
First impression checksec-go #252

Open
teoberi opened this issue Jun 19, 2024 · 17 comments

Comments

@teoberi
Contributor

teoberi commented Jun 19, 2024

There are small differences in the options, for example:
./checksec --file=/usr/bin/ssh
vs
./main file /usr/bin/ssh
The variant for Golang seems to me not very intuitive, that is:

  1. missing "--" or at least "-" for options;
  2. missing "=" between the option and the path to the file.

Is ASCII Art Generator for checksec a bit too big?

[image: checksec]

RELRO and FORTIFY still differ between the two versions. I only checked for /usr/bin/ssh

@slimm609
Owner

This is a difference between using cobra as part of golang which makes several things much easier including shell completion so this will be a difference between the 2.

@slimm609
Owner

slimm609 commented Jun 23, 2024

RELRO is partially broken at the moment (and listed in the README as broken) but FORTIFY should be pretty accurate. The count will be off a bit due to some difference in available functions but it should be more accurate. https://github.com/slimm609/checksec.sh/blob/main/pkg/checksec/fortify.go#L33 lists only functions that can actually be fortified. I have not backported this to the bash version since this is intended to replace it.

@slimm609
Owner

RELRO is fixed in #253

@teoberi
Contributor Author

teoberi commented Jun 24, 2024

I will test the changes!
Have you tried the checksec ASCII art in the combination of green writing on a black background? It looks more effective and inspires confidence.
[image: checksec green]
I compiled it statically with the command:
go build -tags osusergo,netgo main.go
but the file size is 6.8 M

@slimm609
Owner

I changed the color to green in the latest MR. The file size will be larger because it is a static binary that doesn't require any external dependencies. This means it does need to include all libraries needed to perform the scans. However, today you need to install many more dependencies, and it requires bash and multiple packages that are no longer needed with the golang release.

@teoberi
Contributor Author

teoberi commented Dec 9, 2024

@slimm609 any ETA for the Golang version?

@slimm609
Owner

slimm609 commented Dec 9, 2024

I have been fighting with brew bottles to get it working as part of the release but I think I am going to pause that and just get it released. I will try to finish this week

@teoberi
Contributor Author

teoberi commented Dec 9, 2024

Glad to know that, I rely on checksec when compiling Linux packages and I do this quite often.

@slimm609
Owner

3.0.0 has been released.

@teoberi
Contributor Author

teoberi commented Dec 16, 2024

I come back with some clarification requests (raised in the first post of this thread).
Is there a good reason or technical limitation why:

  1. the options lost "--" and "=", for example
     ./checksec --file=/usr/bin/ssh
     became
     ./checksec file /usr/bin/ssh
     which is not very intuitive;
  2. ./checksec --proc-all
     became
     ./checksec procAll
     where the capital letter creates a typing problem. Likewise:
     --fortify-file= -> fortifyFile
     --fortify-proc= -> fortifyProc

These changes don't seem to me to be in the way of Linux.

@Andarwinux

RELRO still has problems if the ELF is linked with -Wl,-Bsymbolic:

Warning: Dynamic Binary found but missing libc. Fortify results will be skipped

  _____ _    _ ______ _____ _  __ _____ ______ _____
 / ____| |  | |  ____/ ____| |/ // ____|  ____/ ____|
| |    | |__| | |__ | |    | ' /| (___ | |__ | |
| |    |  __  |  __|| |    |  <  \___ \|  __|| |
| |____| |  | | |___| |____| . \ ____) | |___| |____
 \_____|_|  |_|______\_____|_|\_\_____/|______\_____|

RELRO                   Stack Canary              NX                    PIE                     RPATH              RUNPATH              Symbols                 FORTIFY            Fortified           Fortifiable              Name                                    
Partial RELRO            No Canary Found            NX enabled             PIE Enabled              No RPATH            No RUNPATH            No Symbols               N/A                 0                   0                        llvm                                    
Dynamic section at offset 0x2398 contains 29 entries:
  Tag                Type           Name/Value
  0x0000000000000001 (NEEDED)       Shared library: [libm.so.6]
  0x0000000000000001 (NEEDED)       Shared library: [libc.so.6]
  0x000000000000001e (FLAGS)        SYMBOLIC BIND_NOW 
  0x000000006ffffffb (FLAGS_1)      NOW PIE 
  0x0000000000000007 (RELA)         0x3288
  0x0000000000000008 (RELASZ)       672 (bytes)
  0x0000000000000009 (RELAENT)      24 (bytes)
  0x0000000000000024 (RELR)         0x3528
  0x0000000000000023 (RELRSZ)       66288 (bytes)
  0x0000000000000025 (RELRENT)      8 (bytes)
  0x0000000000000017 (JMPREL)       0x13818
  0x0000000000000002 (PLTRELSZ)     6216 (bytes)
  0x0000000000000003 (PLTGOT)       0x5ff4c68
  0x0000000000000014 (PLTREL)       RELA
  0x0000000000000006 (SYMTAB)       0x3c8
  0x000000000000000b (SYMENT)       24 (bytes)
  0x0000000000000005 (STRTAB)       0x2568
  0x000000000000000a (STRSZ)        3359 (bytes)
  0x000000006ffffef5 (GNU_HASH)     0x2300
  0x0000000000000019 (INIT_ARRAY)   0x5ff3bd0
  0x000000000000001b (INIT_ARRAYSZ) 3880 (bytes)
  0x000000000000001a (FINI_ARRAY)   0x5ff4af8
  0x000000000000001c (FINI_ARRAYSZ) 8 (bytes)
  0x000000000000000c (INIT)         0x6c3ab1e
  0x000000000000000d (FINI)         0x6a65c1a
  0x000000006ffffff0 (VERSYM)       0x1f70
  0x000000006ffffffe (VERNEED)      0x21c0
  0x000000006fffffff (VERNEEDNUM)   2
  0x0000000000000000 (NULL)         0x0
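The dump above is worth reading closely: the binary has no DT_BIND_NOW entry at all, yet it asks for bind-now twice, through DF_BIND_NOW in DT_FLAGS (shown as BIND_NOW) and DF_1_NOW in DT_FLAGS_1 (shown as NOW). A checker that only looks for the bare DT_BIND_NOW tag will report Partial RELRO for it. The following Go checker is added here as an example and is not checksec's own code; it assumes that this tag-only lookup is the cause of the misreport (the thread does not confirm it), the function names bindNow, classifyRelro and relroFromFile are mine, and (*elf.File).DynValue and the DF_1_* constants require Go 1.21 or newer.

```go
package main

import "debug/elf"

// bindNow: the loader resolves every symbol at startup. Any of three encodings
// says so: a bare DT_BIND_NOW tag, DF_BIND_NOW in DT_FLAGS, or DF_1_NOW in DT_FLAGS_1.
func bindNow(dyn map[elf.DynTag][]uint64) bool {
	if len(dyn[elf.DT_BIND_NOW]) > 0 {
		return true
	}
	for _, v := range dyn[elf.DT_FLAGS] {
		if elf.DynFlag(v)&elf.DF_BIND_NOW != 0 {
			return true
		}
	}
	for _, v := range dyn[elf.DT_FLAGS_1] {
		if elf.DynFlag1(v)&elf.DF_1_NOW != 0 {
			return true
		}
	}
	return false
}

// classifyRelro: a PT_GNU_RELRO segment is needed for any RELRO; bind-now makes it Full.
func classifyRelro(hasRelroSegment bool, dyn map[elf.DynTag][]uint64) string {
	if !hasRelroSegment {
		return "No RELRO"
	}
	if bindNow(dyn) {
		return "Full RELRO"
	}
	return "Partial RELRO"
}

// relroFromFile collects the GNU_RELRO segment flag and the three tags from an ELF file.
func relroFromFile(path string) (string, error) {
	f, err := elf.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	hasRelro := false
	for _, p := range f.Progs {
		hasRelro = hasRelro || p.Type == elf.PT_GNU_RELRO
	}
	dyn := map[elf.DynTag][]uint64{}
	for _, t := range []elf.DynTag{elf.DT_BIND_NOW, elf.DT_FLAGS, elf.DT_FLAGS_1} {
		dyn[t], _ = f.DynValue(t) // nil when the tag is absent; bindNow treats nil as unset
	}
	return classifyRelro(hasRelro, dyn), nil
}
```

Run against a binary with relroFromFile(path); for the llvm binary above the constructed flag words alone (SYMBOLIC|BIND_NOW, NOW|PIE) are enough to yield Full RELRO.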

@teoberi
Contributor Author

teoberi commented Dec 20, 2024

checksec file asmc

Warning: Dynamic Binary found but missing libc. Fortify results will be skipped
RELRO Stack Canary NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable Name
Full RELRO No Canary Found NX enabled PIE Enabled No RPATH No RUNPATH No Symbols N/A 0 0 asmc

Source file:
https://github.com/nidud/asmc_linux

@hartwork

hartwork commented Dec 21, 2024

@slimm609 FYI I've been maintaining Bash-based checksec 2.x.x in Gentoo but am not at home in the Golang ecosystem enough to be a good maintainer of Go-based >=3.0.0 and so have reached out to fellow Gentoo developers to find someone taking over a Golang-remake of the Gentoo package for >=3.0.0 at https://bugs.gentoo.org/946784 and also via mailing list gentoo-dev at https://public-inbox.gentoo.org/gentoo-dev/[email protected]/T/#u . All the best for checksec 3! 🙏

@slimm609
Owner

@slimm609 FYI I've been maintaining Bash-based checksec 2.x.x in Gentoo but am not at home in the Golang ecosystem enough to be a good maintainer of Go-based >=3.0.0 and so have reached out to fellow Gentoo developers to find someone taking over a Golang-remake of the Gentoo package for >=3.0.0 at https://bugs.gentoo.org/946784 and also via mailing list gentoo-dev at https://public-inbox.gentoo.org/gentoo-dev/[email protected]/T/#u . All the best for checksec 3! 🙏

Can you share details for the code that builds the package that exists now? I am not familiar with the gentoo build process but it should be fairly easy to adapt and can see what I can do to help

@hartwork

hartwork commented Dec 21, 2024

@slimm609 the hard part are the Golang dependencies, so the ebuild targeting the Bash version will likely not help much with the actual task (but it's at https://gitweb.gentoo.org/repo/gentoo.git/tree/app-admin/checksec/checksec-2.7.1-r1.ebuild if you're curious, still).

@slimm609
Owner

slimm609 commented Dec 21, 2024

@hartwork yea, I understand. I wasn't familiar with the gentoo sources but kubectx (https://gitweb.gentoo.org/repo/gentoo.git/tree/app-admin/kubectx/kubectx-0.9.4.ebuild) is a similar process to build as the new golang checksec

@hartwork

@slimm609 kubectx-0.9.4.ebuild may look easy but there is a deps tarball (line 10) involved and so on. It will need someone at home with the matter to produce a high quality ebuild and be a good maintainer.
