4

On Linux, is there any way to tell if a binary file has been compiled with stack-smashing on/off from the command-line?

I am pretty sure that I have the protection on, but just for the sake of sanity, I'd like to write some tests for my binaries in case there ever comes a day when everything goes wrong and the protection is off... for some reason.

ldanielw1
  • Can you disassemble it and look at some functions to see if they look like there's stack protection code in there? – Carl Norum Jun 20 '13 at 16:53
  • 2
    If you go for the disassembly route, you should check for [stack-smashing protection prologues and epilogues](http://www.drdobbs.com/security/anatomy-of-a-stack-smashing-attack-and-h/240001832?pgno=2). – Vilhelm Gray Jun 20 '13 at 17:15
  • PS: The above link is broken, but you can find it on web.archive.org. e.g. [20180727](http://web.archive.org/web/20180727001715/https://www.drdobbs.com/security/anatomy-of-a-stack-smashing-attack-and-h/240001832?pgno=2) – kuga Jun 09 '22 at 15:17

2 Answers

7

If your executable file format is ELF, and it happens to have been compiled by GCC v4.3 or greater, which just happened to be passed the -frecord-gcc-switches command-line switch, then you could do the following:

```
$ gcc -frecord-gcc-switches -fno-stack-protector test.c
$ readelf -p .GCC.command.line a.out

String dump of section '.GCC.command.line':
  [     0]  -imultiarch x86_64-linux-gnu
  [    1d]  test.c
  [    24]  -mtune=generic
  [    33]  -march=x86-64
  [    41]  -frecord-gcc-switches
  [    57]  -fno-stack-protector
```

When GCC is passed the -frecord-gcc-switches switch, it will add the .GCC.command.line section -- containing the switches passed to GCC -- to the binary ELF file it creates.

You can then use readelf to print out the relevant section from your binary ELF file and search for the existence of the -fno-stack-protector switch to determine if the binary file has been compiled with stack-smashing on/off.

Unfortunately, this solution is limited to binary files compiled using the -frecord-gcc-switches switch -- which effectively means it's useless for the majority of situations, though perhaps you may luck out in your particular case.


It's worth mentioning that the detection of buffer overflow vulnerabilities in binary files is an active area of research. For instance, here's a research paper detailing a simple detection module (see section 7.1).

See also

Get the compiler options from a compiled executable?

Vilhelm Gray
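Added example, not part of the answer above: a shell function that reads a `readelf -p .GCC.command.line` string dump on stdin and classifies the recorded stack-protector switches, so a build test can tell "explicitly disabled" apart from "nothing recorded". The function name `ssp_from_dump` and its output labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the answer): classify the
# stack-protector switches in a `readelf -p .GCC.command.line` dump on stdin.
# Prints one of: off | on | unrecorded | no-section
ssp_from_dump() {
    awk '
    {
        line = $0
        # Dump rows look like "  [    57]  -fno-stack-protector".
        # Header and blank lines do not match and are skipped.
        if (!sub(/^[ \t]*\[[ \t]*[0-9a-f]+\][ \t]*/, "", line)) next
        rows++
        # Split on whitespace so a row holding several switches still works.
        n = split(line, opt, " ")
        for (i = 1; i <= n; i++) {
            if (opt[i] == "-fno-stack-protector") off = 1
            else if (opt[i] ~ /^-fstack-protector(-strong|-all|-explicit)?$/) on = 1
        }
    }
    END {
        # A linked binary can carry switches from more than one compilation,
        # so any recorded disable is reported as "off" (conservative).
        if (!rows)    print "no-section"   # no rows: section absent or empty
        else if (off) print "off"
        else if (on)  print "on"
        else          print "unrecorded"   # compiler default applied, unknown here
    }'
}

# Constructed sample: the dump shown in the answer above.
SAMPLE_DUMP="String dump of section '.GCC.command.line':
  [     0]  -imultiarch x86_64-linux-gnu
  [    1d]  test.c
  [    24]  -mtune=generic
  [    33]  -march=x86-64
  [    41]  -frecord-gcc-switches
  [    57]  -fno-stack-protector"

# Usage on a real binary (assumes readelf is installed):
#   readelf -p .GCC.command.line a.out 2>/dev/null | ssp_from_dump
```

A result of `unrecorded` means no stack-protector switch was passed explicitly, so the outcome depends on the compiler's built-in default and has to be confirmed another way.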
1

The checksec command can be used to check for stack protection measures (along with other binary security properties):

```
checksec --file /usr/bin/ls
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols     FORTIFY Fortified   Fortifiable FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   No Symbols  Yes     5           17          /usr/bin/ls
```

Note that STACK CANARY indicates whether stack protection is enabled for the executable.

This command can be installed via the package manager for most Linux distributions; the bash script it uses can also be downloaded from its GitHub repo.