Paxtest results with default Grsec2 aren't impressive

To: "debian-security@lists.debian.org" <debian-security@lists.debian.org>
Subject: Paxtest results with default Grsec2 aren't impressive
From: Kees de Jong <keesdejong@gmail.com>
Date: Tue, 13 Sep 2011 22:47:19 +0200
Message-id: <[🔎] 1315946853.4687.55.camel@Intrepid.Debnet>

I've been running my Debian machines with Grsec2 (package: "linux-patch-grsecurity2") for a long time.
I thought that would keep me rather save, but I've ran Paxtest today (which is in the Debian repository only available for i386...)
and I wonder now if it could be better.

Follow these steps if you want to test it too and don't have the i386 architecture like me:

1) Download the source.
# wget http://www.grsecurity.net/~paxguy1/paxtest-0.9.7-pre5.tar.gz

2) Extract it:
# tar xzvf paxtest-0.9.7-pre5.tar.gz
# cd paxtest-0.9.7-pre5

3) Compile it:
# make generic
If generic doesn't work try this:
# make adamantix

4) Run these two tests:
./paxtest kiddie
./paxtest blackhat

Below are my results, they are quite disappointing, I was expecting full protection. Why is that not enabled?
Would that interfere with other applications and functionality? I guess a custom compiled kernel would be better with the Grsecurity settings at high.

What are the default settings right now in the default Debian Linux kernels? And if they aren't at the highest setting, I ask myself why?
I would like some expert comments on this :-)

I run Debian Testing on AMD64.
My results on a Conroe Core2Duo E6600 CPU are:

Mode: kiddie
Linux 3.0.0-1-amd64 #1 SMP Sat Aug 27 16:21:11 UTC 2011 x86_64 GNU/Linux

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable anonymous mapping (mprotect) : Vulnerable
Executable bss (mprotect)                : Vulnerable
Executable data (mprotect)               : Vulnerable
Executable heap (mprotect)               : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Executable stack (mprotect)              : Vulnerable
Anonymous mapping randomisation test     : 28 bits (guessed)
Heap randomisation test (ET_EXEC)        : No randomisation
Heap randomisation test (ET_DYN)         : No randomisation
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (ET_DYN)   : No randomisation
Shared library randomisation test        : 28 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 28 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 28 bits (guessed)
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (strcpy, RANDEXEC)    : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Return to function (memcpy, RANDEXEC)    : Executable shared library bss            : Killed
Executable shared library data           : Killed
Writable text segments                   : Vulnerable

Mode: blackhat
Linux 3.0.0-1-amd64 #1 SMP Sat Aug 27 16:21:11 UTC 2011 x86_64 GNU/Linux

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable anonymous mapping (mprotect) : Vulnerable
Executable bss (mprotect)                : Vulnerable
Executable data (mprotect)               : Vulnerable
Executable heap (mprotect)               : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Executable stack (mprotect)              : Vulnerable
Anonymous mapping randomisation test     : 28 bits (guessed)
Heap randomisation test (ET_EXEC)        : No randomisation
Heap randomisation test (ET_DYN)         : No randomisation
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (ET_DYN)   : No randomisation
Shared library randomisation test        : 28 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 28 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 28 bits (guessed)
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (strcpy, RANDEXEC)    : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Killed
Return to function (memcpy, RANDEXEC)    : Killed
Executable shared library bss            : Killed
Executable shared library data           : Killed
Writable text segments                   : Vulnerable

--
Met vriendelijke groet,
Kees de Jong

De informatie opgenomen in dit bericht kan vertrouwelijk zijn en is uitsluitend bestemd voor de geadresseerde(n).
Indien u dit bericht onterecht ontvangt, wordt u verzocht de inhoud niet te gebruiken en de afzender direct te informeren door het bericht te retourneren.
--
The information contained in this message may be confidential and is intended to be exclusively for the addressee(s).
Should you receive this message unintentionally, please do not use the contents herein and notify the sender immediately by return e-mail.

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to:

Follow-Ups:
- Re: Paxtest results with default Grsec2 aren't impressive
  - From: Yves-Alexis Perez <corsac@debian.org>
- Re: Paxtest results with default Grsec2 aren't impressive
  - From: Robert Tomsick <robert@tomsick.net>
- Re: Paxtest results with default Grsec2 aren't impressive
  - From: Yves-Alexis Perez <corsac@debian.org>

Prev by Date: Re: url Debian
Next by Date: Re: Paxtest results with default Grsec2 aren't impressive
Previous by thread: Re: url Debian
Next by thread: Re: Paxtest results with default Grsec2 aren't impressive
Index(es):
- Date
- Thread