
[solved]PAX_ASLR not work in centos7 x64

Posted: Sun May 17, 2015 10:09 am
by perlish
I used kernel-3.14.42_grsec-1.x86_64.rpm on CentOS 7 x64, but it seems that ASLR does not work.

paxtest.log
Mode: blackhat
Linux localhost.localdomain 3.14.42-grsec #1 SMP Sun May 17 07:21:20 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux

Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable shared library bss : Killed
Executable shared library data : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable stack (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments : Killed
Anonymous mapping randomisation test : 29 quality bits (guessed)
Heap randomisation test (ET_EXEC) : 22 quality bits (guessed)
Heap randomisation test (PIE) : 35 quality bits (guessed)
Main executable randomisation (ET_EXEC) : 29 quality bits (guessed)
Main executable randomisation (PIE) : 29 quality bits (guessed)
Shared library randomisation test : 29 quality bits (guessed)
VDSO randomisation test : 29 quality bits (guessed)
Stack randomisation test (SEGMEXEC) : 35 quality bits (guessed)
Stack randomisation test (PAGEEXEC) : 35 quality bits (guessed)
Arg/env randomisation test (SEGMEXEC) : 39 quality bits (guessed)
Arg/env randomisation test (PAGEEXEC) : 39 quality bits (guessed)
Randomization under memory exhaustion @~0: 29 bits (guessed)
Randomization under memory exhaustion @0 : 29 bits (guessed)
Return to function (strcpy) : paxtest: return address contains a NULL byte.
Return to function (memcpy) : Killed
Return to function (strcpy, PIE) : paxtest: return address contains a NULL byte.
Return to function (memcpy, PIE) : Killed


I've also used chpax on randarg1 for X and R, but it's still guessed.

I've checked the config for RAND:
[root@localhost paxtest-0.9.13]# grep RAND /boot/config-3.14.42-grsec
CONFIG_ARCH_RANDOM=y
# CONFIG_RANDOMIZE_BASE is not set
CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE=y
CONFIG_NET_TEAM_MODE_RANDOM=m
CONFIG_HW_RANDOM=y
CONFIG_HW_RANDOM_TIMERIOMEM=m
CONFIG_HW_RANDOM_INTEL=m
CONFIG_HW_RANDOM_AMD=m
# CONFIG_HW_RANDOM_ATMEL is not set
CONFIG_HW_RANDOM_VIA=m
CONFIG_HW_RANDOM_VIRTIO=m
# CONFIG_HW_RANDOM_EXYNOS is not set
CONFIG_HW_RANDOM_TPM=m
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_GRKERNSEC_RAND_THREADSTACK=y
CONFIG_GRKERNSEC_RANDSTRUCT=y
# CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE is not set
# CONFIG_RANDOM32_SELFTEST is not set

Re: PAX_ASLR not work in centos7 x64

Posted: Sun May 17, 2015 12:03 pm
by spender
The ASLR is working fine there -- that's the expected result. The "guessed" is because given the number of times we perform the test, the result could probabilistically be off by a bit or so.

-Brad

Re: PAX_ASLR not work in centos7 x64

Posted: Sun May 17, 2015 7:27 pm
by perlish
spender wrote: The ASLR is working fine there -- that's the expected result. The "guessed" is because given the number of times we perform the test, the result could probabilistically be off by a bit or so.

-Brad

Would you like to tell me which tests show that ASLR is working fine?
Thank you very much!

Re: PAX_ASLR not work in centos7 x64

Posted: Sun May 17, 2015 7:40 pm
by spender
All of these:

Anonymous mapping randomisation test : 29 quality bits (guessed)
Heap randomisation test (ET_EXEC) : 22 quality bits (guessed)
Heap randomisation test (PIE) : 35 quality bits (guessed)
Main executable randomisation (ET_EXEC) : 29 quality bits (guessed)
Main executable randomisation (PIE) : 29 quality bits (guessed)
Shared library randomisation test : 29 quality bits (guessed)
VDSO randomisation test : 29 quality bits (guessed)
Stack randomisation test (SEGMEXEC) : 35 quality bits (guessed)
Stack randomisation test (PAGEEXEC) : 35 quality bits (guessed)
Arg/env randomisation test (SEGMEXEC) : 39 quality bits (guessed)
Arg/env randomisation test (PAGEEXEC) : 39 quality bits (guessed)
Randomization under memory exhaustion @~0: 29 bits (guessed)
Randomization under memory exhaustion @0 : 29 bits (guessed)


-Brad
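
The point made above about "(guessed)", as an added example that is not part of the thread and is not paxtest's code: a simplified estimator that counts the address bits seen to vary across a limited number of runs, plus the chance that a truly random bit is missed. The function names and sample addresses are constructed for illustration; how paxtest itself computes its figure is not shown on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bit positions that were seen as both 0 and 1 across the sampled runs. */
uint64_t varying_mask(const uint64_t *addr, size_t n)
{
    uint64_t all_and = ~(uint64_t)0, all_or = 0;
    for (size_t i = 0; i < n; i++) {
        all_and &= addr[i];
        all_or |= addr[i];
    }
    return all_or & ~all_and;
}

/* Count of varying bits: a lower bound on the real randomisation. */
int observed_bits(const uint64_t *addr, size_t n)
{
    int bits = 0;
    for (uint64_t m = varying_mask(addr, n); m; m &= m - 1)
        bits++;
    return bits;
}

/* Chance that one truly random bit shows the same value in all n runs
 * (2 * (1/2)^n); such a bit is silently missing from the count. */
double miss_probability(size_t n)
{
    double p = 2.0;
    for (size_t i = 0; i < n; i++)
        p /= 2.0;
    return n ? p : 1.0;
}

int main(void)
{
    /* Constructed sample addresses, not taken from the thread. */
    const uint64_t runs[] = {
        0x00007f3a1c2b4000ULL, 0x00007f91e07d9000ULL,
        0x00007f05b6a30000ULL, 0x00007fc8493e6000ULL,
    };
    size_t n = sizeof runs / sizeof runs[0];

    printf("varying mask  : 0x%016llx\n",
           (unsigned long long)varying_mask(runs, n));
    printf("observed bits : %d (guessed)\n", observed_bits(runs, n));
    printf("P(miss a bit) : %.4f with %zu runs\n", miss_probability(n), n);
    return 0;
}
```

Because a bit that happens to repeat in every run is not counted, the estimate can only fall short of the real figure, and the shortfall shrinks as the number of runs grows.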