RELEASE: checksec.py 🐍
A cross-platform checksec tool for Windows and Linux.
➡️ pip install checksec.py
➡️ windows: get checksec.exe on Github release
➡️ demo: asciinema.org/a/363216
➡️ Github: github.com/Wenzel/checkse
cc
5
174
474
Conversation
It's hard to grade fortify support since it can only work for statically sized buffers and avoids checks in cases where the compiler can see it never overflows.
Some implementations primarily (or only) use inline checks and won't be detected. Some also cover more libc functions.
1
1
Bionic's covers buffer reads rather than only writes, as do others, unlike glibc. The glibc implementation also doesn't support Clang.
Type-based CFI (clang.llvm.org/docs/ControlFl) and ShadowCallStack (arm64-only clang.llvm.org/docs/ShadowCal) are others thing to check. Both by Android.
1
1
Thanks, I opened 2 new issues to detect these mitigations.
1
There's also SafeStack but the LLVM implementation is a bit half-baked and there isn't production integration into the runtime for Linux. Android ended up using ShadowCallStack instead due to SafeStack limitations / issues. Could still detect it being used though.
Also worth noting that stack canaries can still be used alongside either of those. ShadowCallStack just protects return addresses and SafeStack tries to put anything that cannot have overflows (no references to it) on a separate safe stack so unsafe stack can still have canaries.
1
1
Can probably detect ShadowCallStack and SafeStack via the presence of related symbols. Clang CFI could be detected via the CFI metadata. It has subsets that can be enabled (clang.llvm.org/docs/ControlFl) and protects all indirect calls when fully enabled.
1