
randomisation in the results of paxtest

PostPosted: Tue Jun 16, 2015 11:22 pm
by lynliuyan
Why is the randomisation result in the output of running paxtest given in "quality bits"? Is address space randomization the enhanced randomized bits?

Anonymous mapping randomisation test : 33 quality bits (guessed)
Heap randomisation test (ET_EXEC) : 22 quality bits (guessed)
Heap randomisation test (PIE) : 40 quality bits (guessed)
Main executable randomisation (ET_EXEC) : 33 quality bits (guessed)
Main executable randomisation (PIE) : 33 quality bits (guessed)
Shared library randomisation test : 33 quality bits (guessed)
VDSO randomisation test : 33 quality bits (guessed)
Stack randomisation test (SEGMEXEC) : 40 quality bits (guessed)
Stack randomisation test (PAGEEXEC) : 40 quality bits (guessed)
Arg/env randomisation test (SEGMEXEC) : 44 quality bits (guessed)
Arg/env randomisation test (PAGEEXEC) : 44 quality bits (guessed)
Randomization under memory exhaustion @~0: 33 bits (guessed)
Randomization under memory exhaustion @0 : 33 bits (guessed)

Re: randomisation in the results of paxtest

PostPosted: Wed Jun 17, 2015 5:21 am
by PaX Team
Randomization measurement isn't an exact science. The original algorithm was written with the PaX-style region-based randomization in mind, and even there it can be off by one bit (e.g., the executable randomization bits should really be 32, as you can verify from the PaX code). For other schemes it can overestimate the number of bits even more, so to provide numbers closer to reality, last year spender added a tweak that tries to do a better estimate (see randbody.c and the weak_bits estimate for the gory details) and added 'quality' to the printed output (not saying that it suddenly became an exact science though ;)).

Re: randomisation in the results of paxtest

PostPosted: Thu Jun 18, 2015 10:44 pm
by lynliuyan
I don't understand this code from randbody.c:

for( i = 0; i < COUNT; i++ ) {
    fp = popen( testprog, "r" );        /* run the test program once */
    ......
    ret = fscanf( fp, "%lx", &tmp );    /* read back the hex address it printed */

    results[i] = tmp;                   /* keep every sample */
    and &= tmp;                         /* bits set in every sample so far */
    or |= tmp;                          /* bits set in at least one sample */

    pclose( fp );
}

What is the purpose of this code?

Re: randomisation in the results of paxtest

PostPosted: Fri Jun 19, 2015 5:34 am
by PaX Team
It executes a test program (the various get* ones; you can run them by hand) COUNT times, and each run prints out an address that is read back via fscanf. This address is stored in an array, and we also compute a bitwise min/max value of these measurements via logical and/or (this is the part of the algorithm that assumes the PaX-style ASLR approach).
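The AND/OR reduction described above, as an added example written for this page (it is not paxtest's randbody.c and does not reproduce the weak_bits tweak). Instead of popen()ing the get* helpers it parses a constructed block of helper output and two constructed samplers: a PaX-style one (fixed base plus a random page-aligned offset, where counting the bits that differ between the OR and the AND gives the randomised bit count) and a uniform-over-N-pages one with N not a power of two, which shows the overestimate PaX Team mentions. The constant names, the xorshift generator and the sample values are all assumptions of this example.

```c
/* Added example: the AND/OR step of paxtest's randbody.c as PaX Team
 * describes it above, written fresh for this page (not paxtest's code).
 * Samples are constructed inline instead of popen()ing the get* helpers. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define COUNT 1000

typedef struct {
    uint64_t and_bits;  /* bitwise "min": bits set in every sample */
    uint64_t or_bits;   /* bitwise "max": bits set in at least one sample */
} andor_t;

/* The reduction from the loop in the post: and &= tmp; or |= tmp; */
andor_t andor_reduce(const uint64_t *results, int n) {
    andor_t r = { UINT64_MAX, 0 };
    for (int i = 0; i < n; i++) {
        r.and_bits &= results[i];
        r.or_bits  |= results[i];
    }
    return r;
}

/* Bits that took both values across the run: set in `or` but not in `and`.
 * For PaX-style region randomisation (fixed base + random page-aligned
 * offset) this is the number of randomised bits, give or take the
 * off-by-one PaX Team mentions. */
int varying_bits(andor_t r) {
    return __builtin_popcountll(r.or_bits & ~r.and_bits);
}

/* Stand-in for the fscanf("%lx") step: one hex address per line.
 * Returns the number of samples parsed. */
int parse_samples(const char *text, uint64_t *out, int max) {
    int n = 0;
    const char *p = text;
    while (n < max && *p) {
        char *end;
        uint64_t v = strtoull(p, &end, 16);
        if (end == p) break;               /* not a hex number: stop */
        out[n++] = v;
        p = end;
        while (*p == '\n' || *p == ' ') p++;
    }
    return n;
}

/* Constructed: what four runs of a get* helper might print. */
static const char constructed_output[] =
    "7f3a2b1c5000\n"
    "7f3a8e4d7000\n"
    "7f3a51f32000\n"
    "7f3af0a61000\n";

int estimate_from_text(const char *text) {
    uint64_t results[COUNT];
    int n = parse_samples(text, results, COUNT);
    return varying_bits(andor_reduce(results, n));
}

/* Deterministic xorshift64 so the example runs offline (constructed). */
static uint64_t xs = 0x9E3779B97F4A7C15ULL;
static uint64_t next_rand(void) {
    xs ^= xs << 13; xs ^= xs >> 7; xs ^= xs << 17;
    return xs;
}

/* Constructed sampler A: PaX-style region randomisation, `bits` random bits
 * of page-aligned offset added to a fixed base. AND/OR counts them exactly
 * (base has no low bits set, so the offset never carries into it). */
int estimate_pax_style(uint64_t base, int bits, int count) {
    uint64_t results[COUNT];
    uint64_t mask = (1ULL << bits) - 1;
    if (count > COUNT) count = COUNT;
    for (int i = 0; i < count; i++)
        results[i] = base + ((next_rand() & mask) << 12);
    return varying_bits(andor_reduce(results, count));
}

/* Constructed sampler B: offset uniform over `range` pages, `range` not a
 * power of two. AND/OR reports ceil(log2(range)) bits although the real
 * entropy is log2(range): the overestimate PaX Team refers to. */
int estimate_range_style(uint64_t base, uint64_t range, int count) {
    uint64_t results[COUNT];
    if (count > COUNT) count = COUNT;
    for (int i = 0; i < count; i++)
        results[i] = base + ((next_rand() % range) << 12);
    return varying_bits(andor_reduce(results, count));
}

int main(void) {
    printf("constructed helper output : %d varying bits (only 4 samples)\n",
           estimate_from_text(constructed_output));
    printf("20-bit PaX-style offset   : %d varying bits\n",
           estimate_pax_style(0x100000000ULL, 20, COUNT));
    printf("uniform over 3000 pages   : %d varying bits (true entropy ~11.55)\n",
           estimate_range_style(0x100000000ULL, 3000, COUNT));
    return 0;
}
```

Two things the numbers show: with only four samples the count undershoots (one bit in the fourth nibble never came up set), which is why randbody.c loops COUNT times; and for the uniform-over-3000-pages sampler the AND/OR method reports a full 12 bits even though a brute-force attacker only has to cover 3000 positions, which is the kind of overestimate the 'quality' tweak was added to correct.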