Verifying RELRO/SSP/PIE/ASLR/NX support on your distro


Post by spender » Fri Apr 17, 2009 3:59 pm

Tobias Klein recently released version 1.2 of his checksec.sh script. It's a very useful tool for quickly surveying the mitigation technologies in use by processes on your system.

You can download it here:
http://www.trapkit.de/tools/checksec.html

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Verifying RELRO support on your distro

Post by cormander » Fri Apr 17, 2009 7:24 pm

The distro I use currently does not have any RELRO support. What file(s) do I have to modify to make things I compile there have RELRO support?
cormander
 
Posts: 154
Joined: Tue Jan 29, 2008 12:51 pm

Re: Verifying RELRO support on your distro

Post by cormander » Fri Apr 17, 2009 8:43 pm

OK so after an hour of digging, here we go:

First off you need a specs file. You can check that by passing -v to the gcc command. If you're like me, you have:

gcc -v
Using built-in specs.

If that's the case, you simply need to create one. You can do so like this: (this was done on a CentOS 5.3 x86_64 machine)

gcc -dumpspecs > /usr/lib/gcc/x86_64-redhat-linux/4.1.2/specs

The directory specs goes in changes from system to system depending on distro, arch, and gcc version.

Now edit this file and find the line that says:

*link:


and add this to the end of the stuff on the next line:

%{!norelro: -z relro} %{relro: } %{!nonow: -z now} %{now: }


My full line looks like this:

*link:
%{!static:--eh-frame-hdr} %{!m32:-m elf_x86_64} %{m32:-m elf_i386} --hash-style=gnu   %{shared:-shared}   %{!shared:     %{!static:       %{rdynamic:-export-dynamic}       %{m32:%{!dynamic-linker:-dynamic-linker /lib/ld-linux.so.2}}       %{!m32:%{!dynamic-linker:-dynamic-linker /lib64/ld-linux-x86-64.so.2}}}     %{static:-static}} %{!norelro: -z relro} %{relro: } %{!nonow: -z now} %{now: }


I got the info on how to modify the specs file from the gentoo wiki:

http://www.gentoo.org/proj/en/hardened/ ... lchain.xml
cormander
 
Posts: 154
Joined: Tue Jan 29, 2008 12:51 pm
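
An added example, not part of cormander's post or of checksec.sh: one way to confirm that the specs change above took effect is to look for the ELF markers the two linker options leave behind, as reported by readelf. The function names and the sample readelf excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added example. -z relro yields a GNU_RELRO program header; -z now yields a
# BIND_NOW dynamic tag or flag (or NOW in FLAGS_1, depending on the linker).
# classify_relro reads `readelf -W -l -d` output on stdin.
classify_relro() {
    out=$(cat)
    if ! printf '%s\n' "$out" | grep -q 'GNU_RELRO'; then
        echo "No RELRO"
    elif printf '%s\n' "$out" | grep -Eq 'BIND_NOW|\(FLAGS_1\).*[: ]NOW( |$)'; then
        echo "Full RELRO"
    else
        echo "Partial RELRO"    # relro segment present, lazy binding still on
    fi
}

# Classify a real binary (requires readelf from binutils).
check_file() { readelf -W -l -d "$1" 2>/dev/null | classify_relro; }

# Constructed readelf excerpts for an offline check (not real captures).
sample_none() { cat <<'EOF'
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x8
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
EOF
}
sample_partial() { cat <<'EOF'
  GNU_RELRO      0x000e10 0x0000000000600e10 0x0000000000600e10 0x0001f0 0x0001f0 R   0x1
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000006ffffffb (FLAGS_1)            Flags: NODELETE
EOF
}
sample_full() { cat <<'EOF'
  GNU_RELRO      0x000de8 0x0000000000600de8 0x0000000000600de8 0x000218 0x000218 R   0x1
 0x0000000000000018 (BIND_NOW)
EOF
}
sample_full_flags1() { cat <<'EOF'
  GNU_RELRO      0x000de8 0x0000000000600de8 0x0000000000600de8 0x000218 0x000218 R   0x1
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
EOF
}

# Usage: sh relro_check.sh /path/to/binary [...]
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(check_file "$f")"
done
```

Run it against a binary built before the specs edit and one built after; the second should report Full RELRO unless -norelro or -nonow was passed to gcc.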

Re: Verifying RELRO support on your distro

Post by Dwokfur » Wed Jun 03, 2009 9:41 am

cormander wrote: OK so after an hour of digging, here we go:

First off you need a specs file. You can check that by passing -v to the gcc command. If you're like me, you have:

gcc -v
Using built-in specs.

If that's the case, you simply need to create one. You can do so like this: (this was done on a CentOS 5.3 x86_64 machine)


Take a look at Hardened Gentoo. They got far with custom spec files. But that requires modification to the whole toolchain and a method to introduce exceptions.

Regards:
Dw.
Dwokfur
 
Posts: 99
Joined: Tue Jun 08, 2004 10:07 am

Re: Verifying RELRO/SSP/PIE/ASLR/NX support on your distro

Post by GBit » Tue Aug 07, 2012 9:02 pm

What's checksec referring to with these two?

* grsecurity / PaX: Custom GRKERNSEC

Non-executable kernel pages
Prevent userspace pointer deref
GBit
 
Posts: 81
Joined: Mon Jun 04, 2012 3:31 pm

Re: Verifying RELRO/SSP/PIE/ASLR/NX support on your distro

Post by sfs6dzs » Tue Oct 29, 2013 4:06 pm

GBit wrote: What's checksec referring to with these two?

* grsecurity / PaX: Custom GRKERNSEC

Non-executable kernel pages
Prevent userspace pointer deref


I know it's a bit late but here's an article about this:
http://hypervion.blogspot.com/2012/07/differences-in-security-between-fedora.html
sfs6dzs
 
Posts: 11
Joined: Thu Jul 12, 2012 11:47 am

Re: Verifying RELRO/SSP/PIE/ASLR/NX support on your distro

Post by slimm609 » Sun Feb 16, 2014 1:56 am

I have submitted patches to Tobias for checksec in the past, but it seems like he is no longer updating/maintaining it. I have updated the grsecurity checks as well as some other features including JSON, XML and CSV output.

https://github.com/slimm609/checksec.sh
slimm609
 
Posts: 12
Joined: Sun Apr 01, 2007 6:36 am

