LinuxCommandLibrary

checksec

Check security-related properties of executables

TLDR

List security properties of an executable binary file

$ checksec --file=[path/to/binary]

List security properties recursively of all executable files in a directory

$ checksec --dir=[path/to/directory]

List security properties of a process

$ checksec --proc=[pid]

List security properties of the running kernel

$ checksec --kernel

SYNOPSIS

checksec [OPTIONS] [FILE | PID]
checksec --file <file>
checksec --kernel
checksec --proc <pid>
checksec --dir <directory>
checksec --output <format>

PARAMETERS

--file <file>
    Analyzes a specified ELF executable or shared library file.

--kernel
    Checks the security features and mitigations applied to the Linux kernel.

--proc <pid>
    Inspects the security properties of a currently running process by its PID.

--dir <directory>
    Scans all executable files found within the specified directory.

--output <format>
    Specifies the output format, such as text (default), json, or csv.

--force
    Forces checksec to perform checks even if the file isn't recognized as a valid ELF.

--no-color
    Disables colored output, useful for scripting or terminals with limited color support.

--verbose
    Provides more detailed information during the analysis.

--help
    Displays the command's help message and available options.

--version
    Shows the checksec script version information.

DESCRIPTION

checksec is a script that audits the security features enabled in compiled Linux executables (ELF files), the kernel, or running processes. Its primary purpose is to let security researchers, exploit developers, and system administrators quickly assess the exploitability posture of a binary by checking for common mitigations: RELRO, stack canaries (SSP), NX (No eXecute), PIE (Position Independent Executable), and Fortify Source. By parsing ELF headers, program headers, and symbol tables, checksec produces a short summary of whether each of these exploit mitigation techniques is active, which helps in judging how well a binary is protected against exploitation techniques such as buffer overflows, ROP (Return-Oriented Programming), and code injection. It is an essential tool for penetration testing, vulnerability research, and secure software development auditing.

CAVEATS

checksec primarily checks for static security features compiled into an executable or applied to the kernel. It does not provide real-time runtime analysis of a binary's behavior or vulnerabilities. Its findings are dependent on accurate ELF parsing and might be incomplete or misleading for heavily obfuscated, packed, or malformed binaries. Furthermore, the presence of these mitigations does not guarantee absolute invulnerability; skilled attackers can sometimes bypass them.

KEY SECURITY FEATURES CHECKED

checksec evaluates the presence of several critical exploit mitigation techniques:
RELRO (Relocation Read-Only): Ensures that the Global Offset Table (GOT) or Procedure Linkage Table (PLT) cannot be overwritten after dynamic linking.
Canary (Stack Canary / SSP): A stack-based buffer overflow protection where a random value is placed on the stack before a return address. If this value changes, it indicates a buffer overflow.
NX (No eXecute): Marks memory regions (like the stack and heap) as non-executable, preventing code execution from data segments.
PIE (Position Independent Executable): Compiles the executable to be loaded at a random base address in memory, making ROP chain construction harder due to ASLR.
Fortify Source: A GCC compile-time option that provides checks for common buffer overflows in functions like strcpy, memcpy, sprintf, etc., by replacing them with safer versions or adding runtime checks.
RPATH/RUNPATH: Specifies a hardcoded library search path within the binary. While not a mitigation, it can be a security risk if pointing to untrusted locations.
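The header and program-header parsing that DESCRIPTION and the list above describe, as an added Python example that is not checksec's own code: it decides the NX, RELRO and PIE columns from the ELF64 header and program headers (the ELF constants used are the standard ones), builds two header-only images as constructed sample input, and deliberately stops short of the symbol-table checks (Canary, Fortify) and the DT_BIND_NOW check that separates Partial from Full RELRO.

```python
import struct

ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 0x1
EHDR = "<16sHHIQQQIHHHHHH"   # ELF64 header, little-endian (64 bytes)
PHDR = "<IIQQQQQQ"           # ELF64 program header (56 bytes)


def parse_elf64(data: bytes) -> dict:
    """Return {'nx': bool, 'relro': str, 'pie': bool} for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = struct.unpack_from(EHDR, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    phdrs = [struct.unpack_from(PHDR, data, e_phoff + i * e_phentsize)
             for i in range(e_phnum)]
    # NX: a GNU_STACK segment is present and does not request an executable stack.
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    nx = bool(stack) and not (stack[0][1] & PF_X)
    # RELRO: a GNU_RELRO segment tells the loader to make the GOT read-only after
    # relocation. Without reading the dynamic section (DT_BIND_NOW) only "Partial"
    # can be claimed here; checksec itself reports "Full" when DT_BIND_NOW is set.
    relro = "Partial" if any(p[0] == PT_GNU_RELRO for p in phdrs) else "No"
    # PIE: an executable linked as ET_DYN is loaded at a randomised base under ASLR.
    pie = e_type == ET_DYN
    return {"nx": nx, "relro": relro, "pie": pie}


def build_sample(e_type: int, stack_flags: int, with_relro: bool) -> bytes:
    """Construct a header-only ELF64 image (constructed test input, not a real binary)."""
    segs = [(PT_GNU_STACK, stack_flags)]
    if with_relro:
        segs.append((PT_GNU_RELRO, 0x4))          # PF_R
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # class64, LE, version 1, SysV ABI
    ehdr = struct.pack(EHDR, ident, e_type, 0x3E, 1, 0, 64, 0, 0,
                       64, 56, len(segs), 64, 0, 0)       # EM_X86_64, phdrs right after ehdr
    phdrs = b"".join(struct.pack(PHDR, t, f, 0, 0, 0, 0, 0, 0x10) for t, f in segs)
    return ehdr + phdrs


if __name__ == "__main__":
    # Constructed inputs: a hardened PIE with NX and RELRO, and a weak RWX-stack executable.
    print("hardened:", parse_elf64(build_sample(ET_DYN, 0x6, True)))
    print("weak:    ", parse_elf64(build_sample(ET_EXEC, 0x7, False)))
```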

HISTORY

The checksec script originated from the PaX Team, primarily developed by spender, as part of the broader PaX and GRsecurity efforts aimed at improving Linux security. It emerged as a practical utility to quickly verify the effectiveness of various exploit mitigation technologies (like NX, PIE, ASLR) that these projects pioneered or championed. Over time, it gained widespread adoption within the security community, particularly among exploit developers and penetration testers, becoming a de facto standard tool for auditing binary security properties. It has been integrated into or inspires features within various security toolkits, including pwntools. Its development continues to adapt to new compiler features and evolving exploit mitigation techniques.

SEE ALSO

readelf(1), objdump(1), ldd(1), file(1), elf(5)
