slimm609/checksec 3.2.0

on GitHub

[3.2.0]

Added

• SafeStack detection for ELF binaries.
• CFI hardening detection extended to i386 CET and RISC-V Zicfilp/Zicfiss (Zicfilp landing pads, Zicfiss shadow stack), covering RV32 and RV64.
• Sanitizer detection (ASAN, UBSAN, MSAN, TSAN, LSAN) by compiler-rt symbol prefix scan.
• Selfrando detection via the .txtrp section (restores a checksec.bash check lost in the v3 port).
• W^X segment check (SeparateCode): asserts no PT_LOAD segment is both writable and executable, as guaranteed by ld -z separate-code / lld --rosegment.
• Stack-clash protection detection via annobin .gnu.build.attributes notes (authoritative on RHEL/Fedora/CentOS toolchains; reports Unknown otherwise).
• RPATH/RUNPATH inspection that classifies each entry: relative/empty/world-writable as bad, $ORIGIN or nonexistent as warning, safe absolute as info.
• annobin-based FORTIFY/GLIBCXX assertion detection.
• CSV output format restored (dropped in the v3 Go port).
• Restored listfile, procLibs, per-process Seccomp, and the Fortify breakdown.
• --fail-if CI gate: exit non-zero when a required check is not in a good state.
• Parallel directory scanning (RunListChecksParallel) over a bounded worker pool (default GOMAXPROCS).
• --no-warnings and --color flags; warnings now include filename context.

Fixed

• Full RELRO detection now uses presence semantics for DT_BIND_NOW: any entry in the dynamic section is treated as bind-now, regardless of its d_val. Linkers that set a nonzero (spec-unused) value previously caused Full RELRO binaries to be misclassified as Partial or No RELRO.
• CFI .note.gnu.property payload parsing: the GNU note wrapper is now validated and sliced out before walking properties, fixing a false negative where IBT+SHSTK binaries were reported as "NO SHSTK & NO IBT".
• PIE detection now distinguishes PIE executables (DF_1_PIE or PT_INTERP present) from shared libraries (reported as DSO), and reports static-PIE binaries as "Static PIE" rather than "PIE Enabled".
• NX: a missing PT_GNU_STACK now reports "No GNU_STACK" instead of being conflated with an RWX (NX-disabled) stack.
• Canary detection now also matches __stack_chk_guard and __intel_security_cookie, restoring parity with checksec.bash for static/ICC binaries.
• CFI is no longer dropped from XML output.
• ParseProcMaps now propagates scanner errors and raises the token limit to 1 MiB so long mapping paths no longer truncate.
• proc command now validates the PID up front and fails with a clear error on non-numeric input.
• Fortify error returns and CFI note parser desync corrected.
• procAll now skips kernel threads (kthreadd and its children) and non-ELF files instead of crashing on dangling /proc/<pid>/exe symlinks.
• Improved error messages in the proc command.

Changed

• Typed output pipeline: a uniform Result{Value, Status} return type for all binary checks and a single fileFields registry (column order, JSON keys, XML elements, table headers) — adding a check is now one line, and the "field silently dropped from one format" bug class is structurally prevented.
• Check functions (RELRO, RPATH, RUNPATH, SYMBOLS, Fortify) now return errors instead of calling os.Exit(1) directly, making error paths testable and consistent.
• Extracted pure helper functions from CFI, Fortify, and dynamic scan logic to enable property-based testing.
• Property-based tests (via pgregory.net/rapid) for CFI note parsing, dynamic section scanning, and Fortify helpers; fixture-backed unit tests raise pkg/ coverage to 80.6%. CI now enforces an 80% coverage floor.

Performance

• Each target ELF is opened exactly once per RunFileChecks (1 os.Open + 1 elf.NewFile) instead of ~9 reopens; a recursive scan of /usr/bin drops from ~18k to ~2k open syscalls.

Dependencies

• Added pgregory.net/rapid for property-based testing.
• Bumped github.com/u-root/u-root to 0.16.0, github.com/fatih/color to 1.19.0, and github.com/opencontainers/selinux.
• Updated Ubuntu base image from 24.04 to 26.04.