From 236fd879f8282ab86332626666110f477fee7633 Mon Sep 17 00:00:00 2001
From: Patrick Lodder
Date: Thu, 12 Jan 2023 19:41:56 +0100
Subject: [PATCH] devtools: disable currently unsupported security checks
Disables checks from Bitcoin 24.0.1 security-check.py code that we currently cannot support on Dogecoin Core without changes to the build process - separate-code needs linking using binutils 2.31 and/or explicit linking with -z,separate-code on binutils 2.30+ - CONTROL_FLOW can be enabled after building with gcc-8 or later. This would require at least a Ubuntu Focal Gitian implementation, and -fcf-protection enabled on the boost dependency. - HIGH_ENTROPY_VA and RELOC_SECTION checks for Windows binaries need fixes for dogecoin-cli, dogecoin-tx and test binaries, so that ASLR can be used for these binaries the same way it was done for dogecoind and dogecoin-qt. These checks can be re-enabled once these security features are enabled on release binaries (i.e. those built with Gitian)
---
 contrib/devtools/security-check.py | 27 ++++++++++++++++++++-------
 1 file changed, 20 insertions(+), 7 deletions(-)
diff --git a/contrib/devtools/security-check.py b/contrib/devtools/security-check.py
index 05c0af029..e4e96c30f 100755
--- a/contrib/devtools/security-check.py
+++ b/contrib/devtools/security-check.py
@@ -193,16 +193,25 @@ BASE_ELF = [
 ('NX', check_NX),
 ('RELRO', check_ELF_RELRO),
 ('Canary', check_ELF_Canary),
-('separate_code', check_ELF_separate_code),
+#('separate_code', check_ELF_separate_code),
+# Note: separate_code can be enabled once release binaries are
+# created with binutils 2.31 or explicitly configured on
+# binutils 2.30 with -z,separate-code,
+# see Bitcoin Core commit 2e9e6377
 ]
 
 BASE_PE = [
 ('PIE', check_PIE),
 ('DYNAMIC_BASE', check_PE_DYNAMIC_BASE),
-('HIGH_ENTROPY_VA', check_PE_HIGH_ENTROPY_VA),
+#('HIGH_ENTROPY_VA', check_PE_HIGH_ENTROPY_VA),
+# Note: HIGH_ENTROPY_VA can be enabled when all issues with RELOC_SECTION
+# are solved.
 ('NX', check_NX),
-('RELOC_SECTION', check_PE_RELOC_SECTION),
-('CONTROL_FLOW', check_PE_control_flow),
+#('RELOC_SECTION', check_PE_RELOC_SECTION),
+# Note: RELOC_SECTION is newer than our source and currently doesn't pass
+# on cli tools and tests, but does work for dogecoind / dogecoin-qt
+#('CONTROL_FLOW', check_PE_control_flow),
+# Note: CONTROL_FLOW can be re-enabled when we build with gcc8 or higher
 ]
 
 BASE_MACHO = [
@@ -213,7 +222,10 @@ BASE_MACHO = [
 
 CHECKS = {
 lief.EXE_FORMATS.ELF: {
-lief.ARCHITECTURES.X86: BASE_ELF + [('CONTROL_FLOW', check_ELF_control_flow)],
+#lief.ARCHITECTURES.X86: BASE_ELF + [('CONTROL_FLOW', check_ELF_control_flow)],
+# Note: until gcc8 or higher is used for release binaries,
+# do not check for CONTROL_FLOW
+lief.ARCHITECTURES.X86: BASE_ELF,
 lief.ARCHITECTURES.ARM: BASE_ELF,
 lief.ARCHITECTURES.ARM64: BASE_ELF,
 lief.ARCHITECTURES.PPC: BASE_ELF,
@@ -225,7 +237,9 @@ CHECKS = {
 lief.EXE_FORMATS.MACHO: {
 lief.ARCHITECTURES.X86: BASE_MACHO + [('PIE', check_PIE),
 ('NX', check_NX),
-('CONTROL_FLOW', check_MACHO_control_flow)],
+#('CONTROL_FLOW', check_MACHO_control_flow)
+# Note: Needs change in boost for -fcf-protection
+],
 lief.ARCHITECTURES.ARM64: BASE_MACHO,
 }
 }
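Review bot: Commenting the entries out of BASE_ELF and BASE_PE makes the script report a binary as passing with nothing in its output recording that separate_code, HIGH_ENTROPY_VA, RELOC_SECTION and CONTROL_FLOW were never evaluated, so a release built without these mitigations now looks identical to one that has them; the same applies to the CONTROL_FLOW entries removed from the CHECKS dict in the two following hunks. A less silent option is to keep the tuples in a sibling list such as `BASE_ELF_PENDING = [('separate_code', check_ELF_separate_code)]` and have the reporting loop print those as warnings instead of failures; that loop lies outside these hunks and would need a matching change. The `# Note: RELOC_SECTION is newer than our source` comment does not say what actually fails, whereas the commit message does, so I would write `# Note: RELOC_SECTION currently fails on dogecoin-cli, dogecoin-tx and the test binaries;` / `# it passes for dogecoind and dogecoin-qt`. The `#(...)` commented-out tuples are also dead code that linters flag (ruff ERA001); with the check name already named in each note, the commented-out line itself can go.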
@@ -260,4 +274,3 @@ if __name__ == '__main__':
 print(f'(unknown): cannot open')
 retval = 1
 sys.exit(retval)
-