NAME¶
paxtest — program to test buffer overflow protection
SYNOPSIS¶
paxtest [
kiddie|blackhat] [
logfile]
DESCRIPTION¶
paxtest is a program that attempts to test kernel enforcements over
memory usage. Some attacks benefit from kernels that do not impose
limitations. For example, execution in some memory segments makes buffer
overflows possible. It is used as a regression test suite for PaX, but might
be useful to test other memory protection patches for the kernel.
paxtest runs a set of programs that attempt to subvert memory usage. For
example:
Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Executable stack (mprotect) : Killed
Anonymous mapping randomisation test : 16 bits (guessed)
Heap randomisation test (ET_EXEC) : 13 bits (guessed)
Heap randomisation test (ET_DYN) : 25 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (ET_DYN) : 17 bits (guessed)
Stack randomisation test (SEGMEXEC) : 23 bits (guessed)
Stack randomisation test (PAGEEXEC) : 24 bits (guessed)
Return to function (strcpy) : Vulnerable
Return to function (strcpy, RANDEXEC) : Vulnerable
Return to function (memcpy) : Vulnerable
Return to function (memcpy, RANDEXEC) : Vulnerable
Executable shared library bss : Killed
Executable shared library data : Killed
Writable text segments : Killed
The ``
Executable ...'' tests basically put an instruction in a place
that is supposed to be data (i.e. malloced data, C variable, etc.) and tries
to execute it. The ``
(mprotect)'' tests try to trick the kernel in
marking this piece of memory as executable first. Return to function tests
overwrite the return address on the stack, these are hard to prevent from
inside the kernel. The last test tries to overwrite memory which is marked as
executable.
A normal Linux kernel (unpatched to protect for buffer overflows) will show all
tests as Vulnerable and no stack randomisation or 6 bits (due to stack
colouring). In other words, on a normal Linux kernel you can execute any data
inside a process's memory or overwrite any code at will.
This manual page was written for the
Debian distribution because the
original program does not have a manual page.
OPTIONS¶
This program can take two options: the tests to run, which are indicated using
either kiddie or blackhat and (optionally) a file to which log all the test
results. By default it will log to the user's HOME directory in a paxtest.log
file.
SEE ALSO¶
For more information see
PaX Documentation (link to URL
http://pax.grsecurity.net/docs) .
AUTHOR¶
paxtest was written by Peter Busser.
This manual page was written by Javier Fernandez-Sanguino jfs@debian.org for the
Debian system (but may be used by others) based on the information in
the source code and Peter Busser's comments sent to public mailing lists.
Permission is granted to copy, distribute and/or modify this document under
the terms of the GNU Public License, Version 2 or any later version published
by the Free Software Foundation.