
PAXTEST(1)                  General Commands Manual                 PAXTEST(1)

NAME
       paxtest — program to test buffer overflow protection

SYNOPSIS
       paxtest [kiddie|blackhat]  [logfile]

DESCRIPTION
       paxtest is a program that attempts to test kernel enforcements over
       memory usage. Some attacks benefit from kernels that do not impose
       limitations. For example, allowing execution in some memory segments
       makes it possible to exploit buffer overflows. It is used as a
       regression test suite for PaX, but might be useful to test other
       memory protection patches for the kernel.

       paxtest runs a set of programs that attempt to subvert memory usage.
       For example:

       Executable anonymous mapping             : Killed
       Executable bss                           : Killed
       Executable data                          : Killed
       Executable heap                          : Killed
       Executable stack                         : Killed
       Executable anonymous mapping (mprotect)  : Killed
       Executable bss (mprotect)                : Killed
       Executable data (mprotect)               : Killed
       Executable heap (mprotect)               : Killed
       Executable shared library bss (mprotect) : Killed
       Executable shared library data (mprotect): Killed
       Executable stack (mprotect)              : Killed
       Anonymous mapping randomisation test     : 16 bits (guessed)
       Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
       Heap randomisation test (ET_DYN)         : 25 bits (guessed)
       Main executable randomisation (ET_EXEC)  : No randomisation
       Main executable randomisation (ET_DYN)   : 17 bits (guessed)
       Stack randomisation test (SEGMEXEC)      : 23 bits (guessed)
       Stack randomisation test (PAGEEXEC)      : 24 bits (guessed)
       Return to function (strcpy)              : Vulnerable
       Return to function (strcpy, RANDEXEC)    : Vulnerable
       Return to function (memcpy)              : Vulnerable
       Return to function (memcpy, RANDEXEC)    : Vulnerable
       Executable shared library bss            : Killed
       Executable shared library data           : Killed
       Writable text segments                   : Killed

       The ``Executable ...'' tests basically put an instruction in a place
       that is supposed to be data (i.e. malloced data, C variable, etc.) and
       try to execute it. The ``(mprotect)'' tests try to trick the kernel
       into marking this piece of memory as executable first. The return to
       function tests overwrite the return address on the stack; these are
       hard to prevent from inside the kernel. The last test tries to
       overwrite memory which is marked as executable.
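
       The following is an added example, not code from paxtest or from this
       manual page: a single probe in the style of the ``Executable anonymous
       mapping'' tests described above, with and without the mprotect step.
       The names probe_exec_anon and verdict are hypothetical, and counting a
       refused mprotect() as Killed is an assumption of this example.

```c
/* Added example, not paxtest's own source; function names are hypothetical. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>
enum { PROBE_ERROR = -1, PROBE_KILLED = 0, PROBE_VULNERABLE = 1 };
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char RET_INSN[] = { 0xc3 };                   /* ret */
#elif defined(__aarch64__)
static const unsigned char RET_INSN[] = { 0xc0, 0x03, 0x5f, 0xd6 }; /* ret */
#endif
/* Run one instruction from a data page; use_mprotect asks for R+X first. */
int probe_exec_anon(int use_mprotect)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, len, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return PROBE_ERROR;
    memcpy(page, RET_INSN, sizeof RET_INSN);
    pid_t pid = fork();              /* the child takes the fault, not us */
    if (pid == 0) {
        void (*fn)(void);
        if (use_mprotect && mprotect(page, len, PROT_READ | PROT_EXEC) != 0)
            _exit(1);                /* kernel refused the data -> code change */
        __builtin___clear_cache((char *)page, (char *)page + sizeof RET_INSN);
        memcpy(&fn, &page, sizeof fn);   /* data pointer -> function pointer */
        fn();                        /* faults here if the page is not executable */
        _exit(0);                    /* the instruction ran and returned */
    }
    int status = 0, rc = PROBE_ERROR;
    if (pid > 0 && waitpid(pid, &status, 0) == pid)
        rc = (WIFEXITED(status) && WEXITSTATUS(status) == 0)
                 ? PROBE_VULNERABLE : PROBE_KILLED;
    munmap(page, len);
    return rc;
}

const char *verdict(int rc)
{
    return rc == PROBE_VULNERABLE ? "Vulnerable" : rc == PROBE_KILLED ? "Killed" : "Error";
}

int main(void)
{
    printf("Executable anonymous mapping            : %s\n", verdict(probe_exec_anon(0)));
    printf("Executable anonymous mapping (mprotect) : %s\n", verdict(probe_exec_anon(1)));
    return 0;
}
```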

       A normal Linux kernel (not patched to protect against buffer
       overflows) will show all tests as Vulnerable and either no stack
       randomisation or 6 bits (due to stack colouring). In other words, on
       a normal Linux kernel you can execute any data inside a process's
       memory or overwrite any code at will.

       This manual page was written for the Debian  distribution  because  the
       original program does not have a manual page.

OPTIONS
       This program can take two options: the tests to run, which are
       indicated using either kiddie or blackhat, and (optionally) a file to
       which to log all the test results. By default it will log to a
       paxtest.log file in the user's HOME directory.

SEE ALSO
       For more information see the PaX Documentation
       (http://pax.grsecurity.net/docs).

AUTHOR
       paxtest was written by Peter Busser.

       This manual page was written by Javier Fernandez-Sanguino
       jfs@debian.org for the Debian system (but may be used by others) based
       on the information in the source code and Peter Busser's comments sent
       to public mailing lists. Permission is granted to copy, distribute
       and/or modify this document under the terms of the GNU Public License,
       Version 2 or any later version published by the Free Software
       Foundation.

                                                                    PAXTEST(1)
