Here is the config:
#
# Security options
#
#
# PaX
#
CONFIG_PAX=y
#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
#
# Miscellaneous hardening features
#
CONFIG_PAX_MEMORY_SANITIZE=y
CONFIG_KEYS=y
# CONFIG_KEYS_DEBUG_PROC_KEYS is not set
# CONFIG_SECURITY is not set
I compiled the kernel (2.6.22.9) with the pax-patch (2.6.22.9-test32).
But when I run paxtest it tells me the system is still vulnerable:
xiaohai@xiaohai:~/xiaohai/Grsecurity/PaX Test/paxtest-0.9.7-pre5$ make generic
make -f Makefile.generic
make[1]: Entering directory `/home/xiaohai/xiaohai/Grsecurity/PaX Test/paxtest-0.9.7-pre5'
gcc -O2 -DRUNDIR=\".\" -c -o chpax-0.7/aout.o chpax-0.7/aout.c
gcc -O2 -DRUNDIR=\".\" -c -o chpax-0.7/chpax.o chpax-0.7/chpax.c
gcc -O2 -DRUNDIR=\".\" -c -o chpax-0.7/elf32.o chpax-0.7/elf32.c
gcc -O2 -DRUNDIR=\".\" -c -o chpax-0.7/elf64.o chpax-0.7/elf64.c
gcc -O2 -DRUNDIR=\".\" -c -o chpax-0.7/flags.o chpax-0.7/flags.c
gcc -O2 -DRUNDIR=\".\" -c -o chpax-0.7/io.o chpax-0.7/io.c
gcc -lpthread -o chpax chpax-0.7/aout.o chpax-0.7/chpax.o chpax-0.7/elf32.o chpax-0.7/elf64.o chpax-0.7/flags.o chpax-0.7/io.o
gcc -O2 -DRUNDIR=\".\" -fPIC -DPIC -c shlibtest.c -o shlibtest.o
gcc -shared -o shlibtest.so shlibtest.o
gcc -O2 -DRUNDIR=\".\" -fPIC -DPIC -c shlibtest2.c -o shlibtest2.o
gcc -shared -o shlibtest2.so shlibtest2.o
gcc -O2 -DRUNDIR=\".\" -c -o anonmap.o anonmap.c
gcc -O2 -DRUNDIR=\".\" -c -o body.o body.c
gcc -lpthread anonmap.o body.o -o anonmap
gcc -O2 -DRUNDIR=\".\" -c -o execbss.o execbss.c
gcc -lpthread execbss.o body.o -o execbss
gcc -O2 -DRUNDIR=\".\" -c -o execdata.o execdata.c
gcc -lpthread execdata.o body.o -o execdata
gcc -O2 -DRUNDIR=\".\" -c -o execheap.o execheap.c
gcc -lpthread execheap.o body.o -o execheap
gcc -O2 -DRUNDIR=\".\" -c -o execstack.o execstack.c
gcc -lpthread execstack.o body.o -o execstack
gcc -O2 -DRUNDIR=\".\" -c -o mprotanon.o mprotanon.c
gcc -lpthread mprotanon.o body.o -o mprotanon
gcc -O2 -DRUNDIR=\".\" -c -o mprotbss.o mprotbss.c
gcc -lpthread mprotbss.o body.o -o mprotbss
gcc -O2 -DRUNDIR=\".\" -c -o mprotdata.o mprotdata.c
gcc -lpthread mprotdata.o body.o -o mprotdata
gcc -O2 -DRUNDIR=\".\" -c -o mprotheap.o mprotheap.c
gcc -lpthread mprotheap.o body.o -o mprotheap
gcc -O2 -DRUNDIR=\".\" -c -o mprotshbss.o mprotshbss.c
gcc -lpthread mprotshbss.o body.o shlibtest.so -o mprotshbss
gcc -O2 -DRUNDIR=\".\" -c -o mprotshdata.o mprotshdata.c
gcc -lpthread mprotshdata.o body.o shlibtest.so -o mprotshdata
gcc -O2 -DRUNDIR=\".\" -c -o mprotstack.o mprotstack.c
gcc -lpthread mprotstack.o body.o -o mprotstack
gcc -O2 -DRUNDIR=\".\" -c -o randamap.o randamap.c
gcc -O2 -DRUNDIR=\".\" -c -o randbody.o randbody.c
randbody.c: 在函数 ‘main’ 中:
randbody.c:31: 警告: 隐式声明与内建函数 ‘exit’ 不兼容
randbody.c:56: 警告: 隐式声明与内建函数 ‘exit’ 不兼容
gcc -lpthread randamap.o randbody.o -o randamap
gcc -O2 -DRUNDIR=\".\" -c -o randheap1.o randheap1.c
gcc -lpthread randheap1.o randbody.o -o randheap1
gcc -O2 -DRUNDIR=\".\" -c -o randheap2.o randheap2.c
gcc -lpthread randheap2.o randbody.o -o randheap2
gcc -O2 -DRUNDIR=\".\" -c -o randmain1.o randmain1.c
gcc -lpthread randmain1.o randbody.o -o randmain1
gcc -O2 -DRUNDIR=\".\" -c -o randmain2.o randmain2.c
gcc -lpthread randmain2.o randbody.o -o randmain2
gcc -O2 -DRUNDIR=\".\" -c -o randshlib.o randshlib.c
gcc -lpthread randshlib.o randbody.o -o randshlib
gcc -O2 -DRUNDIR=\".\" -c -o randstack1.o randstack1.c
gcc -lpthread randstack1.o randbody.o -o randstack1
gcc -O2 -DRUNDIR=\".\" -c -o randstack2.o randstack2.c
gcc -lpthread randstack2.o randbody.o -o randstack2
gcc -O2 -DRUNDIR=\".\" -c -o rettofunc1.o rettofunc1.c
rettofunc1.c: 在函数 ‘doit’ 中:
rettofunc1.c:28: 警告: 隐式声明与内建函数 ‘exit’ 不兼容
gcc -lpthread rettofunc1.o body.o -o rettofunc1
