
Use checksec for auditing artifacts

Open noloader opened this issue 3 years ago • 0 comments

Is your feature request related to a problem? Please describe.

I think Zstd might be able to benefit from Checksec. Checksec is a tool to examine output artifacts for hardening, like relro and nxstacks. Checksec was originally written by a fellow named Tobias Klein. Another fellow forked it and put it on GitHub after Klein ran out of spare cycles to maintain it. The one I use nowadays is at https://github.com/slimm609/checksec.sh.

Describe the solution you'd like

After make is run, examine the output artifacts for hardening, like relro and nxstacks. If you don't see them, then there's an opportunity for improvement in the build process. That is, there are some flags that can be applied but may be missing. Missing flags can include CFLAGS += -fstack-protector-strong and LDFLAGS += -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack. And output programs like zstd should probably use -fPIC and -fpie for ASLR.

Describe alternatives you've considered

None really. Leaving output artifacts unhardened is the old way of doing things. It is playing with fire nowadays.

Additional context

Let me show you what it might look like.

```
cd zstd-1.5.1

wget -O checksec https://raw.githubusercontent.com/slimm609/checksec.sh/master/checksec
chmod +x checksec

make
...

./audit-zstd.sh 
****************************************
./lib/obj/conf_03191427055b63abb996cb13948f877b/dynamic/libzstd.so.1.5.1:

RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH	Symbols		FORTIFY	Fortified	Fortifiable	FILE
Full RELRO      No canary found   NX enabled    DSO             No RPATH   RW-RUNPATH   1136) Symbols	  No	0		4		./lib/obj/conf_03191427055b63abb996cb13948f877b/dynamic/libzstd.so.1.5.1
****************************************
./lib/libzstd.so.1.5.1:

RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH	Symbols		FORTIFY	Fortified	Fortifiable	FILE
Full RELRO      No canary found   NX enabled    DSO             No RPATH   RW-RUNPATH   1136) Symbols	  No	0		4		./lib/libzstd.so.1.5.1
****************************************
./programs/obj/conf_29d7c58f592486d72c632f830214ae44/zstd:

RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH	Symbols		FORTIFY	Fortified	Fortifiable	FILE
Full RELRO      No canary found   NX enabled    No PIE          No RPATH   RW-RUNPATH   1439) Symbols	  No	0		8		./programs/obj/conf_29d7c58f592486d72c632f830214ae44/zstd
****************************************
./programs/zstd:

RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH	Symbols		FORTIFY	Fortified	Fortifiable	FILE
Full RELRO      No canary found   NX enabled    No PIE          No RPATH   RW-RUNPATH   1439) Symbols	  No	0		8		./programs/zstd
****************************************
```

As you can see, some hardening is present, like full relro (due to my LDFLAGS) and nxstacks (due to my ASFLAGS and LDFLAGS). But some other hardening appears to be missing, like fortified sources.

Here's the script I used for the audit:

cat audit-zstd.sh

```bash
#!/usr/bin/env bash
# Walk the build tree and run checksec on every ELF executable or shared object.
# NUL-separated paths plus IFS= on the read keep unusual filenames intact.
find . -type f -print0 | while IFS= read -r -d '' file
do
    # Newer file(1) reports PIE binaries as application/x-pie-executable, so
    # match that as well or the hardened PIEs would be skipped.
    if ! file -ibh "${file}" | grep -qE 'application/x-(sharedlib|executable|pie-executable)'; then
        continue
    fi

    echo "****************************************"
    echo "${file}:"
    echo ""

    ./checksec --file="${file}"
done
echo "****************************************"
```

And things only get worse on the BSDs. The BSDs are legendary for their security, but they often lack flags applied by default by Debian and Red Hat.

Note that we have to use checksec because the Binutils folks don't provide us with an auditelf program to do this for us. I'd much rather have a program from Binutils to do this. (And I know Checksec has some gaps, but it will have to do for the moment.)

If you don't mind me saying, Facebook should be auditing forward-facing binaries like this. In US Financial this is often a security gate I put in place. If a program is going to open a listening socket, then it must be hardened or it does not get released to production.

noloader, Jan 18 '22 16:01
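To show what checksec's RELRO, NX and PIE columns are actually reading from the headers of artifacts like ./programs/zstd and libzstd.so, here is an added Python example (mine, not checksec's code and not anything from the zstd project) that parses little-endian ELF64 program headers and dynamic tags. The `build_elf` helper, the sample images, and the rule that DF_1_PIE separates a PIE from a plain DSO are constructed assumptions, and the stack-canary and FORTIFY columns, which need the symbol table, are left out.

```python
import struct

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, ET_EXEC, ET_DYN = 1, 2, 3
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000
EHDR, PHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"  # little-endian ELF64 struct layouts

def audit_elf(data: bytes) -> dict:
    """Return the RELRO / NX / PIE verdicts checksec prints, read straight from the ELF headers."""
    ident, e_type, _, _, _, phoff, _, _, _, phentsize, phnum, *_ = struct.unpack_from(EHDR, data, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    # Program header tuple: (p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align)
    phdrs = [struct.unpack_from(PHDR, data, phoff + i * phentsize) for i in range(phnum)]
    stack = next((p for p in phdrs if p[0] == PT_GNU_STACK), None)   # from -Wl,-z,noexecstack
    dynamic = next((p for p in phdrs if p[0] == PT_DYNAMIC), None)
    tags = {}  # dynamic section tags, walked until DT_NULL; -z now and -pie leave marks here
    if dynamic is not None:
        off, end = dynamic[2], dynamic[2] + dynamic[5]
        while off + 16 <= end:
            tag, val = struct.unpack_from(DYN, data, off)
            if tag == DT_NULL:
                break
            tags[tag], off = val, off + 16
    has_relro = any(p[0] == PT_GNU_RELRO for p in phdrs)            # from -Wl,-z,relro
    bind_now = (DT_BIND_NOW in tags or tags.get(DT_FLAGS, 0) & DF_BIND_NOW
                or tags.get(DT_FLAGS_1, 0) & DF_1_NOW)               # from -Wl,-z,now
    # Assumption: DF_1_PIE separates a PIE from a plain DSO (checksec.sh uses its own heuristic).
    pie = "No PIE" if e_type == ET_EXEC else "PIE" if tags.get(DT_FLAGS_1, 0) & DF_1_PIE else "DSO"
    return {
        "RELRO": "Full RELRO" if has_relro and bind_now else "Partial RELRO" if has_relro else "No RELRO",
        "NX": "NX enabled" if stack is not None and not stack[1] & PF_X else "NX disabled",
        "PIE": pie,
    }

def build_elf(e_type: int, stack_flags: int, relro: bool, dyn: dict) -> bytes:
    # Assemble a constructed, non-loadable ELF64 image carrying only the headers audited above.
    dyn_bytes = b"".join(struct.pack(DYN, t, v) for t, v in dyn.items()) + struct.pack(DYN, DT_NULL, 0)
    segs = [(PT_GNU_STACK, stack_flags, 0, 0)] + ([(PT_GNU_RELRO, 4, 0, 0)] if relro else [])
    dyn_off = struct.calcsize(EHDR) + struct.calcsize(PHDR) * (len(segs) + 1)
    segs.append((PT_DYNAMIC, 6, dyn_off, len(dyn_bytes)))
    phdrs = b"".join(struct.pack(PHDR, t, f, o, o, o, n, n, 8) for t, f, o, n in segs)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, little-endian, version 1, SysV ABI
    ehdr = struct.pack(EHDR, ident, e_type, 0x3E, 1, 0, 64, 0, 0, 64, 56, len(segs), 64, 0, 0)
    return ehdr + phdrs + dyn_bytes

# Constructed samples, not real zstd artifacts: a fully hardened PIE versus an old-style ET_EXEC.
HARDENED = build_elf(ET_DYN, 6, True, {DT_FLAGS: DF_BIND_NOW, DT_FLAGS_1: DF_1_NOW | DF_1_PIE})
LEGACY = build_elf(ET_EXEC, 7, False, {})
```

Run `audit_elf(open("./programs/zstd", "rb").read())` in the build tree to compare the verdicts with the checksec table above.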