aboutsummaryrefslogtreecommitdiff
path: root/contrib/devtools/security-check.py
diff options
context:
space:
mode:
Diffstat (limited to 'contrib/devtools/security-check.py')
-rwxr-xr-xcontrib/devtools/security-check.py15
1 files changed, 12 insertions, 3 deletions
diff --git a/contrib/devtools/security-check.py b/contrib/devtools/security-check.py
index f90fa5785f..f57e9abfec 100755
--- a/contrib/devtools/security-check.py
+++ b/contrib/devtools/security-check.py
@@ -8,7 +8,6 @@ Exit status will be 0 if successful, and the program will be silent.
Otherwise the exit status will be 1 and it will log which executables failed which checks.
'''
import sys
-from typing import List
import lief
@@ -193,6 +192,16 @@ def check_MACHO_control_flow(binary) -> bool:
return True
return False
+def check_MACHO_branch_protection(binary) -> bool:
+ '''
+ Check for branch protection instrumentation
+ '''
+ content = binary.get_content_from_virtual_address(binary.entrypoint, 4, lief.Binary.VA_TYPES.AUTO)
+
+ if content.tolist() == [95, 36, 3, 213]: # bti
+ return True
+ return False
+
BASE_ELF = [
('PIE', check_PIE),
('NX', check_NX),
@@ -232,7 +241,7 @@ CHECKS = {
lief.ARCHITECTURES.X86: BASE_MACHO + [('PIE', check_PIE),
('NX', check_NX),
('CONTROL_FLOW', check_MACHO_control_flow)],
- lief.ARCHITECTURES.ARM64: BASE_MACHO,
+ lief.ARCHITECTURES.ARM64: BASE_MACHO + [('BRANCH_PROTECTION', check_MACHO_branch_protection)],
}
}
@@ -255,7 +264,7 @@ if __name__ == '__main__':
retval = 1
continue
- failed: List[str] = []
+ failed: list[str] = []
for (name, func) in CHECKS[etype][arch]:
if not func(binary):
failed.append(name)
generated by cgit v1.2.3 (git 2.26.2) at 2024-08-25 15:02:55 +0000