gcc -O2 -DRUNDIR=\".\" -c -o rettofunc1x.o rettofunc1x.c
rettofunc1x.c: 在函数 ‘doit’ 中:
rettofunc1x.c:28: 警告: 隐式声明与内建函数 ‘exit’ 不兼容
gcc -lpthread -o rettofunc1x body.o rettofunc1x.o
./chpax -X rettofunc1x
gcc -O2 -DRUNDIR=\".\" -c -o rettofunc2.o rettofunc2.c
gcc -lpthread rettofunc2.o body.o -o rettofunc2
gcc -O2 -DRUNDIR=\".\" -c -o rettofunc2x.o rettofunc2x.c
gcc -lpthread -o rettofunc2x body.o rettofunc2x.o
./chpax -X rettofunc2x
gcc -O2 -DRUNDIR=\".\" -c -o shlibbss.o shlibbss.c
gcc -lpthread shlibbss.o body.o shlibtest.so shlibtest2.so /usr/lib/libdl.so -o shlibbss
gcc -O2 -DRUNDIR=\".\" -c -o shlibdata.o shlibdata.c
gcc -lpthread shlibdata.o body.o shlibtest.so shlibtest2.so /usr/lib/libdl.so -o shlibdata
gcc -O2 -DRUNDIR=\".\" -c -o writetext.o writetext.c
gcc -lpthread writetext.o body.o shlibtest.so -o writetext
gcc -O2 -DRUNDIR=\".\" -c -o getamap.o getamap.c
gcc -lpthread getamap.o -o getamap
gcc -O2 -DRUNDIR=\".\" -fPIC -DPIC -o getheap.o -c getheap.c
gcc -lpthread -o getheap1 getheap.o
gcc -c -o crt1S.o crt1S.S
gcc -O2 -DRUNDIR=\".\" -c -o interp.o interp.c
gcc -shared -o getheap2 crt1S.o interp.o getheap.o
gcc -O2 -DRUNDIR=\".\" -c -o getmain.o getmain.c
gcc -lpthread -o getmain1 getmain.o
./chpax -X getmain1
gcc -O2 -DRUNDIR=\".\" -fPIC -DPIC -o getmain2.o -c getmain.c
gcc -shared -o getmain2 crt1S.o interp.o getmain2.o
gcc -O2 -DRUNDIR=\".\" -c -o getshlib.o getshlib.c
gcc -lpthread getshlib.o /usr/lib/libdl.so -o getshlib
gcc -O2 -DRUNDIR=\".\" -c -o getstack.o getstack.c
getstack.c: 在函数 ‘main’ 中:
getstack.c:15: 警告: 隐式声明与内建函数 ‘exit’ 不兼容
gcc -lpthread -o getstack1 getstack.o
./chpax -S getstack1
rm -f getstack2
cp getstack1 getstack2
chmod +x getstack2
./chpax -P getstack2
sh genpaxtest anonmap execbss execdata execheap execstack mprotanon mprotbss mprotdata mprotheap mprotshbss mprotshdata mprotstack randamap randheap1 randheap2 randmain1 randmain2 randshlib randstack1 randstack2 rettofunc1 rettofunc1x rettofunc2 rettofunc2x shlibbss shlibdata writetext
make[1]: Leaving directory `/home/xiaohai/xiaohai/Grsecurity/PaX Test/paxtest-0.9.7-pre5'
xiaohai@xiaohai:~/xiaohai/Grsecurity/PaX Test/paxtest-0.9.7-pre5$
xiaohai@xiaohai:~/xiaohai/Grsecurity/PaX Test/paxtest-0.9.7-pre5$ ./paxtest blackhat
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later
Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later
Mode: blackhat
Linux xiaohai 2.6.22.9 #2 SMP Sun Oct 28 09:24:33 CST 2007 i686 GNU/Linux
Executable anonymous mapping : Vulnerable
Executable bss : Vulnerable
Executable data : Vulnerable
Executable heap : Vulnerable
Executable stack : Vulnerable
Executable anonymous mapping (mprotect) : Vulnerable
Executable bss (mprotect) : Vulnerable
Executable data (mprotect) : Vulnerable
Executable heap (mprotect) : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Executable stack (mprotect) : Vulnerable
Anonymous mapping randomisation test : 18 bits (guessed)
Heap randomisation test (ET_EXEC) : 13 bits (guessed)
Heap randomisation test (ET_DYN) : 24 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (ET_DYN) : 16 bits (guessed)
Shared library randomisation test : 18 bits (guessed)
Stack randomisation test (SEGMEXEC) : 24 bits (guessed)
Stack randomisation test (PAGEEXEC) : 24 bits (guessed)
Return to function (strcpy) : Vulnerable
Return to function (strcpy, RANDEXEC) : Vulnerable
Return to function (memcpy) : Vulnerable
Return to function (memcpy, RANDEXEC) : Vulnerable
Executable shared library bss : Vulnerable
Executable shared library data : Vulnerable
Writable text segments : Vulnerable
xiaohai@xiaohai:~/xiaohai/Grsecurity/PaX Test/paxtest-0.9.7-pre5$
So would you please tell me why, and how to use PaX? Do I need some other patch, and what is the right command?
Thank you for your help!