contrib: consolidate PIE and NX security checks

2025-02-02 09:46:52 -05:00 · 2021-04-12 11:19:44 +08:00 · 2021-04-12 11:19:44 +08:00 · 955140b326
commit 955140b326
parent 2aa1631822
1 changed files with 19 additions and 31 deletions
--- a/contrib/devtools/security-check.py
+++ b/contrib/devtools/security-check.py
@ -134,14 +134,6 @@ def check_ELF_separate_code(executable):
                return False
    return True

-def check_PE_PIE(executable) -> bool:
-    '''
-    Check for position independent executable (PIE),
-    allowing for address space randomization.
-    '''
-    binary = lief.parse(executable)
-    return binary.is_pie
-
 def check_PE_DYNAMIC_BASE(executable) -> bool:
    '''PIE: DllCharacteristics bit 0x40 signifies dynamicbase (ASLR)'''
    binary = lief.parse(executable)
@ -159,18 +151,6 @@ def check_PE_RELOC_SECTION(executable) -> bool:
    binary = lief.parse(executable)
    return binary.has_relocations

-def check_PE_NX(executable) -> bool:
-    '''NX: DllCharacteristics bit 0x100 signifies nxcompat (DEP)'''
-    binary = lief.parse(executable)
-    return binary.has_nx
-
-def check_MACHO_PIE(executable) -> bool:
-    '''
-    Check for position independent executable (PIE), allowing for address space randomization.
-    '''
-    binary = lief.parse(executable)
-    return binary.is_pie
-
 def check_MACHO_NOUNDEFS(executable) -> bool:
    '''
    Check for no undefined references.
@ -178,13 +158,6 @@ def check_MACHO_NOUNDEFS(executable) -> bool:
    binary = lief.parse(executable)
    return binary.header.has(lief.MachO.HEADER_FLAGS.NOUNDEFS)

-def check_MACHO_NX(executable) -> bool:
-    '''
-    Check for no stack execution
-    '''
-    binary = lief.parse(executable)
-    return binary.has_nx
-
 def check_MACHO_LAZY_BINDINGS(executable) -> bool:
    '''
    Check for no lazy bindings.
@ -200,6 +173,21 @@ def check_MACHO_Canary(executable) -> bool:
    binary = lief.parse(executable)
    return binary.has_symbol('___stack_chk_fail')

+def check_PIE(executable) -> bool:
+    '''
+    Check for position independent executable (PIE),
+    allowing for address space randomization.
+    '''
+    binary = lief.parse(executable)
+    return binary.is_pie
+
+def check_NX(executable) -> bool:
+    '''
+    Check for no stack execution
+    '''
+    binary = lief.parse(executable)
+    return binary.has_nx
+
 CHECKS = {
 'ELF': [
    ('PIE', check_ELF_PIE),
@ -209,16 +197,16 @@ CHECKS = {
    ('separate_code', check_ELF_separate_code),
 ],
 'PE': [
-    ('PIE', check_PE_PIE),
+    ('PIE', check_PIE),
    ('DYNAMIC_BASE', check_PE_DYNAMIC_BASE),
    ('HIGH_ENTROPY_VA', check_PE_HIGH_ENTROPY_VA),
-    ('NX', check_PE_NX),
+    ('NX', check_NX),
    ('RELOC_SECTION', check_PE_RELOC_SECTION)
 ],
 'MACHO': [
-    ('PIE', check_MACHO_PIE),
+    ('PIE', check_PIE),
    ('NOUNDEFS', check_MACHO_NOUNDEFS),
-    ('NX', check_MACHO_NX),
+    ('NX', check_NX),
    ('LAZY_BINDINGS', check_MACHO_LAZY_BINDINGS),
    ('Canary', check_MACHO_Canary)
 ]