
Verifying RELRO/SSP/PIE/ASLR/NX support on your distro

Posted: Fri Apr 17, 2009 3:59 pm
by spender
Tobias Klein recently released version 1.2 of his checksec.sh script. It's a very useful tool for quickly surveying the mitigation technologies in use by processes on your system.

You can download it here:
http://www.trapkit.de/tools/checksec.html

-Brad

Re: Verifying RELRO support on your distro

Posted: Fri Apr 17, 2009 7:24 pm
by cormander
The distro I use currently does not have any RELRO support. What file(s) do I have to modify to make things I compile there have RELRO support?

Re: Verifying RELRO support on your distro

Posted: Fri Apr 17, 2009 8:43 pm
by cormander
OK so after an hour of digging, here we go:

First off you need a specs file. You can check that by passing -v to the gcc command. If you're like me, you have:

gcc -v
Using built-in specs.

If that's the case, you simply need to create one. You can do so like this: (this was done on a CentOS 5.3 x86_64 machine)

gcc -dumpspecs > /usr/lib/gcc/x86_64-redhat-linux/4.1.2/specs

The directory specs goes in changes from system to system depending on distro, arch, and gcc version.

Now edit this file and find the line that says:

*link:


and add this to the end of the stuff on the next line:

%{!norelro: -z relro} %{relro: } %{!nonow: -z now} %{now: }


My full line looks like this:

*link:
%{!static:--eh-frame-hdr} %{!m32:-m elf_x86_64} %{m32:-m elf_i386} --hash-style=gnu   %{shared:-shared}   %{!shared:     %{!static:       %{rdynamic:-export-dynamic}       %{m32:%{!dynamic-linker:-dynamic-linker /lib/ld-linux.so.2}}       %{!m32:%{!dynamic-linker:-dynamic-linker /lib64/ld-linux-x86-64.so.2}}}     %{static:-static}} %{!norelro: -z relro} %{relro: } %{!nonow: -z now} %{now: }


I got the info on how to modify the specs file from the gentoo wiki:

http://www.gentoo.org/proj/en/hardened/ ... lchain.xml

Re: Verifying RELRO support on your distro

Posted: Wed Jun 03, 2009 9:41 am
by Dwokfur
cormander wrote: OK so after an hour of digging, here we go:

First off you need a specs file. You can check that by passing -v to the gcc command. If you're like me, you have:

gcc -v
Using built-in specs.

If that's the case, you simply need to create one. You can do so like this: (this was done on a CentOS 5.3 x86_64 machine)


Take a look at Hardened Gentoo. They got far with custom spec files. But that requires modification to the whole toolchain and a method to introduce exceptions.

Regards:
Dw.

Re: Verifying RELRO/SSP/PIE/ASLR/NX support on your distro

Posted: Tue Aug 07, 2012 9:02 pm
by GBit
What's checksec referring to with these two?

* grsecurity / PaX: Custom GRKERNSEC

Non-executable kernel pages
Prevent userspace pointer deref

Re: Verifying RELRO/SSP/PIE/ASLR/NX support on your distro

Posted: Tue Oct 29, 2013 4:06 pm
by sfs6dzs
GBit wrote: What's checksec referring to with these two?

* grsecurity / PaX: Custom GRKERNSEC

Non-executable kernel pages
Prevent userspace pointer deref


I know it's a bit late but here's an article about this:
http://hypervion.blogspot.com/2012/07/differences-in-security-between-fedora.html

Re: Verifying RELRO/SSP/PIE/ASLR/NX support on your distro

Posted: Sun Feb 16, 2014 1:56 am
by slimm609
I have submitted patches to Tobias for checksec in the past, but it seems like he is no longer updating/maintaining it. I have updated the grsecurity checks as well as some other features including JSON, XML and CSV output.

https://github.com/slimm609/checksec.sh