Add a check for BTI and PAC
jvoisin opened this issue · comments
Issue
BTI and PAC (on ARM) aren't detected by checksec.sh
$ checksec --file=/bin/ssh
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH No Symbols Yes 12 23 /bin/ssh
$ readelf -d /bin/ssh | grep BTI
0x0000000070000001 (AARCH64_BTI_PLT)
$ ~ readelf -n /bin/ssh | grep PAC -m 1
Properties: AArch64 feature: BTI, PAC
$Debug Report
$ checksec --debug_report
***** Checksec debug *****
uid=1000(jvoisin) gid=1000(jvoisin) groups=1000(jvoisin),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Linux xxx yyy #1 SMP PREEMPT_DYNAMIC Sun Mar 24 19:44:17 UTC 2024 aarch64 GNU/Linux
checksec version: 2.6.0 -- 2022052701
OS=zzz
VER=39
-rwxr-xr-x. 1 root root 200696 Jan 18 01:00 /usr/bin/cat
/usr/bin/cat: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=75a7332c0bd530cd7854870a0f90e8322800d4d2, for GNU/Linux 3.7.0, stripped
lrwxrwxrwx. 1 root root 4 Jul 19 2023 /usr/bin/awk -> gawk
-rwxr-xr-x. 1 root root 866208 Jul 19 2023 /usr/bin/gawk
/usr/bin/gawk: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=b38d9159b0ab74a2f19307ac36791947ab1f3522, for GNU/Linux 3.7.0, stripped
-rwxr-xr-x. 1 root root 201144 Nov 14 01:00 /sbin/sysctl
/sbin/sysctl: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=98be88d321b6307e2cec22d993c1ca8cb839e882, for GNU/Linux 3.7.0, stripped
-rwxr-xr-x. 1 root root 200656 Jan 18 01:00 /usr/bin/uname
/usr/bin/uname: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=55f54df31bf2f88053d0c2254531c0f0d787d36d, for GNU/Linux 3.7.0, stripped
-rwxr-xr-x. 1 root root 200728 Jan 18 01:00 /usr/bin/mktemp
/usr/bin/mktemp: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=512824cab65253b01c6631eacc09e8797549d8a7, for GNU/Linux 3.7.0, stripped
-rwxr-xr-x. 1 root root 1024112 Aug 31 2023 /usr/bin/openssl
/usr/bin/openssl: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=d0747b1b66a1c41a545ed2a16e74997d16d70a48, for GNU/Linux 3.7.0, stripped
-rwxr-xr-x. 1 root root 268104 Jul 20 2023 /usr/bin/grep
/usr/bin/grep: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=2b88fea571b2728bf2ea3b75019cd64a76455f07, for GNU/Linux 3.7.0, stripped
-rwxr-xr-x. 1 root root 201024 Jan 18 01:00 /usr/bin/stat
/usr/bin/stat: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=ba7a4b682c859ed4f41a0aa8cf67db7cd3a40809, for GNU/Linux 3.7.0, stripped
-rwxr-xr-x. 1 root root 200720 Jul 19 2023 /usr/bin/file
/usr/bin/file: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=65d98d4c5176b60681cfc97bf4cf763bfa714725, for GNU/Linux 3.7.0, stripped
-rwxr-xr-x. 1 root root 270560 Jul 19 2023 /usr/bin/find
/usr/bin/find: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=37dfc3a5716f6dab8698cdb8c0c2c9bbb71efd6f, for GNU/Linux 3.7.0, stripped
-rwxr-xr-x. 1 root root 200808 Jan 18 01:00 /usr/bin/head
/usr/bin/head: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=08e2b539cc3970b414b559a95dad8e3af9b5e700, for GNU/Linux 3.7.0, stripped
-rwxr-xr-x. 1 root root 269040 Nov 14 01:00 /usr/bin/ps
/usr/bin/ps: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=3d4b73ea80973c755b1ad4c82f805489c1f12d29, for GNU/Linux 3.7.0, stripped
-rwxr-xr-x. 1 root root 200784 Jan 18 01:00 /usr/bin/readlink
/usr/bin/readlink: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=1af588d6dd41a0a1c2dd36b34e5acd65cca11a64, for GNU/Linux 3.7.0, stripped
-rwxr-xr-x. 1 root root 200672 Jan 18 01:00 /usr/bin/basename
/usr/bin/basename: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=6d13d9fc75f9de1f5d98e2dc737b1f2ef3778136, for GNU/Linux 3.7.0, stripped
-rwxr-xr-x. 1 root root 200720 Jan 18 01:00 /usr/bin/id
/usr/bin/id: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=dfa21d1b422e3d49d86500e73fa87ec6a0f4b24e, for GNU/Linux 3.7.0, stripped
-rwxr-xr-x. 1 root root 200976 Jul 22 2023 /usr/bin/which
/usr/bin/which: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=849a8536c030cc976d78180554b4599be06dad2e, for GNU/Linux 3.7.0, stripped
-rwxr-xr-x. 1 root root 615608 Mar 5 01:00 /usr/bin/wget
/usr/bin/wget: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=2a797dd26b6cd863a8a1d9f9d4b5b329a3538d40, for GNU/Linux 3.7.0, stripped
-rwxr-xr-x. 1 root root 398480 Dec 6 01:00 /usr/bin/curl
/usr/bin/curl: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=9b1be3c23af0227ab9a1952c5e1f62356620a5a1, for GNU/Linux 3.7.0, stripped
-rwxr-xr-x. 1 root root 934664 Jan 25 01:00 /usr/bin/readelf
/usr/bin/readelf: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=99a28750433912984e4aa87a0a577cb56a329a7b, for GNU/Linux 3.7.0, stripped
-rwxr-xr-x. 1 root root 729872 Mar 4 01:00 /usr/bin/eu-readelf
/usr/bin/eu-readelf: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=00d0ac9de6bc04a2b8a9fcca544b1fe6218cd003, for GNU/Linux 3.7.0, stripped
[1]
$
Command run to produce the error
$ checksec --file=/bin/sshOS version and Kernel version
- Fedora
- 6.6.3
Debug output
$ checksec --debug --file=/bin/ssh
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH No Symbols Yes 12 23 /bin/ssh
$
Please provide additional context as to what "BTI" and "PAC" are?
Sure:
- PAC: Pointer Authentication is a feature, available for Armv8.3-A and Armv9.0-A (and later) Arm architectures, to provide some protection against ROP. A Pointer Authentication Code (PAC) is generated from the value of a given pointer, and is used to verify pointers before using them. If attackers attempt to modify such a pointer in memory they will also need to compute the right PAC signature for it. For example, to ROP, if the return address stored in the stack is signed and verified before returning to it, the attacker will not be able to control the program flow and an exception is raised.
- BTI: Branch Target Identification (BTI) can mitigate against some JOP attacks by creating an architectural dependency between certain indirect branch instructions and the instructions that they target. Indirect branches are vulnerable to JOP attacks as the pointers are frequently stored on the stack and if the stack is compromised then these pointers can be manipulated. In AArch64, the CPU can be configured so that indirect branch instructions only target valid “landing pad” instructions within a select memory region, which is specified by the Guarded Page (GP) bit in the translation tables. The architecture can record the type of branch that targeted the landing pad, and both direct and indirect branches can be tracked.
ARM published a nice and accessible blogpost on both PAC and BTI.
Thanks. I will take a look at this and see if it can be implemented