version 1.4, 2016/03/17 03:19:17
|
version 1.5, 2016/03/17 03:41:21
|
Line 91 for part or all of the build.
|
Line 91 for part or all of the build.
|
Again, this feature may cause some programs to crash, usually indicating an |
Again, this feature may cause some programs to crash, usually indicating an |
actual bug in the program. Patching the original program is then required. |
actual bug in the program. Patching the original program is then required. |
|
|
|
# Auditing the system |
|
|
|
The illusion of security is worse than having no security at all. This section |
|
lists a number of ways to ensure the security features requested are actually |
|
effective. |
|
|
|
_These instructions were obtained and tested on a system derived from NetBSD 7 |
|
(amd64). YMMV._ |
|
|
|
## Checking for PIE |
|
|
|
The ELF executable type in use changes for binaries built as PIE; without: |
|
|
|
$ file /path/to/bin/ary |
|
/path/to/bin/ary: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for NetBSD 7.0, not stripped |
|
|
|
as opposed to the following binary, built as PIE: |
|
|
|
$ file /path/to/pie/bin/ary |
|
/path/to/pie/bin/ary: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for NetBSD 7.0, not stripped |
|
|
|
The latter result is then what is expected. |
|
|
|
## Checking for RELRO |
|
|
|
The following command should list a section called `RELRO`: |
|
|
|
$ objdump -p /path/to/bin/ary |
|
|
|
/path/to/bin/ary: file format elf64-x86-64 |
|
|
|
Program Header: |
|
[...] |
|
RELRO off 0x0000000000000d78 vaddr 0x0000000000600d78 paddr 0x0000000000600d78 align 2**0 |
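Review bot: In the "Checking for RELRO" text, `RELRO` is called a section, but the sample output lists it under "Program Header:", so it is a program header entry and not a section. Suggest rewording to "The following command should list a program header called `RELRO`:" so that readers do not go looking for it in a section listing. As far as the visible lines go, this part also stops at the sample output without stating which result is expected, unlike the PIE part, which closes with "The latter result is then what is expected."; a matching closing sentence here, saying that a binary without the `RELRO` entry fails the check, would make it usable as an audit step.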