Amazon "Application Security Best Practices" Alert Firing #47345

Closed
wycats opened this issue Jan 11, 2018 · 4 comments
Labels
C-enhancement Category: An issue proposing an enhancement or a PR with one. T-compiler Relevant to the compiler team, which will review and decide on the PR/issue.

Comments

@wycats
Contributor

wycats commented Jan 11, 2018

For a few years, users have been reporting that libskylight.so, a compiled Rust binary, is triggering an Amazon "Application Security Best Practices" inspection with a "High" severity.

The issue is tracked on our tracker but we've not had great luck tracking down the source of the problem.

We're using Cargo to compile a staticlib, and then turning it into an so with a bit of postprocessing via gcc with these settings:

--shared -Wall -lrt -Wl,--gc-sections -Wl,--version-script ./skylight.map

We don't do anything special with stack-protector or nxcompat.

Our best guess at the moment is that the Rust compiled output is somehow tripping these alerts, but we don't have many leads.

@sfackler
Member

What does readelf -l report for the .so?

@sfackler
Member

Ok, yeah, it's marked as requiring an executable stack:

Elf file type is DYN (Shared object file)
Entry point 0x53880
There are 6 program headers, starting at offset 64

Program Headers:
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000b7a254 0x0000000000b7a254  R E    0x200000
  LOAD           0x0000000000b7a258 0x0000000000d7a258 0x0000000000d7a258
                 0x0000000000040fa8 0x00000000000437a0  RW     0x200000
  DYNAMIC        0x0000000000bb3138 0x0000000000db3138 0x0000000000db3138
                 0x00000000000001e0 0x00000000000001e0  RW     0x8
  TLS            0x0000000000b7a258 0x0000000000d7a258 0x0000000000d7a258
                 0x00000000000000f0 0x00000000000000f0  R      0x8
  GNU_EH_FRAME   0x0000000000af4220 0x0000000000af4220 0x0000000000af4220
                 0x0000000000000008 0x0000000000000008  R      0x4
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000  RWE    0x8

 Section to Segment mapping:
  Segment Sections...
   00     .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame .gcc_except_table
   01     .tdata .ctors .dtors .jcr .data.rel.ro .dynamic .got .got.plt .data .bss
   02     .dynamic
   03     .tdata
   04     .eh_frame_hdr
   05

A rust-built cdylib doesn't have one, so it seems like this is being injected by the postprocessing?

@sfackler
Member

I think it may be as simple as just telling the linker to not set the execute bit:

"-Wl,-z,noexecstack".to_string(),
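
A defender-side check for the finding discussed in this thread, added here as an example that is not code from the issue, the Skylight project or rustc: it parses `readelf -l` text for the GNU_STACK flags and reports the execute bit. The sample headers are constructed to mirror the output quoted above, and the function and variable names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the issue or the Skylight/Rust projects.
# Parses `readelf -l` text and reports whether the GNU_STACK program header
# carries the E (execute) flag, which is what the inspection above flags.
# GNU ld sets that bit whenever any input object lacks a .note.GNU-stack
# section; linking with -Wl,-z,noexecstack forces it clear regardless.

# Print the Flags field of the GNU_STACK header from readelf -l text on stdin.
# readelf prints each header as two lines: "Type Offset VirtAddr PhysAddr",
# then "FileSiz MemSiz Flags Align". Flags may be split ("R E"), so every
# field between MemSiz and Align is joined into one token.
gnu_stack_flags() {
    awk '
        $1 == "GNU_STACK" { grab = 1; next }
        grab == 1 { f = ""; for (i = 3; i < NF; i++) f = f $i; print f; exit }
    '
}

# Return 0 when the stack is non-executable, 1 when it is executable,
# 2 when no GNU_STACK header is present (treat that as a finding as well).
check_stack() {
    flags=$(gnu_stack_flags)
    case "$flags" in
        "")  return 2 ;;
        *E*) return 1 ;;
        *)   return 0 ;;
    esac
}

# Constructed sample mirroring the headers quoted in the issue (RWE stack).
SAMPLE_RWE='Program Headers:
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000b7a254 0x0000000000b7a254  R E    0x200000
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000  RWE    0x8'

# Constructed sample of the same header after relinking with
# gcc --shared ... -Wl,-z,noexecstack (only the stack header shown).
SAMPLE_RW='Program Headers:
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000  RW     0x8'

# Stand-alone usage; on a real file: readelf -l -W libskylight.so | check_stack
printf '%s\n' "$SAMPLE_RWE" | check_stack || echo "executable stack (rc=$?)"
printf '%s\n' "$SAMPLE_RW"  | check_stack && echo "stack is non-executable"
```

Running the check against the relinked .so before shipping is what confirms the `-z noexecstack` change actually took effect, independently of the cloud inspection.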

@pietroalbini pietroalbini added C-enhancement Category: An issue proposing an enhancement or a PR with one. T-compiler Relevant to the compiler team, which will review and decide on the PR/issue. labels Feb 6, 2018
@jonas-schievink
Contributor

Not our bug, closing.
