paxtest(1) program to test buffer overflow protection

SYNOPSIS

paxtest [kiddie|blackhat] [logfile]

DESCRIPTION

paxtest is a program that attempts to test kernel enforcements over memory usage. Some attacks benefit from kernels that do not impose limitations. For example, execution in some memory segments makes buffer overflows possible. It is used as a regression test suite for PaX, but might be useful to test other memory protection patches for the kernel.

paxtest runs a set of programs that attempt to subvert memory usage. For example:
 

Executable anonymous mapping             : Killed 
Executable bss                           : Killed 
Executable data                          : Killed 
Executable heap                          : Killed 
Executable stack                         : Killed 
Executable anonymous mapping (mprotect)  : Killed 
Executable bss (mprotect)                : Killed 
Executable data (mprotect)               : Killed 
Executable heap (mprotect)               : Killed 
Executable shared library bss (mprotect) : Killed 
Executable shared library data (mprotect): Killed 
Executable stack (mprotect)              : Killed 
Anonymous mapping randomisation test     : 16 bits (guessed) 
Heap randomisation test (ET_EXEC)        : 13 bits (guessed) 
Heap randomisation test (ET_DYN)         : 25 bits (guessed) 
Main executable randomisation (ET_EXEC)  : No randomisation 
Main executable randomisation (ET_DYN)   : 17 bits (guessed) 
Stack randomisation test (SEGMEXEC)      : 23 bits (guessed) 
Stack randomisation test (PAGEEXEC)      : 24 bits (guessed) 
Return to function (strcpy)              : Vulnerable 
Return to function (strcpy, RANDEXEC)    : Vulnerable 
Return to function (memcpy)              : Vulnerable 
Return to function (memcpy, RANDEXEC)    : Vulnerable 
Executable shared library bss            : Killed 
Executable shared library data           : Killed 
Writable text segments                   : Killed 
 

The ``Executable ...'' tests basically put an instruction in a place that is supposed to be data (i.e. malloced data, C variable, etc.) and tries to execute it. The ``(mprotect)'' tests try to trick the kernel in marking this piece of memory as executable first. Return to function tests overwrite the return address on the stack, these are hard to prevent from inside the kernel. The last test tries to overwrite memory which is marked as executable.
 

A normal Linux kernel (unpatched to protect for buffer overflows) will show all tests as Vulnerable and no stack randomisation or 6 bits (due to stack colouring). In other words, on a normal Linux kernel you can execute any data inside a process's memory or overwrite any code at will.
 

This manual page was written for the Debian distribution because the original program does not have a manual page.
 

OPTIONS

This program can take two options: the tests to run, which are indicated using either kiddie or blackhat and (optionally) a file to which log all the test results. By default it will log to the user's HOME directory in a paxtest.log file.
 

AUTHOR

paxtest was written by Peter Busser.

This manual page was written by Javier Fernandez-Sanguino [email protected] for the Debian system (but may be used by others) based on the information in the source code and Peter Busser's comments sent to public mailing lists. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Public License, Version 2 or any later version published by the Free Software Foundation.