scripts: add MACHO PIE check to security-check.py #17787

pull fanquake wants to merge 2 commits into bitcoin:master from fanquake:add_macOS_to_security_check changing 4 files +46 −4
  1. fanquake commented at 9:53 pm on December 21, 2019: member

    This uses otool -vh to print the mach header and look for the PIE flag:

    otool -vh src/bitcoind
    Mach header
          magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
    MH_MAGIC_64  X86_64        ALL LIB64     EXECUTE    24       2544   NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE
    

    From mach-o/loader.h:

    #define	MH_PIE 0x200000			/* When this bit is set, the OS will
    					   load the main executable at a
    					   random address.  Only used in
    					   MH_EXECUTE filetypes. */
    
  2. fanquake added the label Scripts and tools on Dec 21, 2019
  3. fanquake added the label Needs gitian build on Dec 21, 2019
  4. fanquake force-pushed on Dec 21, 2019
  5. DrahtBot commented at 4:33 pm on December 22, 2019: member

    Gitian builds

    File commit 0cda5573405d75d695aba417e8f22f1301ded001(master) commit f410d10078d12fbee4f47df9c7e29b297ba7a392(master and this pull)
  6. DrahtBot removed the label Needs gitian build on Dec 22, 2019
  7. fanquake deleted a comment on Dec 22, 2019
  8. fanquake force-pushed on Jan 2, 2020
  9. fanquake commented at 6:39 am on January 2, 2020: member
    Fixed up some documentation, added a function to retrieve all MACH-O flags and an additional commit to check for NOUNDEFS.
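
An added example, not code from this pull request or from security-check.py: the PIE and NOUNDEFS checks described above, done by reading the `flags` word of the Mach-O header directly instead of parsing `otool -vh` output. The function names and the constructed sample header are assumptions for illustration; the flag values are those in mach-o/loader.h, and only thin (non-universal) files are handled.

```python
import struct

# Flag bits from mach-o/loader.h; these are the names otool -vh printed above.
MH_FLAGS = {
    "NOUNDEFS": 0x1,
    "DYLDLINK": 0x4,
    "TWOLEVEL": 0x80,
    "WEAK_DEFINES": 0x8000,
    "BINDS_TO_WEAK": 0x10000,
    "PIE": 0x200000,
}
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
MH_EXECUTE = 0x2


def macho_header(data: bytes):
    """Return (filetype, flags) from a thin Mach-O header, or raise ValueError."""
    if len(data) < 28:
        raise ValueError("too short for a mach_header")
    for endian in ("<", ">"):  # the magic tells us the file's byte order
        (magic,) = struct.unpack_from(endian + "I", data, 0)
        if magic in (MH_MAGIC, MH_MAGIC_64):
            # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
            fields = struct.unpack_from(endian + "IiiIIII", data, 0)
            return fields[3], fields[6]
    raise ValueError("not a thin Mach-O file (universal binary or other format)")


def flag_names(flags: int):
    """Names of the known flag bits set in a header flags word."""
    return [name for name, bit in MH_FLAGS.items() if flags & bit]


def check_macho(data: bytes):
    """Return the names of failed checks for a main executable (empty = pass)."""
    filetype, flags = macho_header(data)
    failed = []
    # loader.h: MH_PIE is only used in MH_EXECUTE filetypes.
    if filetype != MH_EXECUTE or not flags & MH_FLAGS["PIE"]:
        failed.append("PIE")
    if not flags & MH_FLAGS["NOUNDEFS"]:
        failed.append("NOUNDEFS")
    return failed


def sample_header(flags: int, filetype: int = MH_EXECUTE) -> bytes:
    """Constructed 64-bit little-endian header (x86_64, 24 cmds, 2544 bytes)."""
    return struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3,
                       filetype, 24, 2544, flags, 0)
```

To check a real file, pass its first 32 bytes, e.g. `check_macho(open("src/bitcoind", "rb").read(32))`.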
  10. fanquake added the label Needs gitian build on Jan 2, 2020
  11. scripts: add MACHO PIE check to security-check.py 4ca92dc6d3
  12. scripts: add MACHO NOUNDEFS check to security-check.py 7c9e821c4e
  13. fanquake force-pushed on Jan 2, 2020
  14. laanwj commented at 11:46 am on January 2, 2020: member
    code review ACK 7c9e821c4e6cb186208ead9c8df616d1f393a49a
  15. laanwj referenced this in commit 0655c7a94c on Jan 2, 2020
  16. laanwj merged this on Jan 2, 2020
  17. laanwj closed this on Jan 2, 2020

  18. fanquake deleted the branch on Jan 2, 2020
  19. MarcoFalke commented at 3:20 pm on January 2, 2020: member

    (Ir)relevant, but related discussion from IRC:

    [00:06] <wumpus> happy 2020 everyone
    [00:12] <fanquake> wumpus 🎉
    [00:12] <wumpus> let's do my first 'git pull' of the repository this decade
    [00:15] <fanquake> Watch out for all the copyright headers 🙄
    [00:16] <wumpus> that causes make / ccache to forget everything resulting in a clean build for the new year!
    [00:20] <fanquake> heh. Looking forward to another decade of bitcoind!
    [00:21] <wumpus> yes!
    [00:22] <wumpus> what would be cool to merge as first PR?
    [00:23] <wumpus> #10785 would be nice
    [00:23] <gribble> #10785 | Serialization improvements by sipa · Pull Request #10785 · bitcoin/bitcoin · GitHub
    [00:24] <fanquake> Right now I can probably only tell you what would not be cool to merge
    [00:24] <wumpus> very futuristic to have improved serialization for the new decade
    [00:24] <wumpus> hehe yes
    [00:26] <sipa> agree! ;)
    [00:27] <fanquake> I'll be very biased, and suggest that #17787 is just a tiny bit "cool"
    [00:27] <gribble> #17787 | scripts: add MACHO PIE check to security-check.py by fanquake · Pull Request #17787 · bitcoin/bitcoin · GitHub
    [00:28] <sipa> MACHO does sound very cool
    [00:30] <fanquake> Got some pie as well. Sounds like a good deal all round
    [00:31] <wumpus> MACHO PIE
    [00:32] <wumpus> it's good branding for security features
    [00:35] <fanquake> macOS has all the cool flags heh
    [00:35] <fanquake> NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE
    
  20. MarcoFalke removed the label Needs gitian build on Jan 2, 2020
  21. sidhujag referenced this in commit 91fdb4cb1b on Jan 2, 2020
  22. sidhujag referenced this in commit fe6f5c0866 on Nov 10, 2020
  23. DrahtBot locked this on Feb 15, 2022


This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-07-05 22:12 UTC