diff --git a/README.md b/README.md
index 6310058369..8ac19585d8 100644
--- a/README.md
+++ b/README.md
@@ -225,7 +225,6 @@ The layer can check on a recipe-level or on an image-level.
 | reconbf | security audit tool | https://github.com/HewlettPackard/reconbf | | | x | | | | | | | | | x | | | | | | | x | | |
 | reuse | Scan code for license information | https://github.com/fsfe/reuse-tool | | | | x | | | | | | | | | | | | | | x | x | | |
 | revive | GO linter | https://github.com/mgechev/revive | | | | x | | | | | | | x | | | | | | | | | x | x |
-| ropgadget | Determine ROP exploitability in binaries | https://github.com/JonathanSalwan/ROPgadget | manual enable | | | x | | | | | | | | | | | | x | | | x | | |
 | rubycritic | Ruby linter | https://github.com/whitesmith/rubycritic/ | meta-rubygems, manual enable | | | x | | | | | | | | | | | | | | x | | | x |
 | safety | Check for known vulnerabilities in python-packages | https://github.com/pyupio/safety | | | x | | | x | | | | | | | | | | x | | x | | |
 | scancode | Scan code for license information | https://github.com/nexB/scancode-toolkit | | | | x | | | | | | | | | | | | | | x | x | | |
@@ -316,7 +315,6 @@ each tool does have it's own benefits and flaws so don't be mad if you have 10k+
 - [reconbf](docs/conf/module/reconbf.md)
 - [reuse](docs/conf/module/reuse.md)
 - [revive](docs/conf/module/revive.md)
-- [ropgadget](docs/conf/module/ropgadget.md)
 - [rubycritic](docs/conf/module/rubycritic.md)
 - [safety](docs/conf/module/safety.md)
 - [scancode](docs/conf/module/scancode.md)
diff --git a/classes/sca-blacklist.bbclass b/classes/sca-blacklist.bbclass
index c8bff352dc..5243353fce 100644
--- a/classes/sca-blacklist.bbclass
+++ b/classes/sca-blacklist.bbclass
@@ -53,7 +53,6 @@ SCA_BLACKLIST_pysymcheck ?= ""
 SCA_BLACKLIST_rats ?= ""
 SCA_BLACKLIST_reconbf ?= ""
 SCA_BLACKLIST_revive ?= "openssh"
-SCA_BLACKLIST_ropgadget ?= "linux-.*"
 SCA_BLACKLIST_rubycritic ?= ""
 SCA_BLACKLIST_safety ?= ""
 SCA_BLACKLIST_scancode ?= ""
diff --git a/classes/sca-on-recipe.bbclass b/classes/sca-on-recipe.bbclass
index 51bbcf43af..0fda2da012 100755
--- a/classes/sca-on-recipe.bbclass
+++ b/classes/sca-on-recipe.bbclass
@@ -53,7 +53,6 @@ SCA_ENABLED_MODULES_RECIPE ?= "\
 rats \
 reuse \
 revive \
- ropgadget \
 rubycritic \
 safety \
 scancode \
diff --git a/classes/sca-ropgadget.bbclass b/classes/sca-ropgadget.bbclass
deleted file mode 100755
index 6eb064acf4..0000000000
--- a/classes/sca-ropgadget.bbclass
+++ /dev/null
@@ -1,164 +0,0 @@
-## SPDX-License-Identifier: BSD-2-Clause
-## Copyright (c) 2019, Konrad Weihmann
-
-## Threshold before issueing a warning
-## all other findings are reported as info-only
-SCA_ROPGADGET_WARNING_THRESHOLD ?= "500"
-
-SCA_RAW_RESULT_FILE[ropgadget] = "txt"
-
-inherit sca-conv-to-export
-inherit sca-datamodel
-inherit sca-global
-inherit sca-helper
-inherit sca-suppress
-inherit sca-image-backtrack
-
-inherit python3native
-
-DEPENDS += "python3-ropgadget-native"
-
-PACKAGE_DEBUG_SPLIT_STYLE = '.debug'
-
-def translate_address(tuples, bin, d):
- import subprocess
- import re
- import os
-
- _addr2line = os.environ.get("AS", "-as").replace("-as", "-addr2line").strip()
- _args = [_addr2line, "-e", bin, tuples[0]]
- output = ""
- try:
- _out = subprocess.check_output(_args, universal_newlines=True)
- for im in re.finditer(r"(?P.*):(?P\d+)", _out):
- _file = os.path.abspath(im.group("file"))
- output += "{} - {}:{} - {}\n".format(bin, _file, im.group("line"), tuples[1])
- except Exception as e:
- sca_log_note(d, str(e))
- return output
-
-def convert_veryraw(d, bin, content):
- import os
- import re
- ## Find debug symbol file
- _relpath = os.path.relpath(bin,
- os.path.join(d.getVar("WORKDIR"), "packages-split", d.getVar("PN")))
- _dbg = os.path.join(os.path.join(d.getVar("WORKDIR"), "packages-split",
- "{}-dbg".format(d.getVar("PN")), os.path.dirname(_relpath), ".debug", os.path.basename(bin)))
- output = ""
- if os.path.isfile(_dbg):
- _map = []
-
- for m in re.finditer(r"^(?P0x\w+)\s+:\s+(?P.*)", content, re.MULTILINE):
- _map.append((m.group("addr"), m.group("msg")))
-
- results = oe.utils.multiprocess_launch(translate_address, _map, d, extraargs=(_dbg, d,))
- output = "".join(results)
- return output
-
-def do_sca_conv_ropgadget(d):
- import os
- import re
-
- package_name = d.getVar("PN")
- buildpath = d.getVar("SCA_SOURCES_DIR")
-
- pattern = r"^(?P.*)\s+-\s+(?P.*):(?P\d+)\s+-\s+(?P.*)"
-
- _excludes = sca_filter_files(d, d.getVar("SCA_SOURCES_DIR"), clean_split(d, "SCA_FILE_FILTER_EXTRA"))
- _suppress = sca_suppress_init(d, "", None, file_trace=False)
- _findings = {}
- _findingsres = []
-
- if os.path.exists(sca_raw_result_file(d, "ropgadget")):
- with open(sca_raw_result_file(d, "ropgadget"), "r") as f:
- for m in re.finditer(pattern, f.read(), re.MULTILINE):
- try:
- g = sca_get_model_class(d,
- PackageName=package_name,
- Tool="ropgadget",
- BuildPath=buildpath,
- File=m.group("file"),
- Line=m.group("line"),
- Message=m.group("msg"),
- ID="ropprone",
- Severity="info")
- if _suppress.Suppressed(g):
- continue
- if g.File in _excludes:
- continue
- if g.Scope not in clean_split(d, "SCA_SCOPE_FILTER"):
- continue
- if not m.group("bin") in _findings.keys():
- _findings[m.group("bin")] = 0
- _findings[m.group("bin")] += 1
- if g.Severity in sca_allowed_warning_level(d):
- _findingsres += sca_backtrack_findings(d, g)
- except Exception as exp:
- sca_log_note(d, str(exp))
-
- _threshold = 99999999999
- try:
- _threshold = int(d.getVar("SCA_ROPGADGET_WARNING_THRESHOLD"))
- except:
- pass
-
- for k, v in _findings.items():
- if v > _threshold:
- g = sca_get_model_class(d,
- PackageName=package_name,
- Tool="ropgadget",
- File=k,
- BuildPath=os.path.join(d.getVar("WORKDIR"), "packages-split"),
- Message="{} exceeded ROP exploit threshold ({}/{})".format(package_name, v, _threshold),
- ID="thresholdexceeded",
- Severity="warning")
- if _suppress.Suppressed(g):
- continue
- if g.Scope not in clean_split(d, "SCA_SCOPE_FILTER"):
- continue
- if g.Severity in sca_allowed_warning_level(d):
- _findingsres += sca_backtrack_findings(d, g)
-
- sca_add_model_class_list(d, _findingsres)
- return sca_save_model_to_string(d)
-
-python do_sca_ropgadget() {
- import os
- import subprocess
-
- ## This module does not support suppression or fatal-error
-
- _args = [d.getVar("PYTHON")]
- _args += [os.path.join(d.getVar("STAGING_BINDIR_NATIVE"), "ROPgadget")]
- _args += ["--binary"]
-
- _files = get_files_by_mimetype(d, os.path.join(d.getVar("WORKDIR"), "packages-split"),
- ["application/x-executable", 'application/x-sharedlib', 'application/x-pie-executable'],[])
- ## Run
- cmd_output = ""
- raw_output = ""
-
- for _f in _files:
- if ("{}-dbg".format(d.getVar("PN")) in _f.split("/")) or os.path.islink(_f):
- ## Skip debug packages
- continue
- try:
- raw_output = subprocess.check_output(_args + [_f], universal_newlines=True)
- except subprocess.CalledProcessError as e:
- raw_output = e.stdout or ""
- cmd_output += convert_veryraw(d, _f, raw_output)
- with open(sca_raw_result_file(d, "ropgadget"), "w") as o:
- o.write(cmd_output)
-
- ## Create data model
- d.setVar("SCA_DATAMODEL_STORAGE", "{}/ropgadget.dm".format(d.getVar("T")))
- dm_output = do_sca_conv_ropgadget(d)
- with open(d.getVar("SCA_DATAMODEL_STORAGE"), "w") as o:
- o.write(dm_output)
-
- sca_task_aftermath(d, "ropgadget", get_fatal_entries(d, "", None))
-}
-
-do_sca_ropgadget[doc] = "Find ROP exploitable pattern in binaries"
-addtask do_sca_ropgadget before do_sca_deploy after do_package
diff --git a/docs/casestudy/adv_security.md b/docs/casestudy/adv_security.md
index 0a9de95e58..60e478c229 100644
--- a/docs/casestudy/adv_security.md
+++ b/docs/casestudy/adv_security.md
@@ -114,26 +114,6 @@ SCA_AVAILABLE_MODULES = "tlv"
 in the conf/local.conf-file.
-#### Hardening if user defined code is executed
-
-In this case it might be worth a look if your code does have a larger weakness for [ROP](https://en.wikipedia.org/wiki/Return-oriented_programming).
-Mostly it can't be fully avoided, but the chances of being exploited by that technique could be mitigated.
-
-The [ropgadget](../conf/module/ropgadget.md) module does scan your code for such pattern.
-As there are a large number of occurrences the global loglevel need to be turned to "info" to see all findings.
-
-To active add/set
-
-```bitbake
-SCA_AVAILABLE_MODULES = "ropgadget"
-SCA_WARNING_LEVEL = "info"
-```
-
-in the conf/local.conf-file.
-
-To fix it, try to write the code pattern in a different style so the compiler doesn't translate it into a exploitable pattern.
-This might need some time and should be done by an experienced developer.
-
 #### Usage of metrics
 Metrics have proven to be quite a good indicator of improvable code.
@@ -176,7 +156,6 @@ The full applied configuration may look like this
 SCA_AVAILABLE_MODULES = "\
 gcc \
 bitbake \
- ropgadget \
 tlv \
 multimetric \
 cppcheck \
diff --git a/docs/conf/module/ropgadget.md b/docs/conf/module/ropgadget.md
deleted file mode 100644
index c61fff5771..0000000000
--- a/docs/conf/module/ropgadget.md
+++ /dev/null
@@ -1,68 +0,0 @@
-# Available configuration for ropgadget
-
-This module is somehow different - it tries to get all code which is somehow exploitable by ROP (return oriented programming).
-If the number of findings exceeds the configured threshold value a warning is issued.
-The findings themselves are only created as "info" level findings.
-So if you actually want to see the details you can have a look into the raw-file or you have to configure SCA_WARNING_LEVEL to "info".
-
-## Supported environments/languages
-
-* binaries
-
-## Configuration
-
-| var | purpose | type | default |
-| ------------- |:-------------:| -----:| -----:
-| SCA_BLACKLIST_ropgagdet | Blacklist filter for this tool | space-separated-list | "linux-*"
-| SCA_ROPGADGET_WARNING_THRESHOLD | Threshold value when to issue a warning | integer | "500"
-
-## Supports
-
-* [ ] suppression of IDs
-* [ ] terminate build on fatal
-* [x] run on recipe
-* [ ] run on image
-* [ ] run with SCA-layer default settings (see SCA_AVAILABLE_MODULES)
-
-## Requires
-
-* [ ] requires online access
-
-## Known error-IDs
-
-__tbd__
-
-## Notes
-
-A large value does not actually mean that your binary __is__ exploitable, but a larger number actually raises the probability a lot that it __could__ be done
-
-## Checking scope
-
-* [x] security
-* [ ] functional defects
-* [ ] compliance
-* [ ] style issues
-
-## Statistics
-
-* ⬛⬛⬛⬛⬛⬜⬜⬜⬜⬜ 05/10 Build Speed
-* ⬛⬛⬛⬛⬛⬛⬛⬜⬜⬜ 07/10 Execution Speed
-* ⬛⬛⬛⬛⬛⬛⬛⬛⬛⬜ 09/10 Quality
-
-## Score mapping
-
-### Error considered as security relevant
-
-* ropgadget.ropgadget.*
-
-### Error considered as functional defect
-
-* n.a.
