Re: Security and PAX

2015-06-19 Thread rhino64
On Tue, Jun 16, 2015 at 02:41:45PM -0400, Christos Zoulas wrote: > On Jun 16, 7:54pm, rhin...@epost.ch (rhin...@epost.ch) wrote: > -- Subject: Re: Security and PAX > > | However, I get a new error message when I try to do manually > | t

Re: Security and PAX

2015-06-16 Thread Justin Cormack
On Jun 16, 2015 7:42 PM, "Christos Zoulas" wrote: > > On Jun 16, 7:54pm, rhin...@epost.ch (rhin...@epost.ch) wrote: > -- Subject: Re: Security and PAX > > | On Mon, Jun 15, 2015 at 09:59:34AM -0400, Christos Zoulas wrote: > | > On Jun 15, 9:15am, rhin...@ep

Re: Security and PAX

2015-06-16 Thread Christos Zoulas
On Jun 16, 7:54pm, rhin...@epost.ch (rhin...@epost.ch) wrote: -- Subject: Re: Security and PAX | On Mon, Jun 15, 2015 at 09:59:34AM -0400, Christos Zoulas wrote: | > On Jun 15, 9:15am, rhin...@epost.ch (rhin...@epost.ch) wrote: | > -- Subject: Re: Security and PAX | > | > | I w

Re: Security and PAX

2015-06-16 Thread rhino64
On Mon, Jun 15, 2015 at 09:59:34AM -0400, Christos Zoulas wrote: > On Jun 15, 9:15am, rhin...@epost.ch (rhin...@epost.ch) wrote: > -- Subject: Re: Security and PAX > > | I will send you this info soon. Should I recompile Userland programs and > libs > | with the parame

Re: Security and PAX

2015-06-15 Thread Christos Zoulas
On Jun 15, 9:15am, rhin...@epost.ch (rhin...@epost.ch) wrote: -- Subject: Re: Security and PAX | I will send you this info soon. Should I recompile Userland programs and libs | with the parameter "-fpic". If I remember well, it was the library | "libtermcap" (from userl

Re: Security and PAX

2015-06-15 Thread rhino64
On Sun, Jun 14, 2015 at 12:57:44PM -0400, Christos Zoulas wrote: > On Jun 14, 6:39pm, rhin...@epost.ch (rhin...@epost.ch) wrote: > -- Subject: Re: Security and PAX > > | Hi, > | > | finally I have tried to use these parameters to compile pseudo statically a > | big program

Re: Security and PAX

2015-06-14 Thread Christos Zoulas
On Jun 14, 6:39pm, rhin...@epost.ch (rhin...@epost.ch) wrote: -- Subject: Re: Security and PAX | Hi, | | finally I have tried to use these parameters to compile pseudo statically a | big program (zsh) but without too much success (the linking stage failed | with an error with the .RODATA segment

Re: Security and PAX

2015-06-14 Thread rhino64
Hi, finally I have tried to use these parameters to compile pseudo statically a big program (zsh) but without too much success (the linking stage failed with an error with the .RODATA segment of some libs). Probably, I will have to build static executables for some usage (mainly to have executabl

Re: Security and PAX

2015-06-07 Thread Christos Zoulas
In article <20150607170425.ge67...@nordend.local.sourire.ch>, wrote: > >However, when compiled statically the link stage fails (as you can see). > >virtualisation# cc -fpie -Wl,-pie -Wl,-static -fPIC testASLR.c >ld: /usr/lib/libc

Re: Security and PAX

2015-06-07 Thread rhino64
On Sun, Jun 07, 2015 at 04:14:20PM +, Christos Zoulas wrote: > 1,2,3,4 pie... > > $ cc -fpie -Wl,-pie pie.c > $ paxctl +A ./a.out > # sysctl -w security.pax.aslr.enable=1 > $ ./a.out > > christos Yes with your command ("cc -fpie -Wl,-pie pie.c"), it works. However, when compiled statically

Re: Security and PAX

2015-06-07 Thread Christos Zoulas
On Jun 7, 6:13pm, rhin...@epost.ch (rhin...@epost.ch) wrote: -- Subject: Re: Security and PAX | Hi, | I have just tested your program and only the address of the stack seems | to be different. Have I missed something? Did you link it with -Wl,-pie? christos

