.. title: checksec
.. slug: checksec
.. date: 2019-01-02 00:48:31 UTC+01:00
.. tags: linux, security, shell, checksec
.. category:
.. link:
.. description:
.. type: text
It is not a coincidence that the first post in this still young year
is about security. Since I realized last year how far the current
internet with its "data capitalism" has strayed from its beginnings, I
did a lot of reading to understand the situation in more detail.
`Data and Goliath `_
by the renowned security expert Bruce Schneier was a depressing eye
opener and I am currently still reading his new book `Click Here to
Kill Everybody `_ which
reiterates the problems in light of more recent events. If you are
looking for more in depth information from somebody with a long track
record, I can strongly recommend those books as a starting point.
.. image:: /images/Linux-Security.jpg
:width: 250
:align: center
:alt: Linux Security
One of the lessons I recently learned is that real security is
extremely hard to achieve - even by the best in the field. It is also
pretty much impossible for a non-specialist to evaluate the security
of any given solution without much more transparency into the security
design process (threat models) and the implementation methods used to
avoid them (protocols, etc.).
The Linux kernel and the GNU tool chains on the other hand offer a
variety of hardening features to protect a GNU/Linux system from
certain vulnerabilities. Having a tool to quickly evaluation which of
those methods are in effect on a given system would be a welcome tool
in the toolbox, especially when custom build systems are involved
rather than the well known distributions.
The application security expert Tobias Klein provides a nice `shell
script `_ to do exactly
that. As ``checksec.sh`` only requires the Bourne Again Shell (bash), it is
immediately usable on pretty much every GNU/Linux system out there.
.. TEASER_END
To give you a quick glimpse of what the script does, here is a
screenshot of running the kernel checks on a stock Debian 9 GNU/Linux
system on an x86_64 system:
.. image:: /images/checksec-kernel.png
:alt: checksec.sh --kernel
:align: center
Below are the first few items of checking all running processes. It
is run through sudo to also check system processes:
.. image:: /images/checksec-proc-all.png
:alt: checksec.sh --proc-all
:align: center
It seems that Debian has a somewhat lax approach to using the
available mechanisms.
Of course it is trivial to also quickly check packages not installed
from official distribution repositories by whatever means. For
example the nice free `Teamviewer `_
remote control solution is available through a separate Debian
repository:
.. image:: /images/checksec-teamviewerd.png
:alt: checksec.sh --proc teamviewerd
:align: center
So this binary does not use stack smash protection nor position
independent code (PIE). Unfortunately the latter disables the address
space layout randomization (ASLR) as can be seen by checking the
virtual address space of the process. Especially for such an internet
facing service I would love to see those features enabled.
In case you are not familiar with the used terms like "RELRO" and
"stack canaries", there is already a good short blog post containing
`more detailed explanations
`_
of the underlying concepts.