
Add a check for BTI and PAC #237

Open
jvoisin opened this issue Apr 22, 2024 · 3 comments

jvoisin commented Apr 22, 2024

Issue

BTI and PAC (on ARM) aren't detected by checksec.sh

$ checksec --file=/bin/ssh
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH	Symbols		FORTIFY	Fortified	Fortifiable	FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   No Symbols	 Yes	12		23		/bin/ssh
$ readelf -d /bin/ssh | grep BTI
 0x0000000070000001 (AARCH64_BTI_PLT)    
$ ~ readelf -n /bin/ssh  | grep PAC -m 1
      Properties: AArch64 feature: BTI, PAC
$

Debug Report

$ checksec --debug_report
***** Checksec debug *****
uid=1000(jvoisin) gid=1000(jvoisin) groups=1000(jvoisin),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Linux xxx yyy #1 SMP PREEMPT_DYNAMIC Sun Mar 24 19:44:17 UTC 2024 aarch64 GNU/Linux
checksec version: 2.6.0 -- 2022052701
OS=zzz
VER=39
$

Command run to produce the error

$ checksec --file=/bin/ssh

OS version and Kernel version

  • Fedora
  • 6.6.3

Debug output

$ checksec --debug --file=/bin/ssh
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH	Symbols		FORTIFY	Fortified	Fortifiable	FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   No Symbols	 Yes	12		23		/bin/ssh
$
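The `Properties: AArch64 feature: BTI, PAC` line that `readelf -n` prints above comes from the `GNU_PROPERTY_AARCH64_FEATURE_1_AND` entry of the `.note.gnu.property` note, which the loader finds through the `PT_GNU_PROPERTY` program header. The following is an added example, not checksec's own code (checksec.sh would presumably shell out to `readelf` as the issue does); it decodes that note directly so the bit layout is visible, and assumes an ELF64 little-endian file (the only layout AArch64 Linux uses):

```python
import struct

# GNU property note ABI values (the ones readelf -n decodes on AArch64).
PT_GNU_PROPERTY = 0x6474E553
EM_AARCH64 = 183
GNU_PROPERTY_AARCH64_FEATURE_1_AND = 0xC0000000
FEATURE_1_BTI, FEATURE_1_PAC = 1 << 0, 1 << 1

def parse_gnu_property(section: bytes) -> dict:
    """Walk a .note.gnu.property blob (ELF64 layout) and report BTI/PAC bits."""
    feats = {"BTI": False, "PAC": False}
    off = 0
    while off + 12 <= len(section):
        namesz, descsz, ntype = struct.unpack_from("<III", section, off)
        off += 12
        name = section[off:off + namesz]
        off += (namesz + 3) & ~3                 # name padded to 4 bytes
        desc = section[off:off + descsz]
        off += (descsz + 7) & ~7                 # desc padded to 8 bytes on ELF64
        if name != b"GNU\0" or ntype != 5:       # 5 == NT_GNU_PROPERTY_TYPE_0
            continue
        p = 0
        while p + 8 <= len(desc):                # properties: type, datasz, data
            pr_type, pr_datasz = struct.unpack_from("<II", desc, p)
            p += 8
            if pr_type == GNU_PROPERTY_AARCH64_FEATURE_1_AND and pr_datasz >= 4:
                bits = struct.unpack_from("<I", desc, p)[0]
                feats["BTI"] = bool(bits & FEATURE_1_BTI)
                feats["PAC"] = bool(bits & FEATURE_1_PAC)
            p += (pr_datasz + 7) & ~7            # each property padded to 8 bytes
    return feats

def aarch64_features(path: str):
    """BTI/PAC flags of an ELF64 little-endian AArch64 file; None otherwise."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:6] != b"\x7fELF\x02\x01" or struct.unpack_from("<H", data, 18)[0] != EM_AARCH64:
        return None
    e_phoff, _, _, _, e_phentsize, e_phnum = struct.unpack_from("<QQIHHH", data, 32)
    feats = {"BTI": False, "PAC": False}         # no PT_GNU_PROPERTY => unmarked
    for i in range(e_phnum):
        p_type, _, p_off, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_PROPERTY:
            feats = parse_gnu_property(data[p_off:p_off + p_filesz])
    return feats

# Constructed sample note: "GNU" type 5, one property 0xc0000000 with bits 0b11 (BTI|PAC).
SAMPLE_NOTE = (b"\x04\x00\x00\x00\x10\x00\x00\x00\x05\x00\x00\x00GNU\x00"
               b"\x00\x00\x00\xc0\x04\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00")
```

`aarch64_features("/bin/ssh")` on the reporter's host should agree with the `readelf -n` output above; a binary with no `PT_GNU_PROPERTY` header at all reports both flags as False, which is the case a checksec column would need to show as "not marked" rather than as an error.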
@jvoisin jvoisin changed the title Add a check for IBT/BTI Add a check for BTI and PAC Apr 22, 2024
@slimm609 (Owner)

Please provide additional context as to what "BTI" and "PAC" are?


jvoisin commented Apr 22, 2024

Sure:

  • PAC: Pointer Authentication is a feature, available for Armv8.3-A and Armv9.0-A (and later) Arm architectures, to provide some protection against ROP. A Pointer Authentication Code (PAC) is generated from the value of a given pointer, and is used to verify pointers before using them. If attackers attempt to modify such a pointer in memory they will also need to compute the right PAC signature for it. For example, to ROP, if the return address stored in the stack is signed and verified before returning to it, the attacker will not be able to control the program flow and an exception is raised.
  • BTI: Branch Target Identification (BTI) can mitigate against some JOP attacks by creating an architectural dependency between certain indirect branch instructions and the instructions that they target. Indirect branches are vulnerable to JOP attacks as the pointers are frequently stored on the stack and if the stack is compromised then these pointers can be manipulated. In AArch64, the CPU can be configured so that indirect branch instructions only target valid “landing pad” instructions within a select memory region, which is specified by the Guarded Page (GP) bit in the translation tables. The architecture can record the type of branch that targeted the landing pad, and both direct and indirect branches can be tracked.

ARM published a nice and accessible blog post on both PAC and BTI.

@slimm609 (Owner)

Thanks. I will take a look at this and see if it can be implemented