Re: Security and PAX

2015-06-07 Thread Thor Lancelot Simon
On Sun, Jun 07, 2015 at 05:09:32PM +0200, rhin...@epost.ch wrote: > > How is it possible to check if a program is running with ASLR? I suppose > that, by looking at the address space of the program, > it is possible to see that the base address should change at each execution. Well, if you can'

Re: Security and PAX

2015-06-07 Thread rhino64
Hi, I have just tested your program and only the address of the stack seems to be different. Have I missed something? --Log of my tests-- Script started on Sun Jun 7 18:06:49 2015 virtualisation# gcat testASLR.c #include

Re: Security and PAX

2015-06-07 Thread Christos Zoulas
1,2,3,4 pie...

    $ cc -fpie -Wl,-pie pie.c
    $ paxctl +A ./a.out
    # sysctl -w security.pax.aslr.enable=1
    $ ./a.out

christos

Re: Security and PAX

2015-06-07 Thread Christos Zoulas
On Jun 7, 5:09pm, rhin...@epost.ch (rhin...@epost.ch) wrote: -- Subject: Re: Security and PAX | Hi, | | Thanks a lot for the info and links (which were very useful). | | I have set USE_SSP=yes, USE_FORT=yes, MKPIE=yes in the file | /usr/pkg/etc/mk.conf but without any sign of something | being

Re: Security and PAX

2015-06-07 Thread Christos Zoulas
In article <20150607150930.ga67...@nordend.local.sourire.ch>, wrote: >On Sat, Jun 06, 2015 at 02:35:32PM +, Christos Zoulas wrote: >> In article <20150606142015.ga61...@nordend.local.sourire.ch>, >> wrote: >> >Hi, >> > I am quite new to netbsd and I am curious about >> >the security mecha

Re: Security and PAX

2015-06-07 Thread rhino64
On Sat, Jun 06, 2015 at 02:35:32PM +, Christos Zoulas wrote: > In article <20150606142015.ga61...@nordend.local.sourire.ch>, > wrote: > >Hi, > > I am quite new to netbsd and I am curious about > >the security mechanisms available. > > > >In the security page "http://www.netbsd.org/support/s

Re: Security and PAX

2015-06-07 Thread Martin Husemann
On Sat, Jun 06, 2015 at 08:06:06PM +, Christos Zoulas wrote: > That just changes the defaults for the sysctls > security.pax.aslr.global and security.pax.mprotect.global... > You can put 2 lines in /etc/sysctl.conf and achieve the same... Note that you better carefully check whether your archit

Re: Security and PAX

2015-06-06 Thread Christos Zoulas
In article <557315f5.6030...@gmx.com>, Kamil Rytarowski wrote: >On 06.06.2015 14:35, Christos Zoulas wrote: >> In article <20150606142015.ga61...@nordend.local.sourire.ch>, >> wrote: >>> Hi, >>> I am quite new to netbsd and I am curious about >>> the security mechanisms available. >>> >>> In

Re: Security and PAX

2015-06-06 Thread Kamil Rytarowski
On 06.06.2015 14:35, Christos Zoulas wrote: > In article <20150606142015.ga61...@nordend.local.sourire.ch>, > wrote: >> Hi, >> I am quite new to netbsd and I am curious about >> the security mechanisms available. >> >> In the security page "http://www.netbsd.org/support/security/", >> I can se

Re: Security and PAX

2015-06-06 Thread Jeremy C. Reed
On Sat, 6 Jun 2015, rhin...@epost.ch wrote: > In the security page "http://www.netbsd.org/support/security/", > I can see that the PaX module is used in the kernel > but without any other information. Also see http://netbsd.gw.com/cgi-bin/man-cgi?security+7+NetBSD-current

Re: Security and PAX

2015-06-06 Thread Christos Zoulas
In article <20150606142015.ga61...@nordend.local.sourire.ch>, wrote: >Hi, > I am quite new to netbsd and I am curious about >the security mechanisms available. > >In the security page "http://www.netbsd.org/support/security/", >I can see that the PaX module is used in the kernel >but without a

Security and PAX

2015-06-06 Thread rhino64
Hi, I am quite new to netbsd and I am curious about the security mechanisms available. In the security page "http://www.netbsd.org/support/security/", I can see that the PaX module is used in the kernel but without any other information. What should be done in order to use (and perhaps config