[38203] in bugtraq
Re: Is DEP easily evadable?
daemon@ATHENA.MIT.EDU (John Richard Moser)
Fri Jan 14 12:58:29 2005
Message-ID: <41E760F6.5000501@comcast.net>
Date: Fri, 14 Jan 2005 01:04:38 -0500
From: John Richard Moser <nigelenki@comcast.net>
MIME-Version: 1.0
To: blp@cs.stanford.edu
Cc: bugtraq@securityfocus.com
In-Reply-To: <878y6xp1b2.fsf@benpfaff.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Ben Pfaff wrote:
> John Richard Moser <nigelenki@comcast.net> writes:
>
>
>>PaX does pretty nice randomization. I think 15/16 for heap and stack
>>and 24 for mmap(), though I could be overshooting the 24. I'm on amd64
>>so I can't just run paxtest and see; though I could read the source code.
>
>
> In some fairly reasonable circumstances, this may not be enough.
> I wonder whether the security community is generally aware of a
> paper I co-authored on defeating PaX and address space
> randomization in general on 32-bit systems, titled "On the
> Effectiveness of Address Space Randomization". It was presented
> at CCS 2004 and available on my webpage, among other places:
> http://www.stanford.edu/~blp/papers/asrandom.pdf
Brad says he's seen it, and that at the time of that writing he'd
already solved that problem.
Apparently in grsecurity, once you've caused a program to segfault or
get a PaX kill, it's flagged to delay all future forks by 30 seconds, or
something like that. I don't know the exact details.
- --
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFB52D2hDd4aOud5P8RAgxVAJ9NMAhRPFwAyQ0gC9/SA8AD4NpwkQCgiCuM
bNddcz3FHs0b41VNnHOezMk=
=Khb9
-----END PGP SIGNATURE-----
