PAXTEST(1)                General Commands Manual                PAXTEST(1)

NAME
     paxtest — program to test buffer overflow protection

SYNOPSIS
     paxtest [kiddie|blackhat] [logfile]

DESCRIPTION
     paxtest is a program that attempts to test kernel enforcements over
     memory usage. Some attacks benefit from kernels that do not impose
     limitations. For example, execution in some memory segments makes
     buffer overflows possible. It is used as a regression test suite for
     PaX, but might be useful to test other memory protection patches for
     the kernel.

     paxtest runs a set of programs that attempt to subvert memory usage.
     For example:

       Executable anonymous mapping             : Killed
       Executable bss                           : Killed
       Executable data                          : Killed
       Executable heap                          : Killed
       Executable stack                         : Killed
       Executable anonymous mapping (mprotect)  : Killed
       Executable bss (mprotect)                : Killed
       Executable data (mprotect)               : Killed
       Executable heap (mprotect)               : Killed
       Executable shared library bss (mprotect) : Killed
       Executable shared library data (mprotect): Killed
       Executable stack (mprotect)              : Killed
       Anonymous mapping randomisation test     : 16 bits (guessed)
       Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
       Heap randomisation test (ET_DYN)         : 25 bits (guessed)
       Main executable randomisation (ET_EXEC)  : No randomisation
       Main executable randomisation (ET_DYN)   : 17 bits (guessed)
       Stack randomisation test (SEGMEXEC)      : 23 bits (guessed)
       Stack randomisation test (PAGEEXEC)      : 24 bits (guessed)
       Return to function (strcpy)              : Vulnerable
       Return to function (strcpy, RANDEXEC)    : Vulnerable
       Return to function (memcpy)              : Vulnerable
       Return to function (memcpy, RANDEXEC)    : Vulnerable
       Executable shared library bss            : Killed
       Executable shared library data           : Killed
       Writable text segments                   : Killed

     The ``Executable ...'' tests basically put an instruction in a place
     that is supposed to be data (i.e. malloced data, C variable, etc.)
     and try to execute it. The ``(mprotect)'' tests try to trick the
     kernel into marking this piece of memory as executable first. The
     Return to function tests overwrite the return address on the stack;
     these are hard to prevent from inside the kernel. The last test tries
     to overwrite memory which is marked as executable.

     A normal Linux kernel (unpatched to protect against buffer overflows)
     will show all tests as Vulnerable and no stack randomisation or 6
     bits (due to stack colouring). In other words, on a normal Linux
     kernel you can execute any data inside a process's memory or
     overwrite any code at will.

     This manual page was written for the Debian distribution because the
     original program does not have a manual page.

OPTIONS
     This program can take two options: the tests to run, which are
     indicated using either kiddie or blackhat, and (optionally) a file to
     which to log all the test results. By default it will log to the
     user's HOME directory in a paxtest.log file.

SEE ALSO
     For more information see PaX Documentation
     (http://pax.grsecurity.net/docs).

AUTHOR
     paxtest was written by Peter Busser.

     This manual page was written by Javier Fernandez-Sanguino
     jfs@debian.org for the Debian system (but may be used by others)
     based on the information in the source code and Peter Busser's
     comments sent to public mailing lists.

     Permission is granted to copy, distribute and/or modify this document
     under the terms of the GNU Public License, Version 2 or any later
     version published by the Free Software Foundation.

                                                                 PAXTEST(1)
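The result lines shown in DESCRIPTION can be checked mechanically after a run, for example over the contents of paxtest.log. The following is an added example, not part of paxtest or of the original manual page; the function name audit, the min_bits threshold and the sample text are assumptions made for illustration.

```python
import re

# Constructed sample in the "name : result" layout shown in DESCRIPTION.
# The first line stands in for any non-result line a log may contain.
SAMPLE = """\
constructed header: not a result
Executable stack                         : Killed
Executable shared library data (mprotect): Killed
Main executable randomisation (ET_EXEC)  : No randomisation
Stack randomisation test (SEGMEXEC)      : 6 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 24 bits (guessed)
Return to function (strcpy)              : Vulnerable
"""

# Test names contain parentheses and commas but no colon, so the first
# colon separates the name from the result.
LINE = re.compile(r"^(?P<name>.+?)\s*:\s*(?P<result>.+?)\s*$")
BITS = re.compile(r"^(\d+) bits\b")


def audit(text, min_bits=7):
    """Return (weak, bits): tests that failed, and measured entropy.

    min_bits is an assumed policy threshold: the manual page attributes
    a 6-bit stack result to stack colouring on an unpatched kernel, so
    anything below 7 bits is reported as weak here.
    """
    weak, bits = [], {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        name, result = m.group("name"), m.group("result")
        entropy = BITS.match(result)
        if result in ("Vulnerable", "No randomisation"):
            weak.append(name)
        elif entropy:
            bits[name] = int(entropy.group(1))
            if bits[name] < min_bits:
                weak.append(name)
        # "Killed" is the protected outcome; unrecognised results
        # (such as header lines) are ignored.
    return weak, bits


if __name__ == "__main__":
    weak, bits = audit(SAMPLE)
    for name in weak:
        print("WEAK:", name)
    for name, n in bits.items():
        print(f"{n:2d} bits: {name}")
```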