Action items of executable

hello!

I am trying to understand what action items I can take with the information on the executables.
What things should I review?

thanks!

```json
{
  "id": "64534312d0c8ebaf",
  "location": {
    "path": "/lib/x86_64-linux-gnu/libmount.so.1.1.0",
    "layerID": "sha256:dd7b8d3c2585e6b6bc96ef95f20c0d5008852009c87faac0be5a6b6f6971aee1"
  },
  "metadata": {
    "mode": 644,
    "type": "RegularFile",
    "userID": 0,
    "groupID": 0,
    "mimeType": "application/x-sharedlib",
    "size": 163840
  },
  "digests": [
    {
      "algorithm": "sha1",
      "value": "467c6c45ad39dfb426b9c9a1f7550b9ffa6ba5c8"
    },
    {
      "algorithm": "sha256",
      "value": "8b190be4c6fd4a39268759bb60fc588e7b1cdaa6b96b2f6215e3063fbb34f7e9"
    }
  ],
  "executable": {
    "format": "elf",
    "hasExports": true,
    "hasEntrypoint": true,
    "importedLibraries": [
      "libblkid.so.1",
      "libselinux.so.1",
      "libsepol.so.1",
      "libc.so.6"
    ],
    "elfSecurityFeatures": {
      "symbolTableStripped": true,
      "stackCanary": true,
      "nx": true,
      "relRO": "partial",
      "pie": false,
      "dso": true,
      "safeStack": false
    }
  }
}
```

any thoughts? how can I use this information?

Hi @TimBrown1611! Thanks for the question. I’m not sure I understand it very well. These are facts about the file that Syft was able to learn, that we believe might be relevant for security teams or other consumers of SBOMs.

Let’s look at some examples from the output above and talk about what they mean. Whether you are interested in taking some action based on them isn’t a question I can really answer for you, since it depends on too much context outside the SBOM. (Does this system handle sensitive data? Is this system multi-tenant? Is this in a highly regulated industry? I can’t answer these questions about your situation :) ).

Maybe someone is concerned that a file has been tampered with. Having a digest is a quick way to check that the file is byte-for-byte identical with a trusted source of the file.

"mode": 644 means that the file is not marked as executable, but can be read by anyone with access to the system. Some files, such as keys, should probably not have 644 and should instead be readable only by the owner. This is a shared library that’s part of Linux, so I wouldn’t mind if anyone on the system can read it; the contents are probably not sensitive at all.

This section talks about whether the compiler tooling that built this ELF included certain security features. For example, "symbolTableStripped": true means that some names have been stripped from the binary, making it harder to decompile or reverse engineer. I don’t know whether that’s important to you, but I can see it being important to someone. Maybe a company is distributing proprietary code, and they don’t want to make it easy for someone buying a copy to decompile it, and so they require this to be true on all ELFs in the image.

"stackCanary": true means that the binary has some built in defenses against certain exploit techniques, making it harder to turn memory safety bugs like buffer overruns into real exploits. Some users might wish to enforce a rule that all binaries, or all binaries that take network traffic, or something, have this set.

Does that give you some idea as to what this information is for?

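The three uses sketched in the answer above (checking a digest against the file on disk, flagging sensitive files that are readable by everyone, and enforcing a hardening baseline on ELF binaries) can be turned into an automated policy pass over the SBOM. The script below is an added example and is not Syft's own code or anything from this thread. It assumes the fragment in the question is one entry of the top-level `files` array of `syft -o json` output, that `mode` holds the octal permission digits printed as a decimal integer (so `644` means `0o644`), and that a shared object (`dso: true`) is exempt from the PIE requirement. The two key-file entries, the glob list, and the baseline (canary, NX, full RELRO, PIE for executables) are constructed policy choices, not Syft defaults.

```python
"""Turn the per-file facts in a Syft JSON SBOM into pass/fail findings.

Added example, not Syft's own code. Assumes the question's fragment is one entry of
the top-level "files" array, that "mode" is octal digits printed as a decimal int
(644 -> 0o644), and that the hardening baseline below is the reader's own policy.
"""
import fnmatch
import hashlib
import json
import os
import tempfile

# Constructed sample: the libmount entry from the question plus two made-up
# entries that exercise the permission rule. The key paths are hypothetical.
SAMPLE_SBOM = {
    "files": [
        {
            "location": {"path": "/lib/x86_64-linux-gnu/libmount.so.1.1.0"},
            "metadata": {"mode": 644, "type": "RegularFile"},
            "digests": [{"algorithm": "sha256",
                         "value": "8b190be4c6fd4a39268759bb60fc588e7b1cdaa6b96b2f6215e3063fbb34f7e9"}],
            "executable": {
                "format": "elf",
                "elfSecurityFeatures": {
                    "symbolTableStripped": True, "stackCanary": True, "nx": True,
                    "relRO": "partial", "pie": False, "dso": True, "safeStack": False,
                },
            },
        },
        {   # hypothetical private key left world-readable: should be flagged
            "location": {"path": "/etc/ssl/private/server.key"},
            "metadata": {"mode": 644, "type": "RegularFile"},
            "digests": [],
        },
        {   # hypothetical key with owner-only permissions: should pass
            "location": {"path": "/root/.ssh/id_ed25519"},
            "metadata": {"mode": 600, "type": "RegularFile"},
            "digests": [],
        },
    ]
}

# Assumed policy: which paths count as secrets that must not be group/world readable.
SENSITIVE_GLOBS = ("*.key", "*.pem", "/etc/shadow", "/root/.ssh/*")


def syft_mode_to_octal(mode):
    """644 in the JSON means 0o644; read the decimal digits back as octal."""
    return int(str(mode), 8)


def permission_findings(sbom, sensitive_globs=SENSITIVE_GLOBS):
    """Paths of sensitive files whose group or other bits grant any access."""
    hits = []
    for entry in sbom["files"]:
        path = entry["location"]["path"]
        if not any(fnmatch.fnmatch(path, g) for g in sensitive_globs):
            continue
        if syft_mode_to_octal(entry["metadata"]["mode"]) & 0o077:
            hits.append(path)
    return hits


def elf_findings(entry):
    """Names of hardening features that fall short of the assumed baseline."""
    feats = entry.get("executable", {}).get("elfSecurityFeatures")
    if feats is None:
        return []  # not an ELF, nothing to enforce
    failed = [flag for flag in ("stackCanary", "nx") if not feats.get(flag)]
    if feats.get("relRO") != "full":
        failed.append("relRO")
    # A shared object is already position independent (dso: true), so the PIE
    # requirement is only applied to executables.
    if not feats.get("pie") and not feats.get("dso"):
        failed.append("pie")
    return failed


def hardening_findings(sbom):
    """Map of path -> failed features, for every ELF with at least one failure."""
    return {e["location"]["path"]: f for e in sbom["files"] if (f := elf_findings(e))}


def digest_status(entry, root):
    """'ok' if the file under root matches the recorded sha256, else 'mismatch'/'missing'."""
    recorded = next((d["value"] for d in entry["digests"] if d["algorithm"] == "sha256"), None)
    if recorded is None:
        return "no-digest"
    fs_path = os.path.join(root, entry["location"]["path"].lstrip("/"))
    try:
        with open(fs_path, "rb") as fh:
            actual = hashlib.sha256(fh.read()).hexdigest()
    except FileNotFoundError:
        return "missing"
    return "ok" if actual == recorded else "mismatch"


def tamper_demo():
    """Write a fixture, record its digest, append one byte, and report both checks."""
    with tempfile.TemporaryDirectory() as root:
        rel = "opt/app/bin/tool"  # hypothetical binary inside an unpacked image
        os.makedirs(os.path.join(root, "opt/app/bin"))
        fs_path = os.path.join(root, rel)
        original = b"\x7fELF original bytes"
        with open(fs_path, "wb") as fh:
            fh.write(original)
        entry = {"location": {"path": "/" + rel},
                 "digests": [{"algorithm": "sha256",
                              "value": hashlib.sha256(original).hexdigest()}]}
        before = digest_status(entry, root)
        with open(fs_path, "ab") as fh:
            fh.write(b"\x90")  # any single changed byte flips the digest
        return before, digest_status(entry, root)


if __name__ == "__main__":
    print(json.dumps({"hardening": hardening_findings(SAMPLE_SBOM),
                      "permissions": permission_findings(SAMPLE_SBOM),
                      "tamper": tamper_demo()}, indent=2))
```

Running it reports `libmount.so.1.1.0` only for partial RELRO (its `pie: false` is expected for a shared object), flags the world-readable `server.key`, and shows the digest check going from `ok` to `mismatch` after a one-byte change. To use it against a real image, load the `syft -o json` output instead of `SAMPLE_SBOM` and point `digest_status` at the unpacked root filesystem.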

hi! @willmurphy

thanks for the answer!