checksec / security features of compiled binaries

We recently (November 2021) had a look at the default security features that can be enabled when compiling a binary. More concrete we just ran

1

$ gcc test.c -o test

without any additional parameters and then used pwntool’s checksec to check the presence of RELRO, Stack Canaries, NX and PIE support. Those were the results across some popular Linux distributions and versions:

The results show that Debian and Fedora/CentOS don’t use stack canaries by default and Fedora/CentOS doesn’t compile the binary as a Position Independent Executable (PIE) by default. With Kali Linux there are also no stack canaries by default. Full RELRO is only enabled by Ubuntu by default. Also, Ubuntu enables all of the checked features by default.

Note: This does not mean that the distributions’s binaries (e.g., ls, cat, …) are compiled without the security flags as can be seen on this Fedora 35 machine:

1
2
3
4
5
6
7
8

$ checksec /bin/ls              
[*] '/bin/ls'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
    FORTIFY:  Enabled

It’s always good to know which features are available and how they can be activated when compiling a program. More information can be found here: https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc

If you want to investigate your favorite Linux distribution use this checksec version: https://github.com/slimm609/checksec.sh and, for example, run:

1

./checksec --dir=/bin

to check all binaries in /bin or

1

./checksec --all-procs

to iterate over all running processes.