Re: Exec-Shield vs. PaX

To: pageexec@freemail.hu
Cc: mingo@elte.hu, debian-devel@lists.debian.org, spender@grsecurity.net
Subject: Re: Exec-Shield vs. PaX
From: Peter Busser <peter@adamantix.org>
Date: Wed, 5 Nov 2003 20:23:56 +0100
Message-id: <[🔎] 20031105192356.GA24483@adamantix.org>
In-reply-to: <[🔎] 3FA92DB2.20276.9A08A69@localhost>
References: <[🔎] 3FA82434.17565.5937549@localhost> <[🔎] 3FA92DB2.20276.9A08A69@localhost>

Hi!

> > this intentionally calls mprotect(PROT_EXEC) for the highest possible
> > address one can think of. This call has no useful purpose at all. In other
> > words, this is a specific, underhand cheat to trigger 'Vulnerable'
> > messages for all items when running paxtest on exec-shield kernels. Bravo!

If you get bad grades on school, don't work harder, blame the teacher.

Other people have been asking for such a test, because there was speculation
about this vulnerability in exec-shield. It is in fact a simulation of a
multithreaded application. I objected to adding tests that include a multi-
threaded library, because the library might interfere with the results of the
test. So instead of adding a library that would perform the mprotect(), the
mprotect() itself was added. Since multi-threaded applications are not that
uncommon. Therefore the results are quite relevant I think.

People deserve to know what the limitations the security products they use
have. That is why the return to function tests have been included, to show that
PaX is good but not perfect. Paxtest simply shows if people tell the truth
about memory protection patches. I wrote it to see if what pageexec told me
about it was true or not, so I wouldn't lie to people when I tell them
Adamantix has good memory protection. There are already too many lies in the
security world that there is no need for even more.

And after all, if exec-shield is being included in the Debian default kernel
source, then you are talking about the pride of a 1000 developers that are at
stake here. That is not something you should take lightly if you ask me. :-)

> > frankly, i've never experienced anything like this in my many years in the
> > Linux world. You so far gave the impression of a reasonable and balanced
> > person but this is as low as it gets. Shame on you.

Do you have the detailed specification of exec-shield somewhere? That would
make it easier to evaluate the completeness of the test suite. Feel free to
submit tests yourself, I'll add any sensible test.

Groetjes,
Peter Busser
-- 
The Adamantix Project
Taking high-security Linux out of the labs, and into the real world
http://www.adamantix.org/

Reply to:

Follow-Ups:
- Re: Exec-Shield vs. PaX
  - From: Adam Heath <doogie@debian.org>
- Re: Exec-Shield vs. PaX
  - From: Ingo Molnar <mingo@elte.hu>

References:
- Exec-Shield vs. PaX
  - From: pageexec@freemail.hu
- Re: Exec-Shield vs. PaX
  - From: pageexec@freemail.hu

Prev by Date: Re: scarriest changelog entry ever?
Next by Date: Re: Exec-Shield vs. PaX
Previous by thread: Re: Exec-Shield vs. PaX
Next by thread: Re: Exec-Shield vs. PaX
Index(es):
- Date
- Thread