author | fanquake <fanquake@gmail.com> | 2024-01-03 17:16:16 +0000 |
---|---|---|
committer | fanquake <fanquake@gmail.com> | 2024-01-03 17:28:39 +0000 |
commit | 5335e454c0889c8a1bb05aa09435883322133974 (patch) | |
tree | 6264887be44a7bf7601ae2cdfc68bc9b16015bab /contrib | |
parent | 65c05db660b2ca1d0076b0d8573a6760b3228068 (diff) |
contrib: add macho branch protection check
Diffstat (limited to 'contrib')
-rwxr-xr-x | contrib/devtools/security-check.py | 12 | ||||
-rwxr-xr-x | contrib/devtools/test-security-check.py | 8 |
2 files changed, 15 insertions, 5 deletions
diff --git a/contrib/devtools/security-check.py b/contrib/devtools/security-check.py
index 590c2ed87d..f57e9abfec 100755
--- a/contrib/devtools/security-check.py
+++ b/contrib/devtools/security-check.py
@@ -192,6 +192,16 @@ def check_MACHO_control_flow(binary) -> bool:
         return True
     return False
 
+def check_MACHO_branch_protection(binary) -> bool:
+    '''
+    Check for branch protection instrumentation
+    '''
+    content = binary.get_content_from_virtual_address(binary.entrypoint, 4, lief.Binary.VA_TYPES.AUTO)
+
+    if content.tolist() == [95, 36, 3, 213]: # bti
+        return True
+    return False
+
 BASE_ELF = [
     ('PIE', check_PIE),
     ('NX', check_NX),
@@ -231,7 +241,7 @@ CHECKS = {
         lief.ARCHITECTURES.X86: BASE_MACHO + [('PIE', check_PIE), ('NX', check_NX), ('CONTROL_FLOW', check_MACHO_control_flow)],
-        lief.ARCHITECTURES.ARM64: BASE_MACHO,
+        lief.ARCHITECTURES.ARM64: BASE_MACHO + [('BRANCH_PROTECTION', check_MACHO_branch_protection)],
     }
 }
diff --git a/contrib/devtools/test-security-check.py b/contrib/devtools/test-security-check.py
index 64daabad4e..48823c7e45 100755
--- a/contrib/devtools/test-security-check.py
+++ b/contrib/devtools/test-security-check.py
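Review bot: `check_MACHO_branch_protection` accepts exactly one 4-byte pattern at the entrypoint, `[95, 36, 3, 213]`, which is the little-endian encoding of `bti c` (0xd503245f), so any other valid BTI landing pad there is reported as a BRANCH_PROTECTION failure. With `-mbranch-protection=bti` alone the entry function does start with `bti c`, which the updated test pins, but a `bti jc` (0xd50324df), or — if the flag is ever widened to `standard`/`pac-ret+bti` — a `paciasp`/`pacibsp` prologue that acts as an implicit landing pad, would as far as I can tell fail the check even though the binary is protected; matching the small set of landing-pad encodings, with the hex next to each so the magic bytes are reviewable, avoids that false negative. The docstring should also record why this is a byte-level heuristic: unlike the ELF GNU property note there is no Mach-O load command or header flag recording BTI, so only the first instruction of the entry function is inspected, and a link in which only that object was instrumented would still pass; the rewrite below keeps that caveat to three docstring lines. The `# bti` comment on the comparison should at least name the exact instruction and encoding, `# bti c (0xd503245f, little-endian)`, if the broader match is not taken.
```python
def check_MACHO_branch_protection(binary) -> bool:
    '''
    Check for branch target identification (BTI) instrumentation. Mach-O has no
    load command or flag recording BTI, so only the first instruction of the
    entry function is inspected and any valid BTI landing pad is accepted.
    '''
    # Little-endian AArch64 encodings of instructions that are valid BTI targets.
    landing_pads = [
        [95, 36, 3, 213],   # bti c    0xd503245f
        [223, 36, 3, 213],  # bti jc   0xd50324df
        [63, 35, 3, 213],   # paciasp  0xd503233f (implicit landing pad)
        [127, 35, 3, 213],  # pacibsp  0xd503237f (implicit landing pad)
    ]
    content = binary.get_content_from_virtual_address(binary.entrypoint, 4, lief.Binary.VA_TYPES.AUTO)
    return content.tolist() in landing_pads
```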
@@ -137,12 +137,12 @@ class TestSecurityChecks(unittest.TestCase):
         else:
             # arm64 darwin doesn't support non-PIE binaries, control flow or executable stacks
             self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-flat_namespace','-fno-stack-protector', '-Wl,-no_fixup_chains']),
-                (1, executable+': failed NOUNDEFS Canary FIXUP_CHAINS'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-flat_namespace','-fno-stack-protector', '-Wl,-fixup_chains']),
+                (1, executable+': failed NOUNDEFS Canary FIXUP_CHAINS BRANCH_PROTECTION'))
+            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-flat_namespace','-fno-stack-protector', '-Wl,-fixup_chains', '-mbranch-protection=bti']),
                 (1, executable+': failed NOUNDEFS Canary'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-flat_namespace','-fstack-protector-all', '-Wl,-fixup_chains']),
+            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-flat_namespace','-fstack-protector-all', '-Wl,-fixup_chains', '-mbranch-protection=bti']),
                 (1, executable+': failed NOUNDEFS'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-fstack-protector-all', '-Wl,-fixup_chains']),
+            self.assertEqual(call_security_check(cc, source, executable, ['-fstack-protector-all', '-Wl,-fixup_chains', '-mbranch-protection=bti']),
                 (0, ''))