Provided by: paxtest_0.9.15-2_amd64

NAME

       paxtest — program to test buffer overflow protection

SYNOPSIS

       paxtest [kiddie|blackhat]  [logfile]

DESCRIPTION

       paxtest is a program that attempts to test the kernel's enforcement of restrictions on
       memory usage. Some attacks benefit from kernels that do not impose such limitations. For
       example, allowing execution in some memory segments makes it possible to exploit buffer
       overflows. It is used as a regression test suite for PaX, but might be useful to test
       other memory protection patches for the kernel.

       paxtest runs a set of programs that attempt to subvert memory usage. For example:

       Executable anonymous mapping             : Killed
       Executable bss                           : Killed
       Executable data                          : Killed
       Executable heap                          : Killed
       Executable stack                         : Killed
       Executable anonymous mapping (mprotect)  : Killed
       Executable bss (mprotect)                : Killed
       Executable data (mprotect)               : Killed
       Executable heap (mprotect)               : Killed
       Executable shared library bss (mprotect) : Killed
       Executable shared library data (mprotect): Killed
       Executable stack (mprotect)              : Killed
       Anonymous mapping randomisation test     : 16 bits (guessed)
       Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
       Heap randomisation test (ET_DYN)         : 25 bits (guessed)
       Main executable randomisation (ET_EXEC)  : No randomisation
       Main executable randomisation (ET_DYN)   : 17 bits (guessed)
       Stack randomisation test (SEGMEXEC)      : 23 bits (guessed)
       Stack randomisation test (PAGEEXEC)      : 24 bits (guessed)
       Return to function (strcpy)              : Vulnerable
       Return to function (strcpy, RANDEXEC)    : Vulnerable
       Return to function (memcpy)              : Vulnerable
       Return to function (memcpy, RANDEXEC)    : Vulnerable
       Executable shared library bss            : Killed
       Executable shared library data           : Killed
       Writable text segments                   : Killed

       The ``Executable ...'' tests basically put an instruction in a place that is supposed to
       be data (i.e. malloced data, a C variable, etc.) and try to execute it. The
       ``(mprotect)'' tests first try to trick the kernel into marking this piece of memory as
       executable. The return to function tests overwrite the return address on the stack;
       these are hard to prevent from inside the kernel. The last test tries to overwrite memory
       which is marked as executable.

       A normal Linux kernel (not patched to protect against buffer overflows) will show all
       tests as Vulnerable and either no stack randomisation or 6 bits (due to stack colouring).
       In other words, on a normal Linux kernel you can execute any data inside a process's
       memory or overwrite any code at will.
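
       A regression gate over paxtest results, as an added example (not part of paxtest or of
       this manual page). It assumes the log carries result lines in the layout shown above;
       parse_results, classify, regressions, min_bits and accepted are hypothetical names, and
       the sample is constructed:

```python
import re

# Constructed sample, in the "name : result" layout of the example output above.
SAMPLE = """\
Mode: blackhat
Executable heap (mprotect)               : Vulnerable
Executable shared library data (mprotect): Killed
Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Stack randomisation test (SEGMEXEC)      : 6 bits (guessed)
Return to function (strcpy)              : Vulnerable
"""

RESULT_LINE = re.compile(
    r"^\s*(?P<test>.+?)\s*:\s*"
    r"(?P<result>Killed|Vulnerable|No randomisation|(?P<bits>\d+) bits\b.*?)\s*$"
)


def parse_results(text):
    """Return {test name: (result string, entropy bits or None)}; skip other lines."""
    results = {}
    for line in text.splitlines():
        m = RESULT_LINE.match(line)
        if m:
            bits = int(m.group("bits")) if m.group("bits") else None
            results[m.group("test")] = (m.group("result"), bits)
    return results


def classify(result, bits, min_bits):
    """Map one result to 'pass', 'weak' (too little entropy) or 'fail'."""
    if bits is not None:
        return "pass" if bits >= min_bits else "weak"
    return "pass" if result == "Killed" else "fail"


# Assumptions of this example: min_bits=7 is one more than the 6 bits the page
# attributes to stack colouring; the accepted baseline holds the return to
# function tests, which the page calls hard to prevent from inside the kernel.
def regressions(text, min_bits=7, accepted=("Return to function",)):
    """List (test, result, verdict) for non-passing tests outside the baseline."""
    found = []
    for test, (result, bits) in parse_results(text).items():
        verdict = classify(result, bits, min_bits)
        if verdict != "pass" and not test.startswith(accepted):
            found.append((test, result, verdict))
    return found
```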

       This manual page was written for the Debian distribution because the original program does
       not have a manual page.

OPTIONS

       This program can take two options: the tests to run, indicated using either kiddie or
       blackhat, and (optionally) a file to which to log all the test results. By default it
       will log to a paxtest.log file in the user's HOME directory.

SEE ALSO

       For more information see the PaX Documentation (http://pax.grsecurity.net/docs).

AUTHOR

       paxtest was written by Peter Busser.

       This manual page was written by Javier Fernandez-Sanguino <jfs@debian.org> for the Debian
       system (but may be used by others) based on the information in the source code  and  Peter
       Busser's comments sent to public mailing lists.  Permission is granted to copy, distribute
       and/or modify this document under the terms of the GNU Public License, Version  2  or  any
       later version published by the Free Software Foundation.

                                                                                       PAXTEST(1)