NAME
hardening-check - check binaries for security hardening features
SYNOPSIS
Examine a given set of ELF binaries and check for several security
hardening features, failing if they are not all found.
DESCRIPTION
This utility checks a given list of ELF binaries for several security
hardening features that can be compiled into an executable. These
features are:
Position Independent Executable
This indicates that the executable was built in such a way
(PIE) that the "text" section of the program can be relocated
in memory. To take full advantage of this feature, the
executing kernel must support text Address Space Layout
Randomization (ASLR).
Stack Protected
This indicates that the executable was compiled with the gcc(1)
option -fstack-protector. The program will be resistant to
have its stack overflowed.
Fortify Source functions
This indicates that the executable was compiled with
-D_FORTIFY_SOURCE=2 and -O2 or higher. This causes certain
unsafe glibc functions with their safer counterparts (e.g.
strncpy instead of strcpy).
Read-only relocations
This indicates that the executable was build with -Wl,-z,relro
to have ELF markings (RELRO) that ask the runtime linker to
mark any regions of the relocation table as "read-only" if they
were resolved before execution begins. This reduces the
possible areas of memory in a program that can be used by an
attacker that performs a successful memory corruption exploit.
Immediate binding
This indicates that the executable was built with -Wl,-z,now to
have ELF markings (BIND_NOW) that ask the runtime linker to
resolve all relocations before starting program execution.
When combined with RELRO above, this further reduces the
regions of memory available to memory corruption attacks.
OPTIONS
-p No not require that the checked binaries be built as PIE.
-s No not require that the checked binaries be built with the
stack protector.
-f No not require that the checked binaries be built with Fority
Source.
-r No not require that the checked binaries be built with RELRO.
-b No not require that the checked binaries be built with
BIND_NOW.
-q Only report failures.
RETURN VALUE
When all checked binaries have all checkable hardening features
detected, this program will finish with an exit code of 0. If any
check fails, the exit code with be 1. Individual checks can be
disabled via command line options.
AUTHOR
Kees Cook <kees@debian.org>
COPYRIGHT AND LICENSE
Copyright 2009 Kees Cook <kees@debian.org>.
This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; version 2 or later.
SEE ALSO
gcc(1), hardening-wrapper(1)