scripts: make security checks architecture independent

This paves the way for using and checking for architecture dependent flags like -fcf-protection on x86_64 Linux and -mbranch-protection on 64 bit ARM.
author: fanquake <fanquake@gmail.com> 2021-12-16 15:05:44 +0800
committer: fanquake <fanquake@gmail.com> 2022-01-03 21:36:55 +0800
commit: b9898aeeaa6a3db76e40f1981d0a9db80a5d82ff (patch)
tree: 8e5f5a8452dcfbc30cad378f35504a494662f598 /contrib
parent: d69af93223c4008c3255f7e4848ff05d78c514fa (diff)
1 files changed, 38 insertions, 8 deletions
diff --git a/contrib/devtools/security-check.py b/contrib/devtools/security-check.py
index 655f2c89c0..137fe377da 100755
--- a/contrib/devtools/security-check.py
+++ b/contrib/devtools/security-check.py
@@ -12,6 +12,10 @@ from typing import List
 
 import lief #type:ignore
 
+# temporary constant, to be replaced with lief.ELF.ARCH.RISCV
+# https://github.com/lief-project/LIEF/pull/562
+LIEF_ELF_ARCH_RISCV = lief.ELF.ARCH(243)
+
 def check_ELF_RELRO(binary) -> bool:
     '''
     Check for read-only relocations.
@@ -178,24 +182,24 @@ def check_control_flow(binary) -> bool:
         return True
     return False
 
-
-CHECKS = {
-lief.EXE_FORMATS.ELF: [
+BASE_ELF = [
     ('PIE', check_PIE),
     ('NX', check_NX),
     ('RELRO', check_ELF_RELRO),
     ('Canary', check_ELF_Canary),
     ('separate_code', check_ELF_separate_code),
-],
-lief.EXE_FORMATS.PE: [
+]
+
+BASE_PE = [
     ('PIE', check_PIE),
     ('DYNAMIC_BASE', check_PE_DYNAMIC_BASE),
     ('HIGH_ENTROPY_VA', check_PE_HIGH_ENTROPY_VA),
     ('NX', check_NX),
     ('RELOC_SECTION', check_PE_RELOC_SECTION),
     ('CONTROL_FLOW', check_PE_control_flow),
-],
-lief.EXE_FORMATS.MACHO: [
+]
+
+BASE_MACHO = [
     ('PIE', check_PIE),
     ('NOUNDEFS', check_MACHO_NOUNDEFS),
     ('NX', check_NX),
@@ -203,6 +207,21 @@ lief.EXE_FORMATS.MACHO: [
     ('Canary', check_MACHO_Canary),
     ('CONTROL_FLOW', check_control_flow),
 ]
+
+CHECKS = {
+    lief.EXE_FORMATS.ELF: {
+        lief.ARCHITECTURES.X86: BASE_ELF,
+        lief.ARCHITECTURES.ARM: BASE_ELF,
+        lief.ARCHITECTURES.ARM64: BASE_ELF,
+        lief.ARCHITECTURES.PPC: BASE_ELF,
+        LIEF_ELF_ARCH_RISCV: BASE_ELF,
+    },
+    lief.EXE_FORMATS.PE: {
+        lief.ARCHITECTURES.X86: BASE_PE,
+    },
+    lief.EXE_FORMATS.MACHO: {
+        lief.ARCHITECTURES.X86: BASE_MACHO,
+    }
 }
 
 if __name__ == '__main__':
@@ -211,13 +230,24 @@ if __name__ == '__main__':
         try:
             binary = lief.parse(filename)
             etype = binary.format
+            arch = binary.abstract.header.architecture
+            binary.concrete
+
             if etype == lief.EXE_FORMATS.UNKNOWN:
                 print(f'{filename}: unknown executable format')
                 retval = 1
                 continue
 
+            if arch == lief.ARCHITECTURES.NONE:
+                if binary.header.machine_type == LIEF_ELF_ARCH_RISCV:
+                    arch = LIEF_ELF_ARCH_RISCV
+                else:
+                    print(f'{filename}: unknown architecture')
+                    retval = 1
+                    continue
+
             failed: List[str] = []
-            for (name, func) in CHECKS[etype]:
+            for (name, func) in CHECKS[etype][arch]:
                 if not func(binary):
                     failed.append(name)
             if failed:
author	fanquake <fanquake@gmail.com>	2021-12-16 15:05:44 +0800
committer	fanquake <fanquake@gmail.com>	2022-01-03 21:36:55 +0800
commit	b9898aeeaa6a3db76e40f1981d0a9db80a5d82ff (patch)
tree	8e5f5a8452dcfbc30cad378f35504a494662f598 /contrib
parent	d69af93223c4008c3255f7e4848ff05d78c514fa (diff)