* [gentoo-user] How to check for PIE-code ?
@ 2017-12-03 18:06 tuxic
2017-12-03 18:30 ` ckard
0 siblings, 1 reply; 3+ messages in thread
From: tuxic @ 2017-12-03 18:06 UTC (permalink / raw
To: Gentoo
Hi,
is there any way to check, whether a compilated binary is using
the position-independant-code feature or is still build according
to old standards?
Cheers
Meino
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [gentoo-user] How to check for PIE-code ?
2017-12-03 18:06 [gentoo-user] How to check for PIE-code ? tuxic
@ 2017-12-03 18:30 ` ckard
2017-12-04 14:17 ` David Haller
0 siblings, 1 reply; 3+ messages in thread
From: ckard @ 2017-12-03 18:30 UTC (permalink / raw
To: gentoo-user
[-- Attachment #1: Type: text/plain, Size: 337 bytes --]
You can use app-admin/checksec to see if different security features are
enabled or not.
On Sun, Dec 3, 2017 at 8:06 PM, <tuxic@posteo.de> wrote:
> Hi,
>
> is there any way to check, whether a compilated binary is using
> the position-independant-code feature or is still build according
> to old standards?
>
> Cheers
> Meino
>
>
>
>
[-- Attachment #2: Type: text/html, Size: 679 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [gentoo-user] How to check for PIE-code ?
2017-12-03 18:30 ` ckard
@ 2017-12-04 14:17 ` David Haller
0 siblings, 0 replies; 3+ messages in thread
From: David Haller @ 2017-12-04 14:17 UTC (permalink / raw
To: gentoo-user
Hello,
On Sun, 03 Dec 2017, ckard wrote:
>On Sun, Dec 3, 2017 at 8:06 PM, <tuxic@posteo.de> wrote:
>> is there any way to check, whether a compilated binary is using
>> the position-independant-code feature or is still build according
>> to old standards?
>
>You can use app-admin/checksec to see if different security features are
>enabled or not.
Nice. For this special use-case (what has been rebuilt with PIE and
what not), I've extracted a (faster) variant from checksec, though
it's unclear to me how to discern libs built with PIE and without[1].
I guess the linker'll tell me.
==== ~/bin/check-pie ====
#!/bin/bash
for arg; do
re=$(readelf -h "$arg" 2>/dev/null)
if printf '%s' -- "$re" | grep -q 'Type:[[:space:]]*EXEC'; then
pie="no pie"
elif printf '%s' -- "$re" | grep -q 'Type:[[:space:]]*DYN'; then
pie=$(readelf -d "$arg" | awk -F':' '
$1 ~ /\(FLAGS.*Flags$/ && $2 ~ / PIE/ { print "PIE"; }
$1 ~ /\(SONAME/ { print "DSO"; }')
else
printf "Not an executable: %s\n" "$arg" >&2
continue;
fi
printf "%s\t%s\n" "$arg" "$pie"
done
====
USAGE is check-pie FILE[S...]
e.g.:
# check-pie /usr/bin/* 2>/dev/null | \
awk '/PIE/{PIE++;}
/no pie/{nopie++};
END{ printf("PIE: %i, no PIE:%i\n", PIE, nopie); }'
HTH,
-dnh
[1] I've built a lib of my own both with -fpie/-fno-pie and compared
readelf -a outputs, and there's not difference besides offsets.
--
Any sufficiently advanced technology is indistinguishable from magic.
-- Arthur C. Clarke
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2017-12-04 14:41 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-12-03 18:06 [gentoo-user] How to check for PIE-code ? tuxic
2017-12-03 18:30 ` ckard
2017-12-04 14:17 ` David Haller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox