Given the concerns regarding software memory safety issues raised by
NSA,
White House Office of the National Cyber Director (ONCD) for C/C++ but also the fact that the recommendations regarding the use of other programming languages cannot be put into practice easily and immediately because the amount of C and C++ code written over the years is immense, the solution is to secure what we had now until we can move on to something else.
So let's build more secure ELF binaries and check what we're using.
I've talked about building in previous posts, but I've also talked a bit about how to test binaries using checksec (Bash script).
There is also the alternative
HardeningMeter (Python based) which I haven't used yet, I just read about it. The author says that checksec should be improved, so I started to better document myself about the development of checksec and to test the new versions.
After checking the test files (tests/binaries/output) from checksec with both applications, the conclusion is that HardeningMeter is the one that suffers from the lack of accuracy and I do not recommend its use.
That's how I found out that there is a
large rewrite in progress and it seems that things are moving.
Checksec 2.7.0 was released last week and is already there checksec
2.7.1 tag with improved detection for Fortify source including tests for verification.
If someone wants/is curious to find out how Slackware compares to, for example, Ubuntu, you can download the checksec script from the 2.7.1 link and run it to check all running processes:
Code:
./checksec --proc-all
Red dominates in Slackware and green in Ubuntu.
Ubuntu 24.04 LTS (Noble Numbat) released, I will test it a bit.