|
version 1.4, 2016/03/17 03:19:17
|
version 1.5, 2016/03/17 03:41:21
|
|
Line 91 for part or all of the build.
|
Line 91 for part or all of the build.
|
| Again, this feature may cause some programs to crash, usually indicating an |
Again, this feature may cause some programs to crash, usually indicating an |
| actual bug in the program. Patching the original program is then required. |
actual bug in the program. Patching the original program is then required. |
| |
|
| |
# Auditing the system |
| |
|
| |
The illusion of security is worse than having no security at all. This section |
| |
lists a number of ways to ensure the security features requested are actually |
| |
effective. |
| |
|
| |
_These instructions were obtained and tested on a system derived from NetBSD 7 |
| |
(amd64). YMMV._ |
| |
|
| |
## Checking for PIE |
| |
|
| |
The ELF executable type in use changes for binaries built as PIE; without: |
| |
|
| |
$ file /path/to/bin/ary |
| |
/path/to/bin/ary: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for NetBSD 7.0, not stripped |
| |
|
| |
as opposed to the following binary, built as PIE: |
| |
|
| |
$ file /path/to/pie/bin/ary |
| |
/path/to/pie/bin/ary: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for NetBSD 7.0, not stripped |
| |
|
| |
The latter result is then what is expected. |
| |
|
| |
## Checking for RELRO |
| |
|
| |
The following command should list a section called `RELRO`: |
| |
|
| |
$ objdump -p /path/to/bin/ary |
| |
|
| |
/path/to/bin/ary: file format elf64-x86-64 |
| |
|
| |
Program Header: |
| |
[...] |
| |
RELRO off 0x0000000000000d78 vaddr 0x0000000000600d78 paddr 0x0000000000600d78 align 2**0 |
![[BACK]](/icons/back.gif){kind=icon}
Return to hardening.mdwn CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [NetBSD Developer Wiki] / wikisrc / pkgsrc