Re: Patch 4/6 randomize the stack pointer

[John Richard Moser <nigelenki@comcast.net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Arjan van de Ven wrote:
> On Sat, 2005-01-29 at 11:21 -0500, John Richard Moser wrote:
> 
>>-----BEGIN PGP SIGNED MESSAGE-----
>>Hash: SHA1
>>
>>
>>
>>Arjan van de Ven wrote:
>>
>>>>I actually just tried to paxtest a fresh Fedora Core 3, unadultered,
>>>>that I installed, and it FAILED every test.  After a while, spender
>>>>reminded me about PT_GNU_STACK.  It failed everything but the Executable
>>>>Stack test after execstack -c *.  The randomization tests gave
>>>>13(heap-etexec), 16(heap-etdyn), 17(stack), and none for main exec
>>>>(etexec,et_dyn) or shared library randomization.
>>>
>>>
>>>because you ran prelink.
>>>and you did not compile paxtest with -fPIE -pie to make it a PIE
>>>executable.
>>>
> 
> 
> what I get is
> 
> Executable anonymous mapping             : Killed
> Executable bss                           : Killed
> Executable data                          : Vulnerable
> Executable heap                          : Killed
> Executable stack                         : Killed
> Executable anonymous mapping (mprotect)  : Vulnerable
> Executable bss (mprotect)                : Vulnerable
> Executable data (mprotect)               : Vulnerable
> Executable heap (mprotect)               : Vulnerable
> Executable shared library bss (mprotect) : Vulnerable
> Executable shared library data (mprotect): Vulnerable
> Executable stack (mprotect)              : Vulnerable
> Anonymous mapping randomisation test     : No randomisation
> Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
> Heap randomisation test (ET_DYN)         : 13 bits (guessed)
> Main executable randomisation (ET_EXEC)  : 12 bits (guessed)
> Main executable randomisation (ET_DYN)   : 12 bits (guessed)
> Shared library randomisation test        : 12 bits (guessed)
> Stack randomisation test (SEGMEXEC)      : 17 bits (guessed)
> Stack randomisation test (PAGEEXEC)      : 17 bits (guessed)
> Return to function (strcpy)              : paxtest: bad luck, try
> different compiler options.
> Return to function (strcpy, RANDEXEC)    : paxtest: bad luck, try
> different compiler options.
> Return to function (memcpy)              : Vulnerable
> Return to function (memcpy, RANDEXEC)    : Vulnerable
> Executable shared library bss            : Killed
> Executable shared library data           : Killed
> Writable text segments                   : Vulnerable
> 
> 
> I'm not entirely happy yet (it shows a bug in mmap randomisation) but
> it's way better than what you get in your tests (this is the desabotaged
> 0.9.6 version fwiw)
> 

I used 0.9.6 too, it had a slight bug in the randomization test
(getmain.c), which I pointed out in another post.

void foo( int unused )
{
        printf( "%p\n", __builtin_return_address(0) );
        //printf( "0x%08x\n", ((unsigned long*)&unused)[-1] );
}

I'm curious as to what the hell you're doing to get these results.  Exec
Shield came with the sysctl sys/kernel/exec-shield = 1 and
sys/kernel/exec-shield-randomize = 1.  I tried exec-shield = 0, 1, 2,
and 3 and couldn't get anything but the stack to kill on a Barton cored
32 bit athlon xp.

The tests I did were on a Fedora Core 3 i net-installed last night, no
adulteration.  Whatever black magic you're doing, it's not working here.
> 
> 

- --
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFB+8H/hDd4aOud5P8RAlIEAJkBwhIxdrXZ+jNz46oRg1SoSPmOHQCgiWfJ
HxzCBB43i6iLLhli5boKzoM=
=etT7
-----END PGP SIGNATURE-----