PaX demo results, logs, reproduction data

I have completed an in-house test of a PaX demonstration.  The demo
includes the PaX patch; a patch I made to supplement PaX with boot-time
selection of NX mode; a script `pax-flags` to mark binaries with
chpax/paxctl and execstack (to turn the executable stack bit,
PT_GNU_STACK, off); and a configuration script for pax-flags.

The process I followed was a three-phase process which involved 1)
running an unadulterated Debian base on a non-PaX-patched 2.6.7 kernel
(kernel-sources-2.6.7-1); 2) Switching to a PaX-patched version and
demonstrating breakage, then demonstrating how flagging effectively
works around (and thus mutes) the incompatibilities; and 3) returning to
the same kernel used in (1) and running the marked binaries to show that
they are unaffected.

A full explanation is in the file:


The directory listing of


contains the patches used; the logs of the three-phase test (large
amounts of output, you really have to search for my input prompts); the
pax-flags script (an ugly script at that); and a pax.conf for pax-flags
on x86.

It is interesting to note that I messed up in the middle of phase 2, and
had to actually track down what was triggering wine; I was pretty sure
already, but wanted to test out just -m on it anyway, so took the
chance.  This process took less than two minutes for me to complete.

Wine is a special case, and needs the -x flag because of the preloader.
This was not tracked down during the above noted flagging miss; I added
that at the end when I remembered the docs I read about the preloader.

--
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.
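
Added example, not part of the original message and not the pax-flags script it mentions: a small auditor that reads an ELF file's program headers and reports the two markings discussed above, the PT_GNU_STACK executable bit and a paxctl-style PT_PAX_FLAGS header. It assumes paxctl-style marking only (chpax's legacy header marking is not covered); the function names and the sample ELF images are constructed for illustration.

```python
import struct

PT_GNU_STACK = 0x6474E551   # stack permission marker read by the ELF loader
PT_PAX_FLAGS = 0x65041580   # per-binary PaX flags header written by paxctl
PF_X = 0x1                  # execute permission bit in p_flags
PF_NOMPROTECT = 1 << 9      # PaX bit: MPROTECT restrictions switched off

def audit_elf(data):
    """Report the stack and PaX markings found in an ELF image's program headers."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little endian
    if is64:
        phoff, = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        flags_at = 4                         # p_flags offset in Elf64_Phdr
    else:
        phoff, = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        flags_at = 24                        # p_flags offset in Elf32_Phdr
    report = {"gnu_stack": "absent", "pax_flags": None, "mprotect_disabled": False}
    for i in range(phnum):
        base = phoff + i * phentsize
        if base + phentsize > len(data):
            raise ValueError("program header table runs past end of file")
        p_type, = struct.unpack_from(end + "I", data, base)
        p_flags, = struct.unpack_from(end + "I", data, base + flags_at)
        if p_type == PT_GNU_STACK:
            report["gnu_stack"] = "executable" if p_flags & PF_X else "non-executable"
        elif p_type == PT_PAX_FLAGS:
            report["pax_flags"] = p_flags
            report["mprotect_disabled"] = bool(p_flags & PF_NOMPROTECT)
    return report

def sample_elf32(stack_flags, pax_flags=None):
    """Constructed sample: ELF32 LE header (ET_EXEC, EM_386) plus program headers."""
    phdrs = [(PT_GNU_STACK, stack_flags)]
    if pax_flags is not None:
        phdrs.append((PT_PAX_FLAGS, pax_flags))
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    hdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<8I", t, 0, 0, 0, 0, 0, f, 4) for t, f in phdrs)
    return hdr + body

if __name__ == "__main__":
    print(audit_elf(sample_elf32(0x7)))                 # unmarked: RWX stack
    print(audit_elf(sample_elf32(0x6, PF_NOMPROTECT)))  # marked: RW stack, MPROTECT off
```

Both markings live in program headers of the file itself, so the same check can be run on a binary before and after flagging, whichever kernel is booted.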