-
-### Error consired as compliance issue
-
-* n.a.
-
-### Error considered as style issue
-
-* n.a.
diff --git a/files/module_list.csv b/files/module_list.csv
index 0df4eeaff7..49c73f2594 100644
--- a/files/module_list.csv
+++ b/files/module_list.csv
@@ -50,7 +50,6 @@ rats,Check on insecurities in several languages,https://github.com/redNixon/rats
 reconbf,security audit tool,https://github.com/HewlettPackard/reconbf,,,x,,,,,,,,,x,,,,,,,x,,
 reuse,Scan code for license information,https://github.com/fsfe/reuse-tool,,,,x,,,,,,,,,,,,,,x,x,,
 revive,GO linter,https://github.com/mgechev/revive,,,,x,,,,,,,x,,,,,,,,,x,x
-ropgadget,Determine ROP exploitability in binaries,https://github.com/JonathanSalwan/ROPgadget,manual enable,,,x,,,,,,,,,,,,x,,,x,,
 rubycritic,Ruby linter,https://github.com/whitesmith/rubycritic/,"meta-rubygems, manual enable",,,x,,,,,,,,,,,,,,x,,,x
 safety,Check for known vulnerabilities in python-packages,https://github.com/pyupio/safety,,,x,,,x,,,,,,,,,,x,,x,,
 scancode,Scan code for license information,https://github.com/nexB/scancode-toolkit,,,,x,,,,,,,,,,,,,,x,x,,
diff --git a/recipes-sca/python3-ropgadget-native/files/ropgadget.sca.description b/recipes-sca/python3-ropgadget-native/files/ropgadget.sca.description
deleted file mode 100644
index 4c99f0a057..0000000000
--- a/recipes-sca/python3-ropgadget-native/files/ropgadget.sca.description
+++ /dev/null
@@ -1,34 +0,0 @@
-{
- "buildspeed": 5,
- "execspeed": 7,
- "languages": [
- "binary"
- ],
- "uses": [
- "@python"
- ],
- "quality": 9,
- "scope": [
- "security",
- "style"
- ],
- "score": {
- "security": [
- "ropgadget.ropgadget.thresholdexceeded"
- ],
- "style": [
- "ropgadget.ropgadget..*"
- ]
- },
- "test": {
- "integration": [
- {"cmd": ["ROPgadget", "--help"], "returncode": 0}
- ],
- "findings": [
- "busybox"
- ],
- "no-findings": [
- "bad-bitbake"
- ]
- }
-}
\ No newline at end of file
diff --git a/recipes-sca/python3-ropgadget-native/python3-ropgadget-native_6.7.bb b/recipes-sca/python3-ropgadget-native/python3-ropgadget-native_6.7.bb
deleted file mode 100755
index 375854aafd..0000000000
--- a/recipes-sca/python3-ropgadget-native/python3-ropgadget-native_6.7.bb
+++ /dev/null
@@ -1,23 +0,0 @@
-SUMMARY = "Find ROP exploitation pattern"
-DESCRIPTION = "This tool lets you search your gadgets on your binaries to facilitate your ROP exploitation"
-HOMEPAGE = "https://github.com/JonathanSalwan/ROPgadget"
-
-DEFAULT_PREFERENCE = "${SCA_DEFAULT_PREFERENCE}"
-LICENSE = "BSD-3-Clause"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/${LICENSE};md5=550794465ba0ec5312d6919e203a55f9"
-
-DEPENDS += "\
- python3-capstone-native \
- python3-native \
- "
-
-SRC_URI[sha256sum] = "a048f2e51c397b902e4586997bd4fe62af97984e207567cb63e67d86e8e09c8e"
-
-PYPI_PACKAGE = "ROPGadget"
-
-inherit sca-description
-inherit pypi
-inherit setuptools3
-inherit native
-
-SCA_TOOL_DESCRIPTION = "ropgadget"
diff --git a/test/lang_standard_03.txt b/test/lang_standard_03.txt
index 834dd0a918..6704308b0f 100644
--- a/test/lang_standard_03.txt
+++ b/test/lang_standard_03.txt
@@ -3,7 +3,6 @@ configcheck
 lse
 lynis
 nixauditor
-ropgadget
 reconbf
 sudokiller
 systemdlint