Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Creates BA3011 check for presence of BIND_NOW flag AKA full RELRO #363

Merged
merged 6 commits into from Apr 15, 2021
Merged

Creates BA3011 check for presence of BIND_NOW flag AKA full RELRO #363

merged 6 commits into from Apr 15, 2021

Conversation

toshipiazza
Copy link
Member

@toshipiazza toshipiazza commented Apr 12, 2021
edited

Fixes #355

@michaelcfanning
Copy link
Member

michaelcfanning commented Apr 12, 2021
edited by eddynaka

Toshi, thanks for this, we will review asap. #Closed

@toshipiazza toshipiazza mentioned this pull request Apr 12, 2021
Closed
eddynaka
eddynaka reviewed Apr 12, 2021
View reviewed changes
src/BinSkim.Rules/ELFRules/BA3011.EnableBindNow.cs Outdated
{
// Fail
context.Logger.Log(this,
RuleUtilities.BuildResult(FailureLevel.Error, context, null,
Copy link
Contributor

@eddynaka eddynaka Apr 12, 2021
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FailureLevel.Error [](start = 42, length = 18)

@michaelcfanning , should we set this to note? and in the next release, we change to error based on Matt's feedback. #WontFix

michaelcfanning
michaelcfanning reviewed Apr 15, 2021
View reviewed changes
src/BinSkim.Rules/ELFRules/BA3011.EnableBindNow.cs
}
}
}
catch (InvalidCastException)
Copy link
Member

@michaelcfanning michaelcfanning Apr 15, 2021
edited by eddynaka

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

InvalidCastException [](start = 19, length = 20)

Just curious, what's producing these exceptions? #Closed

Copy link
Member Author

@toshipiazza toshipiazza Apr 15, 2021
edited by eddynaka

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The project I'm working on separates executables into two files like in this post. The .dbg file contains only debug info, and therefore isn't even executable. But since it's an ELF, it gets parsed by binskim analyze. Since the file contains no executable code, the output of binskim is meaningless, so I was happy to just silence the exception.

I haven't seen any other case where this happens. #Closed

michaelcfanning
michaelcfanning reviewed Apr 15, 2021
View reviewed changes
src/BinSkim.Rules/RuleIds.cs
@@ -48,8 +48,8 @@ internal static class RuleIds

// Skipping some check namespace (BA3004-3009) for future checks
public const string EnableReadOnlyRelocations = "BA3010";
public const string EnableBindNow = "BA3011";
Copy link
Member

@michaelcfanning michaelcfanning Apr 15, 2021
edited by eddynaka

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

EnableBindNow [](start = 28, length = 13)

Good names! Let's add test cases for this rule, @eddynaka. #Closed

Copy link
Member Author

@toshipiazza toshipiazza Apr 15, 2021
edited by eddynaka

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI there are some test cases for this already:

binskim/src/BuildSamples/ELF/build-test-binaries.sh

Line 59 in d9afb65

$C_COMPILER empty.c -o $OUTPUT_DIR/$C_COMPILER.relocationsrw -Wl,-z,norelro

binskim/src/BuildSamples/ELF/build-test-binaries.sh

Line 60 in d9afb65

$C_COMPILER empty.c -o $OUTPUT_DIR/$C_COMPILER.relocationsro -Wl,-z,relro

binskim/src/BuildSamples/ELF/build-test-binaries.sh

Line 73 in d9afb65

$C_COMPILER empty.c -o $OUTPUT_DIR/$C_COMPILER.immediate_binding -Wl,-z,relro,-z,now

Spoke offline with Eddy, and it may be helpful to update the no_immediate_binding test to explicitly use RTLD_LAZY binding: -Wl,-z,lazy

binskim/src/BuildSamples/ELF/build-test-binaries.sh

Line 74 in d9afb65

$C_COMPILER empty.c -o $OUTPUT_DIR/$C_COMPILER.no_immediate_binding
#Closed

@michaelcfanning
Copy link
Member

michaelcfanning commented Apr 15, 2021
edited by eddynaka

Every new rule needs to either be added as 'Note' in the current release, or we need to add it to a major version revision. @eddynaka can you take care of this? Also, we need to document this great new check in our release notes. Finally, can you ensure that our comprehensive rules docs includes this check. #Closed

michaelcfanning
michaelcfanning approved these changes Apr 15, 2021
View reviewed changes
Copy link
Member

@michaelcfanning michaelcfanning left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

@eddynaka eddynaka merged commit 33c56f5 into microsoft:main Apr 15, 2021
@eddynaka eddynaka deleted the BA3011-bind-now branch April 15, 2021 21:20
@toshipiazza toshipiazza mentioned this pull request Jul 15, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eddynaka eddynaka eddynaka left review comments

@michaelcfanning michaelcfanning michaelcfanning approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

BA3010 doesn't distinguish between Full and Partial RELRO
3 participants
@toshipiazza @michaelcfanning @eddynaka