Advanced Binary Security Analysis & Mitigation Detection
A comprehensive binary security analysis tool that detects and reports on security mitigations enabled in ELF executables. Designed as a feature-rich alternative to checksec with enhanced detection capabilities and modern security feature support.
elfsec provides a clean, color-coded table showing all detected security mitigations:
- 🟢 Green: Security feature enabled/good configuration
- 🟡 Yellow: Partial protection or unknown status
- 🔴 Red: Security feature disabled or dangerous configuration
| Feature | elfsec | checksec |
|---|---|---|
| Basic Mitigations | | |
| RELRO | ✅ Full/Partial detection | ✅ Full/Partial detection |
| Stack Canaries | ✅ Advanced detection via disassembly + symbols | ✅ Basic symbol detection |
| NX/DEP | ✅ PT_GNU_STACK analysis | ✅ PT_GNU_STACK analysis |
| PIE/ASLR | ✅ ELF header analysis | ✅ ELF header analysis |
| RPATH/RUNPATH | ✅ Both detected separately | ✅ Basic detection |
| FORTIFY_SOURCE | ✅ Symbol table analysis | ✅ Basic detection |
| Advanced Features | | |
| Control Flow Integrity (CFI) | ✅ Unique to elfsec | ❌ Not supported |
| Intel CET (IBT/SHSTK) | ✅ Hardware-assisted CFI detection | ❌ Not supported |
| UBSan Detection | ✅ Comprehensive sanitizer analysis | ❌ Not supported |
| ASAN Detection | ✅ Memory sanitizer detection | ❌ Not supported |
| Stack Clash Protection | ✅ Modern stack attack prevention | ❌ Not supported |
| Heap Hardening | ✅ Heap corruption detection | ❌ Not supported |
| Integer Overflow Protection | ✅ Arithmetic safety detection | ❌ Not supported |
| SECCOMP Detection | ✅ System call filtering analysis | ❌ Not supported |
| Technical Advantages | | |
| Detection Method | Static analysis + disassembly | Symbol table only |
| Performance | Optimized C implementation | Shell script |
| Architecture Support | x86/x86_64 with Capstone engine | readelf-dependent |
| Output Format | Structured colored table | Text-based |
elfsec analyzes ELF binaries for the following security mitigations:
- RELRO (Relocation Read-Only) - Full/Partial/None detection
- Stack Canaries - Stack smashing protection via compiler-generated canaries
- NX Bit (No-eXecute) - Non-executable stack/heap protection
- PIE (Position Independent Executable) - Address space layout randomization support
- RPATH/RUNPATH - Dynamic library search path security analysis
- FORTIFY_SOURCE - Enhanced bounds checking for standard library functions
- Symbol Stripping - Binary obfuscation and debugging information removal
- UBSan (Undefined Behavior Sanitizer) - Runtime undefined behavior detection
- ASAN (Address Sanitizer) - Memory error detection
- Control Flow Integrity (CFI) - Modern ROP/JOP attack prevention
- Intel CET (Control-flow Enforcement Technology) - Hardware-assisted CFI
- Stack Clash Protection - Large stack allocation attack prevention
- Heap Hardening - Heap corruption detection mechanisms
- Integer Overflow Protection - Arithmetic overflow detection
- SECCOMP (Secure Computing Mode) - System call filtering
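
The header-level checks named above (PT_GNU_STACK for NX, the ELF header type for PIE, PT_GNU_RELRO plus an eager-binding flag for Full versus Partial RELRO) can be sketched as follows. This is an added example, not elfsec's own code: `elf_mitigations` and `make_sample` are hypothetical names, the sample image is constructed, and a 64-bit ELF in host byte order is assumed.

```c
/* Added example, not elfsec source. Assumes a 64-bit ELF image whose byte
 * order matches the host (little-endian on x86_64). */
#include <elf.h>
#include <string.h>

enum { NX_ON = 1, PIE_ON = 2, RELRO_PARTIAL = 4, RELRO_FULL = 8, BAD_ELF = 128 };

/* Returns a bitmask of the flags above, or BAD_ELF for malformed input. */
int elf_mitigations(const unsigned char *img, size_t len) {
    Elf64_Ehdr eh; Elf64_Phdr ph; Elf64_Dyn d;
    int out = 0, relro = 0, now = 0;
    if (len < sizeof eh) return BAD_ELF;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) || eh.e_ident[EI_CLASS] != ELFCLASS64 ||
        eh.e_phentsize != sizeof ph || eh.e_phoff > len ||
        eh.e_phnum * sizeof ph > len - eh.e_phoff) return BAD_ELF;
    if (eh.e_type == ET_DYN) out |= PIE_ON;   /* shared libraries are ET_DYN too */
    for (size_t i = 0; i < eh.e_phnum; i++) {
        memcpy(&ph, img + eh.e_phoff + i * sizeof ph, sizeof ph);
        /* No PT_GNU_STACK at all leaves NX_ON clear: stack may be executable. */
        if (ph.p_type == PT_GNU_STACK && !(ph.p_flags & PF_X)) out |= NX_ON;
        if (ph.p_type == PT_GNU_RELRO) relro = 1;
        if (ph.p_type != PT_DYNAMIC) continue;
        if (ph.p_offset > len || ph.p_filesz > len - ph.p_offset) return BAD_ELF;
        for (size_t o = 0; o + sizeof d <= ph.p_filesz; o += sizeof d) {
            memcpy(&d, img + ph.p_offset + o, sizeof d);
            if (d.d_tag == DT_NULL) break;
            if (d.d_tag == DT_BIND_NOW ||   /* eager binding makes RELRO "full" */
                (d.d_tag == DT_FLAGS && (d.d_un.d_val & DF_BIND_NOW)) ||
                (d.d_tag == DT_FLAGS_1 && (d.d_un.d_val & DF_1_NOW))) now = 1;
        }
    }
    if (relro) out |= now ? RELRO_FULL : RELRO_PARTIAL;
    return out;
}

/* Constructed sample image: ELF header, 3 program headers, 2 dynamic entries. */
size_t make_sample(unsigned char *buf, int type, int stack_flags, int dyn_tag) {
    Elf64_Ehdr eh = {0}; Elf64_Phdr ph[3] = {{0}}; Elf64_Dyn dyn[2] = {{0}};
    memcpy(eh.e_ident, ELFMAG, SELFMAG); eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_type = type; eh.e_phoff = sizeof eh; eh.e_phentsize = sizeof ph[0]; eh.e_phnum = 3;
    ph[0].p_type = PT_GNU_STACK; ph[0].p_flags = stack_flags;
    ph[1].p_type = PT_GNU_RELRO;
    ph[2].p_type = PT_DYNAMIC; ph[2].p_offset = sizeof eh + sizeof ph; ph[2].p_filesz = sizeof dyn;
    dyn[0].d_tag = dyn_tag;
    memcpy(buf, &eh, sizeof eh); memcpy(buf + sizeof eh, ph, sizeof ph);
    memcpy(buf + sizeof eh + sizeof ph, dyn, sizeof dyn);
    return sizeof eh + sizeof ph + sizeof dyn;
}
```

Calling `make_sample(buf, ET_DYN, PF_R | PF_W, DT_BIND_NOW)` on a buffer of at least 512 bytes and passing the result to `elf_mitigations` yields NX, PIE and Full RELRO; an `ET_EXEC` image with `PF_X` set on the stack segment and no eager-binding entry yields Partial RELRO only.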
Download the latest compiled binaries from the Releases page:
- Standard Binary: `elfsec-x86_64-linux-gnu.tar.gz` - Requires system libraries
- Static Binary: `elfsec-x86_64-linux-musl-static.tar.gz` - No dependencies, runs anywhere

```bash
# Download and extract (replace with latest version)
curl -L https://github.com/username/elfsec/releases/download/v1.0.0/elfsec-x86_64-linux-gnu.tar.gz | tar -xz
cd release && ./elfsec-x86_64-linux-gnu /bin/bash
```

```bash
# Ubuntu/Debian
sudo apt install libelf-dev libcapstone-dev build-essential
# Red Hat/CentOS/Fedora
sudo dnf install elfutils-libelf-devel capstone-devel gcc make
# Arch Linux
sudo pacman -S libelf capstone gcc make
```

```bash
# Build the tool
make
# Install system-wide (optional)
sudo make install
```

```bash
# Analyze a single binary
./elfsec /bin/bash
# Check a custom application
./elfsec ./myapp
```

Run comprehensive tests to validate detection accuracy:

```bash
# Run all security mitigation tests
make test
# Test individual features (subshells keep each command relative to the repository root)
(cd tests/stack-clash && make test)
(cd tests/heap-cookies && make test)
(cd tests/integer-overflow && make test)
(cd tests/seccomp && make test)
```

- Static ELF Analysis: Parses program headers, sections, and symbol tables
- Disassembly Engine: Uses Capstone for instruction-level analysis
- Multi-Architecture: Supports both 32-bit and 64-bit ELF binaries
- Comprehensive Symbol Analysis: Checks both static and dynamic symbol tables
- Core Engine: `detect.c` - Security feature detection logic
- Table Rendering: `table.c` - Formatted output with color coding
- Main Driver: `main.c` - ELF parsing and detection orchestration
All listed security mitigations are fully implemented and tested.
- macOS port with XNU-specific mitigation detection
- Shadow Stack analysis improvements
- JSON/XML output formats
- Directory scanning mode
- Process analysis capabilities
Disclaimer: Not all system binaries are built alike on Linux, because distribution vendors compile them with different flags. For example, on Arch Linux (the system this binary was checked on) most system binaries have stack clash protection baked in, but this is not the case on others. This can cause tests to fail or produce different results depending on your distribution and how its system binaries were compiled.
This is a security-focused tool designed for defensive analysis. Contributions should maintain focus on legitimate security research and system hardening applications.
Released under an open source license for security research and system administration use.
Built with ❤️ for the security community
