1517972b3">check_ELF_RELRO</a>(executable):</div><div class="line"><a name="l00075"></a><span class="lineno"> 75</span>&#160; <span class="stringliteral">&#39;&#39;&#39;</span></div><div class="line"><a name="l00076"></a><span class="lineno"> 76</span>&#160;<span class="stringliteral"> Check for read-only relocations.</span></div><div class="line"><a name="l00077"></a><span class="lineno"> 77</span>&#160;<span class="stringliteral"> GNU_RELRO program header must exist</span></div><div class="line"><a name="l00078"></a><span class="lineno"> 78</span>&#160;<span class="stringliteral"> Dynamic section must have BIND_NOW flag</span></div><div class="line"><a name="l00079"></a><span class="lineno"> 79</span>&#160;<span class="stringliteral"> &#39;&#39;&#39;</span></div><div class="line"><a name="l00080"></a><span class="lineno"> 80</span>&#160; have_gnu_relro = <span class="keyword">False</span></div><div class="line"><a name="l00081"></a><span class="lineno"> 81</span>&#160; <span class="keywordflow">for</span> (typ, flags) <span class="keywordflow">in</span> <a class="code" 
href="namespacesecurity-check.html#a2986e2737cc965723e6e738f57250af8">get_ELF_program_headers</a>(executable):</div><div class="line"><a name="l00082"></a><span class="lineno"> 82</span>&#160; <span class="comment"># Note: not checking flags == &#39;R&#39;: here as linkers set the permission differently</span></div><div class="line"><a name="l00083"></a><span class="lineno"> 83</span>&#160; <span class="comment"># This does not affect security: the permission flags of the GNU_RELRO program header are ignored, the PT_LOAD header determines the effective permissions.</span></div><div class="line"><a name="l00084"></a><span class="lineno"> 84</span>&#160; <span class="comment"># However, the dynamic linker need to write to this area so these are RW.</span></div><div class="line"><a name="l00085"></a><span class="lineno"> 85</span>&#160; <span class="comment"># Glibc itself takes care of mprotecting this area R after relocations are finished.</span></div><div class="line"><a name="l00086"></a><span class="lineno"> 86</span>&#160; <span class="comment"># See also http://permalink.gmane.org/gmane.comp.gnu.binutils/71347</span></div><div class="line"><a name="l00087"></a><span class="lineno"> 87</span>&#160; <span class="keywordflow">if</span> typ == <span class="stringliteral">&#39;GNU_RELRO&#39;</span>:</div><div class="line"><a name="l00088"></a><span class="lineno"> 88</span>&#160; have_gnu_relro = <span class="keyword">True</span></div><div class="line"><a name="l00089"></a><span class="lineno"> 89</span>&#160;</div><div class="line"><a name="l00090"></a><span class="lineno"> 90</span>&#160; have_bindnow = <span class="keyword">False</span></div><div class="line"><a name="l00091"></a><span class="lineno"> 91</span>&#160; p = subprocess.Popen([READELF_CMD, <span class="stringliteral">&#39;-d&#39;</span>, <span class="stringliteral">&#39;-W&#39;</span>, executable], stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)</div><div class="line"><a 
name="l00092"></a><span class="lineno"> 92</span>&#160; (stdout, stderr) = p.communicate()</div><div class="line"><a name="l00093"></a><span class="lineno"> 93</span>&#160; <span class="keywordflow">if</span> p.returncode:</div><div class="line"><a name="l00094"></a><span class="lineno"> 94</span>&#160; <span class="keywordflow">raise</span> IOError(<span class="stringliteral">&#39;Error opening file&#39;</span>)</div><div class="line"><a name="l00095"></a><span class="lineno"> 95</span>&#160; <span class="keywordflow">for</span> line <span class="keywordflow">in</span> stdout.split(<span class="stringliteral">&#39;\n&#39;</span>):</div><div class="line"><a name="l00096"></a><span class="lineno"> 96</span>&#160; tokens = line.split()</div><div class="line"><a name="l00097"></a><span class="lineno"> 97</span>&#160; <span class="keywordflow">if</span> len(tokens)&gt;1 <span class="keywordflow">and</span> tokens[1] == <span class="stringliteral">&#39;(BIND_NOW)&#39;</span> <span class="keywordflow">or</span> (len(tokens)&gt;2 <span class="keywordflow">and</span> tokens[1] == <span class="stringliteral">&#39;(FLAGS)&#39;</span> <span class="keywordflow">and</span> <span class="stringliteral">&#39;BIND_NOW&#39;</span> <span class="keywordflow">in</span> tokens[2]):</div><div class="line"><a name="l00098"></a><span class="lineno"> 98</span>&#160; have_bindnow = <span class="keyword">True</span></div><div class="line"><a name="l00099"></a><span class="lineno"> 99</span>&#160; <span class="keywordflow">return</span> have_gnu_relro <span class="keywordflow">and</span> have_bindnow</div><div class="line"><a name="l00100"></a><span class="lineno"> 100</span>&#160;</div><div class="line"><a name="l00101"></a><span class="lineno"><a class="line" href="namespacesecurity-check.html#a51140ce3094b3267f5631eed4b2ee865"> 101</a></span>&#160;<span class="keyword">def </span><a class="code" 
href="namespacesecurity-check.html#a51140ce3094b3267f5631eed4b2ee865">check_ELF_Canary</a>(executable):</div><div class="line"><a name="l00102"></a><span class="lineno"> 102</span>&#160; <span class="stringliteral">&#39;&#39;&#39;</span></div><div class="line"><a name="l00103"></a><span class="lineno"> 103</span>&#160;<span class="stringliteral"> Check for use of stack canary</span></div><div class="line"><a name="l00104"></a><span class="lineno"> 104</span>&#160;<span class="stringliteral"> &#39;&#39;&#39;</span></div><div class="line"><a name="l00105"></a><span class="lineno"> 105</span>&#160; p = subprocess.Popen([READELF_CMD, <span class="stringliteral">&#39;--dyn-syms&#39;</span>, <span class="stringliteral">&#39;-W&#39;</span>, executable], stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)</div><div class="line"><a name="l00106"></a><span class="lineno"> 106</span>&#160; (stdout, stderr) = p.communicate()</div><div class="line"><a name="l00107"></a><span class="lineno"> 107</span>&#160; <span class="keywordflow">if</span> p.returncode:</div><div class="line"><a name="l00108"></a><span class="lineno"> 108</span>&#160; <span class="keywordflow">raise</span> IOError(<span class="stringliteral">&#39;Error opening file&#39;</span>)</div><div class="line"><a name="l00109"></a><span class="lineno"> 109</span>&#160; ok = <span class="keyword">False</span></div><div class="line"><a name="l00110"></a><span class="lineno"> 110</span>&#160; <span class="keywordflow">for</span> line <span class="keywordflow">in</span> stdout.split(<span class="stringliteral">&#39;\n&#39;</span>):</div><div class="line"><a name="l00111"></a><span class="lineno"> 111</span>&#160; <span class="keywordflow">if</span> <span class="stringliteral">&#39;__stack_chk_fail&#39;</span> <span class="keywordflow">in</span> line:</div><div class="line"><a name="l00112"></a><span class="lineno"> 112</span>&#160; ok = <span class="keyword">True</span></div><div class="line"><a 
name="l00113"></a><span class="lineno"> 113</span>&#160; <span class="keywordflow">return</span> ok</div><div class="line"><a name="l00114"></a><span class="lineno"> 114</span>&#160;</div><div class="line"><a name="l00115"></a><span class="lineno"><a class="line" href="namespacesecurity-check.html#a0840acf01fbbdf1923cd3f4bebe25664"> 115</a></span>&#160;<span class="keyword">def </span><a class="code" href="namespacesecurity-check.html#a0840acf01fbbdf1923cd3f4bebe25664">get_PE_dll_characteristics</a>(executable):</div><div class="line"><a name="l00116"></a><span class="lineno"> 116</span>&#160; <span class="stringliteral">&#39;&#39;&#39;</span></div><div class="line"><a name="l00117"></a><span class="lineno"> 117</span>&#160;<span class="stringliteral"> Get PE DllCharacteristics bits</span></div><div class="line"><a name="l00118"></a><span class="lineno"> 118</span>&#160;<span class="stringliteral"> &#39;&#39;&#39;</span></div><div class="line"><a name="l00119"></a><span class="lineno"> 119</span>&#160; p = subprocess.Popen([OBJDUMP_CMD, <span class="stringliteral">&#39;-x&#39;</span>, executable], stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)</div><div class="line"><a name="l00120"></a><span class="lineno"> 120</span>&#160; (stdout, stderr) = p.communicate()</div><div class="line"><a name="l00121"></a><span class="lineno"> 121</span>&#160; <span class="keywordflow">if</span> p.returncode:</div><div class="line"><a name="l00122"></a><span class="lineno"> 122</span>&#160; <span class="keywordflow">raise</span> IOError(<span class="stringliteral">&#39;Error opening file&#39;</span>)</div><div class="line"><a name="l00123"></a><span class="lineno"> 123</span>&#160; <span class="keywordflow">for</span> line <span class="keywordflow">in</span> stdout.split(<span class="stringliteral">&#39;\n&#39;</span>):</div><div class="line"><a name="l00124"></a><span class="lineno"> 124</span>&#160; tokens = line.split()</div><div class="line"><a 
name="l00125"></a><span class="lineno"> 125</span>&#160; <span class="keywordflow">if</span> len(tokens)&gt;=2 <span class="keywordflow">and</span> tokens[0] == <span class="stringliteral">&#39;DllCharacteristics&#39;</span>:</div><div class="line"><a name="l00126"></a><span class="lineno"> 126</span>&#160; <span class="keywordflow">return</span> int(tokens[1],16)</div><div class="line"><a name="l00127"></a><span class="lineno"> 127</span>&#160; <span class="keywordflow">return</span> 0</div><div class="line"><a name="l00128"></a><span class="lineno"> 128</span>&#160;</div><div class="line"><a name="l00129"></a><span class="lineno"> 129</span>&#160;</div><div class="line"><a name="l00130"></a><span class="lineno"><a class="line" href="namespacesecurity-check.html#acd31e9bb6490ee27768b61b76f806280"> 130</a></span>&#160;<span class="keyword">def </span><a class="code" href="namespacesecurity-check.html#acd31e9bb6490ee27768b61b76f806280">check_PE_PIE</a>(executable):</div><div class="line"><a name="l00131"></a><span class="lineno"> 131</span>&#160; <span class="stringliteral">&#39;&#39;&#39;PIE: DllCharacteristics bit 0x40 signifies dynamicbase (ASLR)&#39;&#39;&#39;</span></div><div class="line"><a name="l00132"></a><span class="lineno"> 132</span>&#160; <span class="keywordflow">return</span> bool(<a class="code" href="namespacesecurity-check.html#a0840acf01fbbdf1923cd3f4bebe25664">get_PE_dll_characteristics</a>(executable) &amp; 0x40)</div><div class="line"><a name="l00133"></a><span class="lineno"> 133</span>&#160;</div><div class="line"><a name="l00134"></a><span class="lineno"><a class="line" href="namespacesecurity-check.html#a61ffd8c0f3c99152884349e69ec01a09"> 134</a></span>&#160;<span class="keyword">def </span><a class="code" href="namespacesecurity-check.html#a61ffd8c0f3c99152884349e69ec01a09">check_PE_NX</a>(executable):</div><div class="line"><a name="l00135"></a><span class="lineno"> 135</span>&#160; <span class="stringliteral">&#39;&#39;&#39;NX: 
DllCharacteristics bit 0x100 signifies nxcompat (DEP)&#39;&#39;&#39;</span></div><div class="line"><a name="l00136"></a><span class="lineno"> 136</span>&#160; <span class="keywordflow">return</span> bool(<a class="code" href="namespacesecurity-check.html#a0840acf01fbbdf1923cd3f4bebe25664">get_PE_dll_characteristics</a>(executable) &amp; 0x100)</div><div class="line"><a name="l00137"></a><span class="lineno"> 137</span>&#160;</div><div class="line"><a name="l00138"></a><span class="lineno"><a class="line" href="namespacesecurity-check.html#ab37201df6aba2d7ce0c7ac7f64f5b670"> 138</a></span>&#160;CHECKS = {</div><div class="line"><a name="l00139"></a><span class="lineno"> 139</span>&#160;<span class="stringliteral">&#39;ELF&#39;</span>: [</div><div class="line"><a name="l00140"></a><span class="lineno"> 140</span>&#160; (<span class="stringliteral">&#39;PIE&#39;</span>, check_ELF_PIE),</div><div class="line"><a name="l00141"></a><span class="lineno"> 141</span>&#160; (<span class="stringliteral">&#39;NX&#39;</span>, check_ELF_NX),</div><div class="line"><a name="l00142"></a><span class="lineno"> 142</span>&#160; (<span class="stringliteral">&#39;RELRO&#39;</span>, check_ELF_RELRO),</div><div class="line"><a name="l00143"></a><span class="lineno"> 143</span>&#160; (<span class="stringliteral">&#39;Canary&#39;</span>, check_ELF_Canary)</div><div class="line"><a name="l00144"></a><span class="lineno"> 144</span>&#160;],</div><div class="line"><a name="l00145"></a><span class="lineno"> 145</span>&#160;<span class="stringliteral">&#39;PE&#39;</span>: [</div><div class="line"><a name="l00146"></a><span class="lineno"> 146</span>&#160; (<span class="stringliteral">&#39;PIE&#39;</span>, check_PE_PIE),</div><div class="line"><a name="l00147"></a><span class="lineno"> 147</span>&#160; (<span class="stringliteral">&#39;NX&#39;</span>, check_PE_NX)</div><div class="line"><a name="l00148"></a><span class="lineno"> 148</span>&#160;]</div><div class="line"><a name="l00149"></a><span 
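def identify_executable(executable):
    """Classify a file as 'PE' or 'ELF' from its leading magic bytes.

    Args:
        executable: path of the file to inspect.

    Returns:
        'PE' if the file starts with b'MZ', 'ELF' if it starts with
        b'\\x7fELF', otherwise None.

    Raises:
        IOError: if the file cannot be opened or read.

    Only the first four bytes are examined; nothing here validates that the
    rest of the file is a well-formed image of that type.
    """
    # Open the path that was passed in. The original opened the module-level
    # name `filename` (the loop variable of the __main__ block), so the
    # function only worked when called from that loop and raised NameError
    # when used from anywhere else.
    with open(executable, 'rb') as f:
        magic = f.read(4)
    if magic.startswith(b'MZ'):
        return 'PE'
    elif magic.startswith(b'\x7fELF'):
        return 'ELF'
    return None


if __name__ == '__main__':
    # Exit status is the gate a build or release script acts on: it becomes 1
    # as soon as any file is unreadable, is of an unknown format, or fails at
    # least one hardening check. Note that with no file arguments the loop
    # does not run and the status stays 0, so callers should make sure they
    # actually pass the binaries they mean to verify.
    retval = 0
    for filename in sys.argv[1:]:
        try:
            etype = identify_executable(filename)
            if etype is None:
                # Fail closed: a format we cannot classify cannot be checked,
                # so it is reported as a failure rather than skipped.
                print('%s: unknown format' % filename)
                retval = 1
                continue

            # Run every check registered for this format and collect the
            # names of the ones that did not pass, so one report line lists
            # all missing protections for the file.
            failed = []
            for (name, func) in CHECKS[etype]:
                if not func(filename):
                    failed.append(name)
            if failed:
                print('%s: failed %s' % (filename, ' '.join(failed)))
                retval = 1
        except IOError:
            print('%s: cannot open' % filename)
            retval = 1
    # sys.exit rather than the bare `exit` helper, which is injected by the
    # `site` module and is absent when Python runs with -S or embedded.
    sys.exit(retval)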
</div><!-- fragment --></div><!-- contents -->
</div><!-- doc-content -->
</body>
</html>