NAME

       paxtest — program to test buffer overflow protection

SYNOPSIS

       paxtest [logfile]

DESCRIPTION

       paxtest is a program that tests how well the kernel enforces
       restrictions on memory usage. Some attacks benefit from kernels that
       do not impose such limitations. For example, being able to execute
       code in some memory segments makes buffer overflow attacks possible.
       paxtest is used as a regression test suite for PaX, but might be
       useful to test other memory protection patches for the kernel.

       paxtest runs a set of programs that attempt to  subvert  memory  usage.
       For example:

       Executable anonymous mapping             : Killed
       Executable bss                           : Killed
       Executable data                          : Killed
       Executable heap                          : Killed
       Executable stack                         : Killed
       Executable anonymous mapping (mprotect)  : Killed
       Executable bss (mprotect)                : Killed
       Executable data (mprotect)               : Killed
       Executable heap (mprotect)               : Killed
       Executable shared library bss (mprotect) : Killed
       Executable shared library data (mprotect): Killed
       Executable stack (mprotect)              : Killed
       Anonymous mapping randomisation test     : 16 bits (guessed)
       Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
       Heap randomisation test (ET_DYN)         : 25 bits (guessed)
       Main executable randomisation (ET_EXEC)  : No randomisation
       Main executable randomisation (ET_DYN)   : 17 bits (guessed)
       Stack randomisation test (SEGMEXEC)      : 23 bits (guessed)
       Stack randomisation test (PAGEEXEC)      : 24 bits (guessed)
       Return to function (strcpy)              : Vulnerable
       Return to function (strcpy, RANDEXEC)    : Vulnerable
       Return to function (memcpy)              : Vulnerable
       Return to function (memcpy, RANDEXEC)    : Vulnerable
       Executable shared library bss            : Killed
       Executable shared library data           : Killed
       Writable text segments                   : Killed

       The "Executable ..." tests put an instruction in a place that is
       supposed to hold data (e.g. malloced data, a C variable, etc.) and
       try to execute it. The "(mprotect)" tests first try to trick the
       kernel into marking this piece of memory as executable. The return
       to function tests overwrite the return address on the stack; these
       are hard to prevent from inside the kernel. The last test tries to
       overwrite memory which is marked as executable.

       A normal Linux kernel (one without patches that protect against
       buffer overflows) will show all tests as Vulnerable, and the stack
       randomisation tests will show either no randomisation or 6 bits (due
       to stack colouring). In other words, on a normal Linux kernel you can
       execute any data inside a process’s memory or overwrite any code at
       will.
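
       A regression check over the output format shown above, as an added
       example (not part of paxtest or of the original manual page): it
       compares two logs and reports tests that went from Killed to
       Vulnerable or lost randomisation bits. The function names and both
       sample logs are constructed for illustration.

```python
import re

# Constructed logs in the format shown in DESCRIPTION (not from a real run).
BASELINE = """\
Executable shared library data (mprotect): Killed
Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Return to function (strcpy)              : Vulnerable
"""
CURRENT = """\
Executable shared library data (mprotect): Vulnerable
Heap randomisation test (ET_EXEC)        : 6 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Return to function (strcpy)              : Vulnerable
"""

LINE_RE = re.compile(r"^\s*([^:]+?)\s*:\s*(.+?)\s*$")  # "test name : result"
BITS_RE = re.compile(r"^(\d+) bits?\b")                # "13 bits (guessed)"

def parse_log(text):
    """Map test name -> 'Killed', 'Vulnerable', or randomisation bits (int)."""
    results = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank line or text that is not a result line
        name, raw = m.groups()
        bits = BITS_RE.match(raw)
        if bits:
            results[name] = int(bits.group(1))
        elif raw == "No randomisation":
            results[name] = 0
        elif raw in ("Killed", "Vulnerable"):
            results[name] = raw
    return results

def regressions(baseline, current):
    """Sorted messages for tests that got weaker or vanished since baseline."""
    old, new = parse_log(baseline), parse_log(current)
    found = []
    for name, was in old.items():
        now = new.get(name)
        if now is None:
            found.append(f"{name}: missing from current log")
        elif isinstance(was, int) and isinstance(now, int) and now < was:
            found.append(f"{name}: {was} -> {now} bits")
        elif was == "Killed" and now == "Vulnerable":
            found.append(f"{name}: Killed -> Vulnerable")
    return sorted(found)
```

       Tests that were already Vulnerable in the baseline, such as the
       return to function tests, are not reported again.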

       This  manual  page  was written for the Debian distribution because the
       original program does not have a manual page.

OPTIONS

       This program takes only a single option: a file to which all the
       test results are logged (by default it will log to stdin/stdout).

SEE ALSO

       For more information see the PaX Documentation
       (http://pax.grsecurity.net/docs).

AUTHOR

       paxtest was written by Peter Busser.

       This manual page was written by Javier Fernandez-Sanguino
       <jfs@computer.org> for the Debian system (but may be used by others)
       based on the information in the source code and Peter Busser’s comments
       sent   to  public  mailing  lists.   Permission  is  granted  to  copy,
       distribute and/or modify this document  under  the  terms  of  the  GNU
       Public  License,  Version  2 or any later version published by the Free
       Software Foundation.