README
¶
CRACK - Compiler Hardening Checker
Work in Progress: This project is currently unstable and under active development. APIs, rules, and output formats may change without notice. Do not use in production workloads.
Language Support: This tool currently focuses on C/C++ binaries. Analysis of binaries compiled from other languages (Go, Rust, etc.) may produce false positives as many hardening checks are not applicable to those runtimes.
A tool to analyze ELF binaries for security hardening features.
Based on recommendations from:
- OpenSSF Compiler Options Hardening Guide for C and C++
- Gentoo Hardened Toolchain
- Debian Hardening
- Ubuntu Toolchain Compiler Flags
Usage
# Show help
crack analyze --help
# Analyze a binary with the default (recommended) preset
crack analyze /usr/bin/ls
# List rules in a specific preset
crack analyze --preset=hardened --list-rules
# Analyze with debuginfod to fetch debug symbols for stripped binaries
crack analyze --preset=hardened --debuginfod --debuginfod-urls=https://debuginfod.elfutils.org /usr/bin/ls
Available Rules
Universal Rules
| Rule ID | Description | GCC | Clang (LLVM) |
|---|---|---|---|
asan |
AddressSanitizer | ✓ | ✓ |
aslr |
Address Space Layout Randomization compatibility | ✓ | ✓ |
cfi |
Control Flow Integrity | ✓ | |
fortify-source |
FORTIFY_SOURCE buffer overflow protection | ✓ | ✓ |
full-relro |
Full RELRO (immediate binding) | ✓ | ✓ |
kernel-cfi |
Kernel CFI | ✓ | |
no-dlopen |
Dynamic library loading disabled | ✓ | ✓ |
no-dump |
Core dump disabled | ✓ | ✓ |
no-insecure-rpath |
No insecure RPATH entries | ✓ | ✓ |
no-insecure-runpath |
No insecure RUNPATH entries | ✓ | ✓ |
no-plt |
No PLT (direct GOT access) | ✓ | ✓ |
nx-bit |
Non-executable stack (NX bit) | ✓ | ✓ |
pie |
Position Independent Executable | ✓ | ✓ |
relro |
Read-only relocations (RELRO) | ✓ | ✓ |
safe-stack |
SafeStack | ✓ | |
separate-code |
Separate code and data segments | ✓ | ✓ |
stack-canary |
Stack canary protection | ✓ | ✓ |
stack-limit |
Stack size limit | ✓ | ✓ |
stripped |
Debug symbols stripped | ✓ | ✓ |
ubsan |
UndefinedBehaviorSanitizer | ✓ | ✓ |
wxorx |
Write XOR Execute policy | ✓ | ✓ |
x86/x86-64 Specific Rules
| Rule ID | Description | GCC | Clang (LLVM) |
|---|---|---|---|
intel-cet-ibt |
Intel CET Indirect Branch Tracking | ✓ | ✓ |
intel-cet-shstk |
Intel CET Shadow Stack | ✓ | ✓ |
x86-retpoline |
Retpoline Spectre v2 mitigation | ✓ | ✓ |
ARM64 Specific Rules
| Rule ID | Description | GCC | Clang (LLVM) |
|---|---|---|---|
arm-branch-protection |
ARM branch protection | ✓ | ✓ |
arm-bti |
ARM Branch Target Identification | ✓ | ✓ |
arm-mte |
ARM Memory Tagging Extension | ✓ | |
arm-pac |
ARM Pointer Authentication | ✓ | ✓ |
License
MIT License - see LICENSE for details.
Directories
Click to show internal directories.
Click to hide internal directories.