paxtest on 64bit


Postby cormander » Fri Feb 12, 2010 4:44 pm

Hello,

The paxtest suite doesn't compile on 64bit (I'm using a fedora 10 machine). I get the error below:

make -f Makefile.psm
make[1]: Entering directory `/root/paxtest-0.9.7-pre6'
gcc -O2 -Wa,--noexecstack -D_FORTIFY_SOURCE=0 -DRUNDIR=\".\" -fno-stack-protector -fPIE -Wa,--noexecstack -o crt1S.o -c crt1S.S
crt1S.S: Assembler messages:
crt1S.S:5: Error: suffix or operands invalid for `pop'
crt1S.S:10: Error: suffix or operands invalid for `pop'
crt1S.S:12: Error: suffix or operands invalid for `push'
crt1S.S:13: Error: suffix or operands invalid for `push'
crt1S.S:14: Error: suffix or operands invalid for `push'
crt1S.S:15: Error: suffix or operands invalid for `push'
crt1S.S:16: Error: suffix or operands invalid for `push'
crt1S.S:17: Error: suffix or operands invalid for `push'
crt1S.S:18: Error: suffix or operands invalid for `push'
crt1S.S:19: Error: suffix or operands invalid for `push'
crt1S.S:20: Error: suffix or operands invalid for `push'
crt1S.S:21: Error: suffix or operands invalid for `push'
make[1]: *** [crt1S.o] Error 1
make[1]: Leaving directory `/root/paxtest-0.9.7-pre6'
make: *** [linux] Error 2


I'm using the paxtest-0.9.7-pre6 package.

This has been a problem for quite some time. I'm most interested now in getting it to work, however, because I'm implementing an auto-regression testing system for grsecurity. As it stands right now in my environment, after the kernel is compiled, it gets launched inside a XEN virtual machine and tests are kicked off. Right now it's just the grsecurity regression tests, and I'd like to add paxtest into here as well.

Each time I rebuild the kernel, code update or not, these tests happen. I imagine this will become more useful as time goes on and the internals of the kernel change; it'll automatically shout out when a test that has been previously working starts to fail.

As far as the PaX tests are concerned, my understanding of the code in these tests is limited, and as I learn more I'll write more tests. Soon I'll be picking up where I left off on a test suite for the RBAC system.

Any help to get paxtest to work on a 64bit compiler would be greatly appreciated.
cormander
 
Posts: 154
Joined: Tue Jan 29, 2008 12:51 pm

Re: paxtest on 64bit

Postby spender » Fri Feb 12, 2010 8:03 pm

I've uploaded a -pre7 version that should work properly. It's running fine here on RHEL 5.4 x64.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: paxtest on 64bit

Postby cormander » Fri Feb 12, 2010 11:22 pm

Thanks, that did the trick!

By the way, you say "randomisation" when it's spelled "randomization" :wink:

Just in case you were interested, the results from the test:

Linux grsec64.cormander.com 2.6.32.8-grsec #5 SMP Wed Feb 10 16:56:29 EST 2010 x86_64 x86_64 x86_64 GNU/Linux

Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable stack (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments : Killed
Anonymous mapping randomisation test : 33 bits (guessed)
Heap randomisation test (ET_EXEC) : 13 bits (guessed)
Heap randomisation test (PIE) : 40 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (PIE) : 32 bits (guessed)
Shared library randomisation test : 33 bits (guessed)
Stack randomisation test (SEGMEXEC) : 40 bits (guessed)
Stack randomisation test (PAGEEXEC) : 40 bits (guessed)
Return to function (strcpy) : paxtest: return address contains a NULL byte.
Return to function (memcpy) : Vulnerable
Return to function (strcpy, RANDEXEC) : paxtest: return address contains a NULL byte.
Return to function (memcpy, RANDEXEC) : Vulnerable
Executable shared library bss : Killed
Executable shared library data : Killed


And the test ran on vanilla of the same version:

Linux grsec64.cormander.com 2.6.32.8 #1 SMP Wed Feb 10 12:15:54 EST 2010 x86_64 x86_64 x86_64 GNU/Linux

Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Vulnerable
Executable bss (mprotect) : Vulnerable
Executable data (mprotect) : Vulnerable
Executable heap (mprotect) : Vulnerable
Executable stack (mprotect) : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Writable text segments : Vulnerable
Anonymous mapping randomisation test : 28 bits (guessed)
Heap randomisation test (ET_EXEC) : 14 bits (guessed)
Heap randomisation test (PIE) : 28 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (PIE) : 28 bits (guessed)
Shared library randomisation test : 28 bits (guessed)
Stack randomisation test (SEGMEXEC) : 28 bits (guessed)
Stack randomisation test (PAGEEXEC) : 28 bits (guessed)
Return to function (strcpy) : paxtest: return address contains a NULL byte.
Return to function (memcpy) : Vulnerable
Return to function (strcpy, RANDEXEC) : paxtest: return address contains a NULL byte.
Return to function (memcpy, RANDEXEC) : Vulnerable
Executable shared library bss : Killed
Executable shared library data : Killed


So the first 5 tests are also killed on a vanilla kernel. Is this a recent change?
cormander
 
Posts: 154
Joined: Tue Jan 29, 2008 12:51 pm
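
An added example, not part of the thread or of paxtest itself: one way the automated regression check described in the first post could compare two paxtest runs, using excerpts of the two listings above with the grsec run as baseline. The function names are assumptions made for the example; the parser splits at the first colon so that results containing a colon, and lines with no space before the colon, are handled.

```python
import re
# "name : result", split at the first colon; some lines have no space before it.
LINE = re.compile(r"^[ \t]*([^:\n]+?)[ \t]*:[ \t]*(.+?)[ \t]*$", re.M)

def parse_paxtest(text):
    """Map test name -> ("exec", blocked), ("bits", n) or ("inconclusive", msg)."""
    results = {}
    for name, result in LINE.findall(text):
        bits = re.match(r"(\d+) bits", result)
        if result in ("Killed", "Vulnerable"):
            results[name] = ("exec", result == "Killed")
        elif bits:
            results[name] = ("bits", int(bits.group(1)))
        elif result == "No randomisation":
            results[name] = ("bits", 0)
        elif result.startswith("paxtest:"):  # the test could not run
            results[name] = ("inconclusive", result)
    return results  # other lines, such as the uname banner, are skipped

def regressions(baseline, current):
    """List tests whose result in `current` is weaker than in `baseline`."""
    found = []
    for name, (kind, old) in baseline.items():
        new_kind, new = current.get(name, ("missing", None))
        if new_kind == "missing":
            found.append(f"{name}: missing from current run")
        elif kind == "exec" and old and new_kind == "exec" and not new:
            found.append(f"{name}: Killed -> Vulnerable")
        elif kind == "bits" and new_kind == "bits" and new < old:
            found.append(f"{name}: {old} -> {new} bits")
    return found

# Excerpts of the two listings posted above: grsec kernel, then vanilla.
GRSEC = """\
Linux grsec64.cormander.com 2.6.32.8-grsec #5 SMP Wed Feb 10 16:56:29 EST 2010 x86_64 x86_64 x86_64 GNU/Linux
Executable shared library data (mprotect): Killed
Heap randomisation test (ET_EXEC) : 13 bits (guessed)
Heap randomisation test (PIE) : 40 bits (guessed)
Return to function (strcpy) : paxtest: return address contains a NULL byte.
"""
VANILLA = """\
Executable shared library data (mprotect): Vulnerable
Heap randomisation test (ET_EXEC) : 14 bits (guessed)
Heap randomisation test (PIE) : 28 bits (guessed)
Return to function (strcpy) : paxtest: return address contains a NULL byte.
"""

if __name__ == "__main__":
    print("\n".join(regressions(parse_paxtest(GRSEC), parse_paxtest(VANILLA))))
```

In a build pipeline the baseline would be the stored output of the last known-good kernel, and a non-empty list would fail the run.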

Re: paxtest on 64bit

Postby PaX Team » Sun Feb 14, 2010 10:35 am

cormander wrote: By the way, you say "randomisation" when it's spelled "randomization" :wink:

i think it's a UK/US spelling thing, and Peter Busser just preferred one over the other ;).

cormander wrote: So the first 5 tests are also killed on a vanilla kernel. Is this a recent change?

IIRC, the amd64 ABI has always mandated non-exec stacks (by default, that is), i forget about the heap now but i think its default access rights have been this way for long too.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: paxtest on 64bit

Postby cormander » Mon Feb 15, 2010 1:55 am

A new problem for 32bit:

[root@grsec32 paxtest-0.9.7-pre7]# make linux
make -f Makefile.psm
make[1]: Entering directory `/root/paxtest-0.9.7-pre7'
gcc -o chpax chpax-0.7/aout.o chpax-0.7/chpax.o chpax-0.7/elf32.o chpax-0.7/elf64.o chpax-0.7/flags.o chpax-0.7/io.o
collect2: ld terminated with signal 11 [Segmentation fault]
/usr/bin/ld: i386:x86-64 architecture of input file `chpax-0.7/aout.o' is incompatible with i386 output
/usr/bin/ld: i386:x86-64 architecture of input file `chpax-0.7/chpax.o' is incompatible with i386 output
/usr/bin/ld: i386:x86-64 architecture of input file `chpax-0.7/elf32.o' is incompatible with i386 output
/usr/bin/ld: i386:x86-64 architecture of input file `chpax-0.7/elf64.o' is incompatible with i386 output
/usr/bin/ld: i386:x86-64 architecture of input file `chpax-0.7/flags.o' is incompatible with i386 output
/usr/bin/ld: i386:x86-64 architecture of input file `chpax-0.7/io.o' is incompatible with i386 output
make[1]: *** [chpax] Error 1
make[1]: Leaving directory `/root/paxtest-0.9.7-pre7'
make: *** [linux] Error 2


I did this to fix it:

cd chpax-0.7/
make clean


You included pre-compiled 64bit .o files in the chpax directory ;)
cormander
 
Posts: 154
Joined: Tue Jan 29, 2008 12:51 pm
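
An added example, not part of the thread or of the paxtest build: a pre-link check that reads the ELF header of each object file and reports those built for a different architecture than the target, which is the condition behind the `ld` errors above. The helper names, the constructed headers and the `hypothetical/rebuilt.o` entry are assumptions made for the example.

```python
import pathlib
import struct

# e_machine values from the ELF specification: EM_386 = 3, EM_X86_64 = 62.
EM_NAMES = {3: "i386", 62: "x86-64"}

def elf_arch(header):
    """Return (word size, machine) from an ELF header, or None if not ELF."""
    if len(header) < 20 or header[:4] != b"\x7fELF":
        return None
    bits = {1: 32, 2: 64}.get(header[4])        # EI_CLASS
    endian = {1: "<", 2: ">"}.get(header[5])    # EI_DATA
    if bits is None or endian is None:
        return None
    (machine,) = struct.unpack_from(endian + "H", header, 18)  # e_machine
    return bits, EM_NAMES.get(machine, f"machine {machine}")

def stale_objects(headers, target):
    """Names of ELF objects not built for `target`, e.g. (32, "i386")."""
    return sorted(name for name, header in headers.items()
                  if elf_arch(header) not in (None, target))

def read_headers(root):
    """Read the first 20 bytes of every .o file under `root`."""
    headers = {}
    for path in pathlib.Path(root).rglob("*.o"):
        with path.open("rb") as fh:
            headers[str(path)] = fh.read(20)
    return headers

def constructed_header(ei_class, machine):
    """Constructed sample: a little-endian ET_REL header, not a real object."""
    return (b"\x7fELF" + bytes([ei_class, 1, 1]) + bytes(9)
            + struct.pack("<HH", 1, machine))

# Two file names from the error output above, plus a hypothetical fresh build.
SAMPLE = {
    "chpax-0.7/aout.o": constructed_header(2, 62),
    "chpax-0.7/chpax.o": constructed_header(2, 62),
    "hypothetical/rebuilt.o": constructed_header(1, 3),
}

if __name__ == "__main__":
    print(stale_objects(SAMPLE, (32, "i386")))
```

On an unpacked source tree, `stale_objects(read_headers("."), (32, "i386"))` lists any shipped objects that need a `make clean` before a 32-bit build.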

Re: paxtest on 64bit

Postby chaoflow » Tue Mar 02, 2010 7:19 am

spender wrote: I've uploaded a -pre7 version that should work properly. It's running fine here on RHEL 5.4 x64.

-Brad


Sorry, if I am asking the obvious: Where can I find paxtest-0.9.7-pre7? It is neither here: http://pax.grsecurity.net/ nor here: http://www.grsecurity.net/~paxguy1/.

I would like to test how secure a stock ubuntu karmic x64 is.
chaoflow
 
Posts: 2
Joined: Tue Mar 02, 2010 7:07 am

Re: paxtest on 64bit

Postby spender » Tue Mar 02, 2010 8:02 am

The versions I make are located in http://grsecurity.net/~spender
The current one is 0.9.9.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: paxtest on 64bit

Postby chaoflow » Tue Mar 02, 2010 8:42 am

spender wrote: The versions I make are located in http://grsecurity.net/~spender
The current one is 0.9.9.

-Brad


Thank you very much. Compilation succeeded for 'make linux64'. The results are not too motivating (for keeping the stock ubuntu kernel) - I post here, if this is of relevance.

Can the versions in your home be considered releases? I wonder, because paxtest at least in gentoo and ubuntu is rather outdated and I'd like to change that, or at least help to change that.
chaoflow
 
Posts: 2
Joined: Tue Mar 02, 2010 7:07 am

Re: paxtest on 64bit

Postby PaX Team » Tue Mar 09, 2010 5:10 pm

chaoflow wrote: Can the versions in your home be considered releases? I wonder, because paxtest at least in gentoo and ubuntu is rather outdated and I'd like to change that, or at least help to change that.

paxtest hasn't really been released for a long time (we just happen to have more important things to care about usually), so spender's or my (depending on who hacked on it last) home directory is what you can consider the latest developer snapshot. we'll eventually get to a normal release, i just can't tell you now when exactly (paxtest is in some sort of redesign/rewrite these days, we have many more archs than x86 to support, not to mention an eventual kernel mode testsuite as well).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm


