NetBSD-Users archive


Re: Security and PAX



On Jun 7,  5:09pm, rhino64%epost.ch@localhost (rhino64%epost.ch@localhost) wrote:
-- Subject: Re: Security and PAX

| Hi,
| 
| Thanks a lot for the info and links (which were very useful).
| 
| I have set USE_SSP=yes, USE_FORT=yes, MKPIE=yes in the file
| /usr/pkg/etc/mk.conf but without any sign of something
| being changed during the compilation.

Yes, packages don't know about these variables (and the package Makefiles).
Perhaps that can be improved.

| Finally I have added "-fpie" and "-fstack-protector-all" to the CFLAGS
| and it seems to have worked.

Yes.

| Where should the variable MKPIE be set (in the kernel/world config file)?

In the kernel it does not make sense. The kernel is loaded in the same place.
But in the userland build putting it in /etc/mk.conf should work.

| How is it possible to check if a program is running with ASLR? I suppose
| that, by looking at the address space of the program,
| it is possible to see that the base address should change at each execution.
| 
| Is that possible and how to do it?

I posted a program that prints addresses and it should print something
different on each run. Here it is again:

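#include <stdio.h>
#include <stdlib.h>

int array[] = { 0, 1, 2 };

int
main(int argc, char *argv[])
{
        /* %p expects a void *, so cast each pointer explicitly */
        printf("main %p\n", (void *)main);      /* program text */
        printf("libc %p\n", (void *)printf);    /* shared library text */
        printf("stack %p\n", (void *)argv);     /* stack */
        printf("data %p\n", (void *)array);     /* initialized data */
        return 0;
}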

christos
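
To compare runs of the program above without reading addresses by eye, the shell function below runs a command several times and reports, per label, whether the printed address changed. It is an added example, not part of the original message; the name aslr_report and the binary name ./aslrtest are assumptions. The main and data addresses can only move when the executable itself is position-independent, so "fixed" on those two lines next to "randomized" stack and libc lines indicates a non-PIE build.

```sh
#!/bin/sh
# Added example (not from the original message).
# usage: aslr_report RUNS COMMAND [ARGS...]
# COMMAND must print "label address" lines, like the program in the message
# above (main, libc, stack, data). Prints "label randomized" or "label fixed"
# for every label, in the order the labels first appeared.
aslr_report() {
    runs=$1
    shift
    # Refuse early if the command cannot be found or is not executable.
    command -v "$1" >/dev/null 2>&1 || {
        echo "aslr_report: cannot run $1" >&2
        return 2
    }
    i=0
    while [ "$i" -lt "$runs" ]; do
        "$@"
        i=$((i + 1))
    done | awk '
        NF == 2 {
            if (!($1 in first)) {
                # First sighting of this label: remember address and order.
                first[$1] = $2
                order[++n] = $1
            } else if ($2 != first[$1]) {
                # A later run printed a different address for this label.
                varied[$1] = 1
            }
        }
        END {
            for (k = 1; k <= n; k++) {
                l = order[k]
                printf "%s %s\n", l, (l in varied) ? "randomized" : "fixed"
            }
        }'
}

# When run as a script: sh aslr_report.sh ./aslrtest
# (./aslrtest is an assumed name for the compiled test program.)
if [ "$#" -gt 0 ]; then
    aslr_report 5 "$@"
fi
```
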

