[rsbac] PaX support by RSBAC

Peter Busser peter at adamantix.org
Mon Sep 29 09:55:14 MEST 2003


On Mon, Sep 29, 2003 at 09:25:51AM +0600, Arkady A Drovosekov wrote:
> On Sun, Sep 28, 2003 at 06:56:02PM +0200, Peter Busser wrote:
> > A nice feature would be support of PaX by RSBAC. Or a kernel module that can
> > be loaded to provide that support. Using chpax sucks, it changes the binary
> > file. It would be better if the flags would be stored and managed by RSBAC.
> why not to use exec-shield?

Because PaX is better than exec-shield. The protection provided by exec-shield
is based on a few assumptions. There is a saying: Assumptions are the mother
of all fuckups. One such assumption is that it assumes that exploits are done
in ASCII. What about an image function that uses memcpy() without carefully
checking the buffer size?

You can compare the protection provided by exec-shield and PaX by running the
paxtest program I wrote. You can find it on http://pageexec.virtualave.net/.
You'll see that PaX intercepts more problems than exec-shield. This also means
that PaX can cause more problems, that is why chpax exists.

Peter Busser
The Adamantix Project
Taking trustworthy software out of the labs, and into the real world

More information about the rsbac mailing list