NetBSD-Users archive
Re: Security and PAX
In article <20150607150930.GA67497%nordend.local.sourire.ch@localhost>,
<rhino64%epost.ch@localhost> wrote:
>On Sat, Jun 06, 2015 at 02:35:32PM +0000, Christos Zoulas wrote:
>> In article <20150606142015.GA61273%nordend.local.sourire.ch@localhost>,
>> <rhino64%epost.ch@localhost> wrote:
>> >Hi,
>> > I am quite new to NetBSD and I am curious about
>> >the security mechanisms available.
>> >
>> >In the security page "http://www.netbsd.org/support/security/",
>> >I can see that the PaX module is used in the kernel
>> >but without any other information.
>> >
>> >What should be done in order to use (and perhaps configure)
>> >that feature?
>> >
>> >Should the executables be compiled with the "-fpie" option?
>> >
>> >Any comment would be greatly appreciated.
>>
>> $ man 7 sysctl    (look for pax)
>> $ man paxctl
>>
>> To use ASLR effectively you need to build with MKPIE...
>>
>> christos
>Hi,
>
>Thanks a lot for the info and links (which were very useful).
>
>I have set USE_SSP=yes, USE_FORT=yes, MKPIE=yes in the file
>/usr/pkg/etc/mk.conf but without any sign of something
>being changed during the compilation.
>
>Finally I have added "-fpie" and "-fstack-protector-all" to the CFLAGS
>and it seems to have worked.
>
>Where should the variable MKPIE be set (in the kernel/world config file)?
>
>How is it possible to check if a program is running with ASLR? I suppose
>that, by looking at the address space of the program,
>it is possible to see that the base address should change at each execution.
>
>Is that possible and how to do it?
>
>Thanks for your help.
>
>kind regards,
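
#include <stdio.h>
#include <stdlib.h>

int array[] = { 0, 1, 2 };

/* Print one address each from text, libc, stack and data; run it several times and compare. */
int
main(int argc, char *argv[])
{
    /* %p expects a void *, so each pointer is cast explicitly. */
    printf("main %p\n", (void *)main);      /* program text */
    printf("libc %p\n", (void *)printf);    /* shared library text */
    printf("stack %p\n", (void *)argv);     /* stack */
    printf("data %p\n", (void *)array);     /* initialized data */
    return 0;
}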
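
One way to compare two runs of the program above automatically, as an added example that is not part of the original message: it parses the four "label address" lines from each run and reports which regions moved. The names parse_run and moved_mask are this example's own, and it assumes exactly the output format printed by the program in the message.

```c
#include <stdio.h>
#include <string.h>

static const char *labels[] = { "main", "libc", "stack", "data" };

/* Parse "label 0x..." lines of one run; addr[i] is untouched if labels[i] is absent. */
static void parse_run(const char *out, unsigned long long addr[4])
{
    char name[16];
    unsigned long long a;
    int i, used;
    while (sscanf(out, "%15s %llx%n", name, &a, &used) == 2) {
        for (i = 0; i < 4; i++)
            if (strcmp(name, labels[i]) == 0)
                addr[i] = a;
        out += used;
    }
}

/* Bit i set: labels[i] moved between the two runs. -1: a label is missing. */
int moved_mask(const char *run1, const char *run2)
{
    unsigned long long a[4] = { 0 }, b[4] = { 0 };
    int i, mask = 0;
    parse_run(run1, a);
    parse_run(run2, b);
    for (i = 0; i < 4; i++) {
        if (a[i] == 0 || b[i] == 0)
            return -1;
        mask |= (a[i] != b[i]) << i;
    }
    return mask;
}

int main(int argc, char *argv[])
{
    char out[2][512];
    FILE *fp;
    int i, mask;
    for (i = 0; i < 2; i++) {   /* argv[1], argv[2]: saved output of two runs */
        if (argc != 3 || (fp = fopen(argv[i + 1], "r")) == NULL)
            return 1;
        out[i][fread(out[i], 1, sizeof(out[i]) - 1, fp)] = '\0';
        fclose(fp);
    }
    mask = moved_mask(out[0], out[1]);
    for (i = 0; i < 4 && mask >= 0; i++)
        printf("%-5s %s\n", labels[i], (mask >> i) & 1 ? "moved" : "fixed");
    return mask < 0;
}
```

Redirect the output of two runs of the program from the message into two files and pass both paths as arguments. With ASLR enabled, a binary that is not position-independent typically shows main and data as fixed while libc and stack move.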