Re: Is DEP easily evadable?

To: blp@xxxxxxxxxxxxxxx
Subject: Re: Is DEP easily evadable?
From: John Richard Moser <nigelenki@xxxxxxxxxxx>
Date: Fri, 14 Jan 2005 01:04:38 -0500
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <878y6xp1b2.fsf@xxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <41E57B45.50306@xxxxxxxxxxx> <87fz15prjy.fsf@xxxxxxxxxxxxx> <41E6C09B.2050101@xxxxxxxxxxx> <878y6xp1b2.fsf@xxxxxxxxxxxx>
User-agent: Mozilla Thunderbird 1.0 (X11/20041211)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Ben Pfaff wrote:
> John Richard Moser <nigelenki@xxxxxxxxxxx> writes:
> 
> 
>>PaX does pretty nice randomization.  I think 15/16 for heap and stack
>>and 24 for mmap(), though I could be overshooting the 24.  I'm on amd64
>>so I can't just run paxtest and see; though I could read the source code.
> 
> 
> In some fairly reasonable circumstances, this may not be enough.
> I wonder whether the security community is generally aware of a
> paper I co-authored on defeating PaX and address space
> randomization in general on 32-bit systems, titled "On the
> Effectiveness of Address Space Randomization".  It was presented
> at CCS 2004 and available on my webpage, among other places:
>         http://www.stanford.edu/~blp/papers/asrandom.pdf

Brad says he's seen it, and that at the time of that writing he'd
already solved that problem.

Apparently in grsecurity, once you've caused a program to segfault or
get a PaX kill, it's flagged to delay all future forks by 30 seconds, or
something like that.  I don't know the exact details.

- --
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFB52D2hDd4aOud5P8RAgxVAJ9NMAhRPFwAyQ0gC9/SA8AD4NpwkQCgiCuM
bNddcz3FHs0b41VNnHOezMk=
=Khb9
-----END PGP SIGNATURE-----

Follow-Ups:
- Re: Is DEP easily evadable?
  - From: Ben Pfaff

References:
- Is DEP easily evadable?
  - From: John Richard Moser
- Re: Is DEP easily evadable?
  - From: Florian Weimer
- Re: Is DEP easily evadable?
  - From: John Richard Moser
- Re: Is DEP easily evadable?
  - From: Ben Pfaff

Prev by Date: [CLA-2005:918] Conectiva Security Announcement - twiki
Next by Date: XSS Vulnerability in Siteman v1.1.9
Previous by thread: Re: Is DEP easily evadable?
Next by thread: Re: Is DEP easily evadable?
Index(es):
- Date
- Thread