gracecondition/elfsec

DEMITIGATOR

elfsec

Advanced Binary Security Analysis & Mitigation Detection


A comprehensive binary security analysis tool that detects and reports on security mitigations enabled in ELF executables. Designed as a feature-rich alternative to checksec with enhanced detection capabilities and modern security feature support.


📸 What It Looks Like

[Screenshot: DEMITIGATOR Output Example]

elfsec provides a clean, color-coded table showing all detected security mitigations:

  • 🟢 Green: Security feature enabled/good configuration
  • 🟡 Yellow: Partial protection or unknown status
  • 🔴 Red: Security feature disabled or dangerous configuration

⚖️ Comparison with Checksec

| Feature | elfsec | checksec |
|---|---|---|
| Basic Mitigations | | |
| RELRO | ✅ Full/Partial detection | ✅ Full/Partial detection |
| Stack Canaries | ✅ Advanced detection via disassembly + symbols | ✅ Basic symbol detection |
| NX/DEP | ✅ PT_GNU_STACK analysis | ✅ PT_GNU_STACK analysis |
| PIE/ASLR | ✅ ELF header analysis | ✅ ELF header analysis |
| RPATH/RUNPATH | ✅ Both detected separately | ✅ Basic detection |
| FORTIFY_SOURCE | ✅ Symbol table analysis | ✅ Basic detection |
| Advanced Features | | |
| Control Flow Integrity (CFI) | ✅ Unique to elfsec | ❌ Not supported |
| Intel CET (IBT/SHSTK) | ✅ Hardware-assisted CFI detection | ❌ Not supported |
| UBSan Detection | ✅ Comprehensive sanitizer analysis | ❌ Not supported |
| ASAN Detection | ✅ Memory sanitizer detection | ❌ Not supported |
| Stack Clash Protection | ✅ Modern stack attack prevention | ❌ Not supported |
| Heap Hardening | ✅ Heap corruption detection | ❌ Not supported |
| Integer Overflow Protection | ✅ Arithmetic safety detection | ❌ Not supported |
| SECCOMP Detection | ✅ System call filtering analysis | ❌ Not supported |
| Technical Advantages | | |
| Detection Method | Static analysis + disassembly | Symbol table only |
| Performance | Optimized C implementation | Shell script |
| Architecture Support | x86/x86_64 with Capstone engine | readelf-dependent |
| Output Format | Structured colored table | Text-based |

🔍 Features

elfsec analyzes ELF binaries for the following security mitigations:

Core Memory Protection Features

  • RELRO (Relocation Read-Only) - Full/Partial/None detection
  • Stack Canaries - Stack smashing protection via compiler-generated canaries
  • NX Bit (No-eXecute) - Non-executable stack/heap protection
  • PIE (Position Independent Executable) - Address space layout randomization support

Path and Runtime Security

  • RPATH/RUNPATH - Dynamic library search path security analysis
  • FORTIFY_SOURCE - Enhanced bounds checking for standard library functions
  • Symbol Stripping - Binary obfuscation and debugging information removal

Advanced Modern Mitigations

  • UBSan (Undefined Behavior Sanitizer) - Runtime undefined behavior detection
  • ASAN (Address Sanitizer) - Memory error detection
  • Control Flow Integrity (CFI) - Modern ROP/JOP attack prevention
  • Intel CET (Control-flow Enforcement Technology) - Hardware-assisted CFI
  • Stack Clash Protection - Large stack allocation attack prevention
  • Heap Hardening - Heap corruption detection mechanisms
  • Integer Overflow Protection - Arithmetic overflow detection
  • SECCOMP (Secure Computing Mode) - System call filtering

📦 Installation

Pre-built Releases

Download the latest compiled binaries from the Releases page:

  • Standard Binary: elfsec-x86_64-linux-gnu.tar.gz - Requires system libraries
  • Static Binary: elfsec-x86_64-linux-musl-static.tar.gz - No dependencies, runs anywhere

# Download and extract (replace with latest version)
curl -L https://github.com/username/elfsec/releases/download/v1.0.0/elfsec-x86_64-linux-gnu.tar.gz | tar -xz
cd release && ./elfsec-x86_64-linux-gnu /bin/bash

Build from Source

Dependencies

# Ubuntu/Debian
sudo apt install libelf-dev libcapstone-dev build-essential

# Red Hat/CentOS/Fedora
sudo dnf install elfutils-libelf-devel capstone-devel gcc make

# Arch Linux
sudo pacman -S libelf capstone gcc make

Build and Install

# Build the tool
make

# Install system-wide (optional)
sudo make install

🚀 Usage

# Analyze a single binary
./elfsec /bin/bash

# Check a custom application
./elfsec ./myapp

🧪 Testing

Run comprehensive tests to validate detection accuracy:

# Run all security mitigation tests
make test

# Test individual features
cd tests/stack-clash && make test
cd tests/heap-cookies && make test
cd tests/integer-overflow && make test
cd tests/seccomp && make test

⚙️ Technical Implementation

Detection Methods

  • Static ELF Analysis: Parses program headers, sections, and symbol tables
  • Disassembly Engine: Uses Capstone for instruction-level analysis
  • Multi-Architecture: Supports both 32-bit and 64-bit ELF binaries
  • Comprehensive Symbol Analysis: Checks both static and dynamic symbol tables
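To illustrate the static ELF analysis listed above, this added example (not elfsec's own code) derives NX, PIE and RELRO status from the ELF header, the program headers and the dynamic section using only `<elf.h>`. The function names, result bits and in-memory sample image are constructed for the illustration; it assumes an ELF64 file in host byte order.

```c
#include <elf.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result bits; these names belong to this example, not to elfsec. */
enum { M_NX = 1, M_PIE = 2, M_RELRO = 4, M_NOW = 8, M_BAD = 0x80 };
/* Classify an ELF64 image in memory (assumes file and host byte order match). */
int check_elf64(const unsigned char *buf, size_t len) {
    Elf64_Ehdr eh; Elf64_Phdr ph; Elf64_Dyn d;
    if (len < sizeof eh) return M_BAD;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) || eh.e_ident[EI_CLASS] != ELFCLASS64 ||
        eh.e_phentsize != sizeof ph || eh.e_phoff > len ||
        eh.e_phnum > (len - eh.e_phoff) / sizeof ph) return M_BAD; /* malformed */
    int r = (eh.e_type == ET_DYN) ? M_PIE : 0; /* ET_DYN also covers shared objects */
    for (size_t i = 0; i < eh.e_phnum; i++) {
        memcpy(&ph, buf + eh.e_phoff + i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_GNU_STACK && !(ph.p_flags & PF_X)) r |= M_NX;
        if (ph.p_type == PT_GNU_RELRO) r |= M_RELRO;
        if (ph.p_type != PT_DYNAMIC) continue;
        if (ph.p_offset > len || ph.p_filesz > len - ph.p_offset) return M_BAD;
        for (size_t o = 0; o + sizeof d <= ph.p_filesz; o += sizeof d) {
            memcpy(&d, buf + ph.p_offset + o, sizeof d);
            if (d.d_tag == DT_NULL) break;
            if (d.d_tag == DT_BIND_NOW || (d.d_tag == DT_FLAGS && (d.d_un.d_val & DF_BIND_NOW)) ||
                (d.d_tag == DT_FLAGS_1 && (d.d_un.d_val & DF_1_NOW))) r |= M_NOW;
        }
    }
    return r; /* M_RELRO alone is Partial RELRO; M_RELRO with M_NOW is Full RELRO */
}

struct sample { Elf64_Ehdr eh; Elf64_Phdr ph[3]; Elf64_Dyn dyn[2]; }; /* constructed image */
int check_sample(int exec_stack, int bind_now) {
    struct sample s = {
        .eh = { .e_ident = { 0x7f, 'E', 'L', 'F', ELFCLASS64 }, .e_type = ET_DYN, .e_phnum = 3,
                .e_phoff = offsetof(struct sample, ph), .e_phentsize = sizeof(Elf64_Phdr) },
        .ph = { { .p_type = PT_GNU_STACK, .p_flags = PF_R | PF_W | (exec_stack ? PF_X : 0) },
                { .p_type = PT_GNU_RELRO },
                { .p_type = PT_DYNAMIC, .p_offset = offsetof(struct sample, dyn),
                  .p_filesz = 2 * sizeof(Elf64_Dyn) } },
        .dyn = { { .d_tag = bind_now ? DT_FLAGS : DT_NULL, .d_un.d_val = DF_BIND_NOW } },
    };
    return check_elf64((const unsigned char *)&s, sizeof s);
}

int main(void) {
    printf("hardened=0x%x weak=0x%x\n", check_sample(0, 1), check_sample(1, 0));
    return 0;
}
```

A missing PT_GNU_STACK header is reported here as no NX. ET_DYN alone cannot tell a PIE executable from a shared library, so a real checker refines that result with further checks such as the DF_1_PIE flag.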

Architecture

  • Core Engine: detect.c - Security feature detection logic
  • Table Rendering: table.c - Formatted output with color coding
  • Main Driver: main.c - ELF parsing and detection orchestration

🚧 Development Status

Current Features

All listed security mitigations are fully implemented and tested.

Planned Enhancements

  • macOS port with XNU-specific mitigation detection
  • Shadow Stack analysis improvements
  • JSON/XML output formats
  • Directory scanning mode
  • Process analysis capabilities

❓ FAQ

Why might some tests fail?

Disclaimer: Not all system binaries are built equal on Linux. Some distribution vendors compile them with different flags. For example, on Arch Linux (the system this binary was checked on) most system binaries have stack clash protection baked in, but that is not the case on other distributions. As a result, tests can fail or produce different results depending on your distribution and how its system binaries were compiled.

🀝 Contributing

This is a security-focused tool designed for defensive analysis. Contributions should maintain focus on legitimate security research and system hardening applications.

📄 License

Released under an open source license for security research and system administration use.


Built with ❤️ for the security community
