Posted: Sun Feb 22, 2004 1:16 amPosted: Sun Feb 22, 2004 1:46 am---------------------------------------------------------------------------------
PaXtest - Copyright(c) 2003 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later
Executable anonymous mapping : Vulnerable
Executable bss : Vulnerable
Executable data : Vulnerable
Executable heap : Vulnerable
Executable stack : Vulnerable
Executable anonymous mapping (mprotect) : Vulnerable
Executable bss (mprotect) : Vulnerable
Executable data (mprotect) : Vulnerable
Executable heap (mprotect) : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Executable stack (mprotect) : Vulnerable
Anonymous mapping randomisation test : No randomisation
Heap randomisation test (ET_EXEC) : No randomisation
Heap randomisation test (ET_DYN) : No randomisation
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (ET_DYN) : No randomisation
Shared library randomisation test : No randomisation
Stack randomisation test (SEGMEXEC) : 9 bits (guessed)
Stack randomisation test (PAGEEXEC) : 9 bits (guessed)
Return to function (strcpy) : Vulnerable
Return to function (strcpy, RANDEXEC) : Vulnerable
Return to function (memcpy) : Vulnerable
Return to function (memcpy, RANDEXEC) : Vulnerable
Executable shared library bss : Vulnerable
Executable shared library data : Vulnerable
Writable text segments : Vulnerable
---------------------------------------------------------------------------------
Posted: Sun Feb 22, 2004 4:10 amPosted: Sun Feb 22, 2004 2:14 pmyou can have your old way back, just enable the proper options, in your case that would probably be CONFIG_PAX_EI_PAX. as for who needs softmode: anyone who wants everything to work by default (including 3rd party binary only apps) but still wants a few important/sensitive apps to run with full protection. think of the average desktop user who doesn't want to get owned nor delve into the fine details of computer security.mikeeusa wrote:Can we have the old way back. This new stuff is a failure.
Posted: Sun Feb 22, 2004 3:36 pmPaX Team wrote:guys, did you bother reading the announcement at http://www.grsecurity.net/news.php at all? it quite clearly explains what to watch out for. alternatively there's the configure help which explains what the new PaX control system is, choose as it is appropriate for your system (most likely you want CONFIG_PAX_EI_PAX as a minimum).
Posted: Sun Feb 22, 2004 6:08 pmto understand the above results consider that paxtest is a regression test suite, that is, it tests what doesn't work, not what does. in our case 'what' refers to 'exploit techniques', so paxtest tries to simulate a few of them and shows you how many work under a given system. the four attacks above test so called return-to-libc attacks, that happens when an exploit writer tries to execute already existing code in the attacked program (vs. introducing his own payload). it is a known weakness of PaX (or more generally, kernel based approaches) that return-to-libc attacks are quite possible provided the attacker can learn the randomization in the attacked process - this is exactly the situation that the above tests run under. the two successful tests show that the technology behind RANDEXEC can detect such attacks, but it also has other drawbacks, so it's generally not useful - it's a proof of concept. for more information feel free to check out the main PaX document that explains all possible attack categories: http://pax.grsecurity.net/docs/pax.txt. also, if you're concerned about these kinds of attacks, consider using ssp (propolice) which is available in distributions such as Adamantix or Hardened Gentoo (URLs are on the PaX site).jappyfr wrote:Thanks, it's work, but can someone explain why i obtain
vulnerable results in return to function test (stcpy, memcpy).
Return to function (strcpy) : Vulnerable
Return to function (strcpy, RANDEXEC) : Killed
Return to function (memcpy) : Vulnerable
Return to function (memcpy, RANDEXEC) : Killed
Posted: Mon Feb 23, 2004 2:41 amTo retain the same functionality as before, enable the "legacy ELF header marking" and "ELF program header marking"
Posted: Mon Feb 23, 2004 6:44 amthe override is about the markings, not the kernel support per se. the two are independent things, you can have a userland and kernel having/supporting any combination of the markings, at most not everything will result in the secure system you hoped to get - as usual, careful reading the help should answer the question:personman wrote:To retain the same functionality as before, enable the "legacy ELF header marking" and "ELF program header marking"
However, I did not realize this applied to me since (1) I'm not upgrading from a previous version and thus not concerned about retaining same functionality as before, and (2), the Configure.help text says that if you enable both, PAX_FLAGS overrides EI_PAX.
You should enable this option only if your toolchain does not yet
support the new control flag location (PT_PAX_FLAGS) or you still
have applications not marked by PT_PAX_FLAGS.
Posted: Mon Feb 23, 2004 7:58 am