Re: Security and PAX

2015-06-07 Thread Christos Zoulas
In article <20150607170425.ge67...@nordend.local.sourire.ch>, wrote: > >However, when compiled statically the link stage fails (as you can see). > >virtualisation# cc -fpie -Wl,-pie -Wl,-static -fPIC testASLR.c >ld: /usr/lib/libc

Re: Security and PAX

2015-06-07 Thread rhino64
On Sun, Jun 07, 2015 at 04:14:20PM +, Christos Zoulas wrote: > 1,2,3,4 pie... > > $ cc -fpie -Wl,-pie pie.c > $ paxctl +A ./a.out > # sysctl -w security.pax.aslr.enable=1 > $ ./a.out > > christos Yes with your command ("cc -fpie -Wl,-pie pie.c"), it works. However, when compiled statically

Re: Security and PAX

2015-06-07 Thread Christos Zoulas
On Jun 7, 6:13pm, rhin...@epost.ch (rhin...@epost.ch) wrote: -- Subject: Re: Security and PAX | Hi, |I have just tested your program and only the address of the stack seems | to be different. Do I have missed someting? Did you link it with -Wl,-pie? christos

Re: Security and PAX

2015-06-07 Thread Thor Lancelot Simon
On Sun, Jun 07, 2015 at 05:09:32PM +0200, rhin...@epost.ch wrote: > > How is it possible to check if a program is running with ASLR? I suppose > that, by looking at the address space of the program, > it is possible to see that the base address should change at each execution. Well, if you can'

Re: Security and PAX

2015-06-07 Thread rhino64
Hi, I have just tested your program and only the address of the stack seems to be different. Do I have missed someting? --Log of my tests-- Script started on Sun Jun 7 18:06:49 2015 virtualisation# gcat testASLR.c #include

Re: Security and PAX

2015-06-07 Thread Christos Zoulas
1,2,3,4 pie... $ cc -fpie -Wl,-pie pie.c $ paxctl +A ./a.out # sysctl -w security.pax.aslr.enable=1 $ ./a.out christos

Re: Security and PAX

2015-06-07 Thread Christos Zoulas
On Jun 7, 5:09pm, rhin...@epost.ch (rhin...@epost.ch) wrote: -- Subject: Re: Security and PAX | Hi, | | Thanks a lot for the info and links (which were very useful). | | I have set USE_SSP=yes, USE_FORT=yes, MKPIE=yes in the file | /usr/pkg/etc/mk.conf but without any sign of something | being

Re: Security and PAX

2015-06-07 Thread Christos Zoulas
In article <20150607150930.ga67...@nordend.local.sourire.ch>, wrote: >On Sat, Jun 06, 2015 at 02:35:32PM +, Christos Zoulas wrote: >> In article <20150606142015.ga61...@nordend.local.sourire.ch>, >> wrote: >> >Hi, >> > I am quite new to netbsd and I am curious about >> >the security mecha

Re: Security and PAX

2015-06-07 Thread rhino64
On Sat, Jun 06, 2015 at 02:35:32PM +, Christos Zoulas wrote: > In article <20150606142015.ga61...@nordend.local.sourire.ch>, > wrote: > >Hi, > > I am quite new to netbsd and I am curious about > >the security mechanisms available. > > > >In the security page "http://www.netbsd.org/support/s

Re: Security and PAX

2015-06-07 Thread Martin Husemann
On Sat, Jun 06, 2015 at 08:06:06PM +, Christos Zoulas wrote: > That just changes the defaults for the sysctls > security.pax.aslr.global and security.pax.mprotect.global... > You can put 2 lines in /etc/sysctl.conf and achieve the same... Note that you better carefully check wether your archit