# AD4002: ReportElfOrMachoCompilerData

## Summary
| Property | Value |
|---|---|
| ID | AD4002 |
| Name | ReportElfOrMachoCompilerData |
| Category | Reporting |
| Severity | Note |
| Applies to | ELF (Linux/Unix), Mach-O (macOS) |
## Description
This rule emits CSV-formatted data reporting the security hardening status of ELF (Linux/Unix) and Mach-O (macOS) binaries. The output summarizes which security mitigations are enabled, allowing you to quickly audit binaries, integrate with CI/CD pipelines, or track security posture across a fleet.
This is a reporting rule, not a pass/fail check. It extracts data from binary headers, sections, and symbol tables to give you visibility into:
- Address Space Layout Randomization (ASLR) readiness via PIE status
- GOT/PLT protection via RELRO and BindNow status
- Stack buffer overflow protection via stack canary detection
- Fortified function usage via FORTIFY_SOURCE symbol detection
## Why This Matters
Quick visibility into binary security posture enables efficient security auditing, compliance checking, and vulnerability triage across Linux and macOS deployments.
### Security Audit Efficiency

Traditional audit:

```text
For each binary:
  readelf -l binary | grep ...
  readelf -d binary | grep ...
  objdump -T binary | grep ...
  Manually interpret results
Hours of work
```

With AD4002:

```text
aldur scan --output csv *.so
Immediate security status for all binaries
Minutes of work
```
### Fleet-Wide Visibility
| Security Feature | Status Count |
|---|---|
| PIE enabled | 95% (target: 100%) |
| Full RELRO | 87% (target: 100%) |
| Stack protector | 99% ✓ |
| FORTIFY_SOURCE | 82% (investigate) |
### Compliance Automation

CI/CD pipeline:

1. Build binary
2. Run aldur AD4002
3. Parse CSV output
4. Fail build if PIE=No or RELRO!=Full
5. Automatic security gate
### Vulnerability Triage

When a new exploit technique emerges:

```text
New GOT overwrite exploit disclosed
Query: Which binaries have RELRO < Full?
Result:
  liblegacy.so - Partial RELRO
  oldservice   - No RELRO
Priority patch list generated instantly.
```
### Cross-Platform Consistency
Compare security posture across platforms:
| Binary | Linux x86_64 | macOS ARM64 |
|---|---|---|
| myapp | PIE, Full RELRO | PIE, Hardened |
| libcore | PIE, Partial | PIE, OK |
### Regression Detection

```text
Build 1.0: PIE=Yes, RELRO=Full
Build 1.1: PIE=Yes, RELRO=Partial ← Regression!
```

Something changed in the build configuration. Investigate before release.
Understanding the security posture of a binary at a glance helps with:
- Security Auditing: Quick assessment of hardening status
- Compliance Checking: Verifying expected security features are enabled
- Build Verification: Confirming build system produces expected outputs
- Vulnerability Triage: Understanding attack surface
## Output Format

For ELF binaries, the rule outputs CSV-formatted data with the following columns:

- Binary: the binary file name
- Format: always "ELF" for ELF binaries
- Architecture: x86, x86_64, ARM, or AArch64
- Type: Executable, PIE Executable, or SharedLibrary
- PIE: whether Position Independent Executable is enabled
- RELRO: Full, Partial, or No
- BindNow: whether BIND_NOW is enabled (immediate binding)
- StackProtector: whether stack canary symbols are present
- Fortified: whether FORTIFY_SOURCE symbols are present
### Example Output

```csv
Binary,Format,Architecture,Type,PIE,RELRO,BindNow,StackProtector,Fortified
myapp,ELF,x86_64,PIE Executable,Yes,Full,Yes,Yes,Yes
```
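As an added example (not code from aldur or this rule's documentation), the script below consumes this CSV and implements the three uses described above: the CI gate that fails on PIE=No or RELRO!=Full, the "RELRO < Full" triage query, and the build-to-build regression check. The sample rows and the previous-scan data are constructed for the example.

```python
# Added example, not aldur's own code: parse AD4002 CSV output and apply the
# CI gate, the RELRO triage query and the build-to-build regression check.
import csv

# Constructed sample AD4002 output: column names are from the page, rows are invented.
CURRENT_SCAN = """Binary,Format,Architecture,Type,PIE,RELRO,BindNow,StackProtector,Fortified
myapp,ELF,x86_64,PIE Executable,Yes,Full,Yes,Yes,Yes
liblegacy.so,ELF,x86_64,SharedLibrary,Yes,Partial,No,Yes,No
oldservice,ELF,x86_64,Executable,No,No,No,No,No
"""
# Constructed earlier scan of the same tree, in which liblegacy.so still had Full RELRO.
PREVIOUS_SCAN = CURRENT_SCAN.replace("SharedLibrary,Yes,Partial,No", "SharedLibrary,Yes,Full,Yes")

# Strength ordering: a weaker setting ranks lower than a stronger one.
RANK = {"No": 0, "Partial": 1, "Full": 2, "Yes": 2}
CHECKED = ("PIE", "RELRO", "BindNow", "StackProtector", "Fortified")

def parse_report(text):
    """Map binary name -> row dict for one AD4002 CSV report."""
    return {row["Binary"]: row for row in csv.DictReader(text.splitlines())}

def gate_failures(rows):
    """The page's CI gate: PIE must be Yes and RELRO must be Full. Returns reasons."""
    failures = []
    for name, row in rows.items():
        if row["PIE"] != "Yes":
            failures.append(f"{name}: PIE={row['PIE']}")
        if row["RELRO"] != "Full":
            failures.append(f"{name}: RELRO={row['RELRO']}")
    return failures

def relro_below_full(rows):
    """Triage query: binaries whose RELRO is weaker than Full (GOT still writable)."""
    return sorted(n for n, r in rows.items() if RANK[r["RELRO"]] < RANK["Full"])

def regressions(previous, current):
    """Fields that got weaker since the previous scan, as (binary, field, old, new)."""
    found = []
    for name, new in current.items():
        old = previous.get(name)  # binaries new in this build have nothing to compare
        for field in CHECKED if old else ():
            if RANK[new[field]] < RANK[old[field]]:
                found.append((name, field, old[field], new[field]))
    return found

if __name__ == "__main__":
    cur = parse_report(CURRENT_SCAN)
    print("gate:", gate_failures(cur) or "pass")
    print("RELRO < Full:", relro_below_full(cur))
    print("regressions:", regressions(parse_report(PREVIOUS_SCAN), cur))
```

In a pipeline, replace the constructed strings with the saved output of `aldur scan --output csv` from the current and previous builds and exit non-zero when `gate_failures` or `regressions` is non-empty.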
## Understanding the Reported Data
This rule is informational only—it reports the current security posture of your binaries and does not indicate a problem that requires fixing. Use this data to audit, compare, and track security features across your binaries.
## Resolution
This is a reporting rule that provides visibility into binary security posture. No action is required to resolve this rule—it always passes and emits informational data.
If the reported data shows security features are missing in your binaries, refer to the specific rules for each feature to learn how to enable them:
- PIE disabled: See AD3001: EnablePositionIndependentExecutable
- RELRO not Full: See AD3010: EnableReadOnlyRelocations
- Stack Protector missing: See AD3003: EnableStackProtector
- FORTIFY_SOURCE not used: See AD3030: UseGccCheckedFunctions
## Improving Security Posture
If the reported data shows security features are missing, here's how to enable them:
| Feature | How to Enable | Compiler/Linker Flags |
|---|---|---|
| PIE | Compile and link as position-independent | -fPIE -pie |
| Full RELRO | Mark relocations read-only, bind immediately | -Wl,-z,relro,-z,now |
| Stack Protector | Enable stack canaries | -fstack-protector-strong |
| Fortified Functions | Use checked libc wrappers | -D_FORTIFY_SOURCE=2 -O2 |
## What Each Field Means
| Field | Description | Why It Matters |
|---|---|---|
| PIE | Position Independent Executable—code can load at random addresses | Enables ASLR, making exploitation harder |
| RELRO | Relocation Read-Only—protects the GOT from overwrite attacks | Full RELRO prevents GOT hijacking |
| BindNow | Resolves all symbols at load time, not lazily | Combined with RELRO, fully protects GOT |
| StackProtector | Stack canaries detect buffer overflows | Catches stack smashing before ROP/RCE |
| Fortified | Uses checked versions of libc functions (memcpy, strcpy, etc.) | Prevents buffer overflows in common functions |
Example secure build command:

```sh
gcc -fPIE -pie -fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2 \
    -Wl,-z,relro,-z,now -o myapp myapp.c
```
## Mach-O Binaries (macOS)

For Mach-O binaries, the output format is similar but reports macOS-specific security features:

- Hardened: whether the hardened runtime is enabled
- Signed: whether the binary is code-signed
## See Also
- AD3001: EnablePositionIndependentExecutable - PIE check
- AD3010: EnableReadOnlyRelocations - RELRO check
- AD3003: EnableStackProtector - Stack protection check
- AD3030: UseGccCheckedFunctions - FORTIFY_SOURCE check