Software Defense Software Defense Mechanisms: PaX and the Mechanisms: PaX and the future future past continuous past continuous
Dec 30, 2015
Software Defense Software Defense Mechanisms: PaX and the Mechanisms: PaX and the
futurefuture
past continuouspast continuous
Who am I?Who am I?
NOT Brad Spengler – I have decent NOT Brad Spengler – I have decent earsears
Tiago Assumpção Tiago Assumpção <[email protected]><[email protected]> NOT an academicNOT an academic
An undisciplined curious person with lots of An undisciplined curious person with lots of energy to be spent on whatever is valued by energy to be spent on whatever is valued by his selfhis self
Who am I? (cont.)Who am I? (cont.)
NOT a PaX developer… however…NOT a PaX developer… however… Have had delightful discussions with PaX Have had delightful discussions with PaX
Team about Team about whatever blows your hair backwhatever blows your hair back Have been Have been improving improving the project [2]the project [2] Have been Have been questioningquestioning the project [3] the project [3]
In praise of hackingIn praise of hacking
““The speculations of Thales, The speculations of Thales, Anaximander, and Anaximenes are to be Anaximander, and Anaximenes are to be regarded as scientific hypotheses (...) regarded as scientific hypotheses (...) The questions they asked were good The questions they asked were good questions, and their vigour inspired questions, and their vigour inspired subsequent investigators.subsequent investigators.””
RUSSELL, Bertrand; RUSSELL, Bertrand; History of Western Philosophy - History of Western Philosophy - 1946. p. 371946. p. 37
What is PaX?What is PaX?
Quite simply: the greatest advance in Quite simply: the greatest advance in system security in over a decade that system security in over a decade that you’ve never heard ofyou’ve never heard of
Less simply: It provides non-executable Less simply: It provides non-executable memory pages and full address space memory pages and full address space layout randomization (ASLR) for a wide layout randomization (ASLR) for a wide variety of architectures.variety of architectures.
– – Brad “grears” SpenglerBrad “grears” Spengler
What is PaX?What is PaX?
Linux kernel patchLinux kernel patch Free-software & open-source is good for Free-software & open-source is good for
the general researcherthe general researcher Universal solutions: concepts easily Universal solutions: concepts easily
extentend to any modern platformextentend to any modern platform
Why is PaX?Why is PaX?
Given a vector:Given a vector: Payload (code/data) injectionPayload (code/data) injection Context (memory/registers/etc.) Context (memory/registers/etc.)
manipulationmanipulation Intentional Control Flow modificationIntentional Control Flow modification
OutlineOutline
PaXPaX SEGMEXECSEGMEXEC PAGEEXECPAGEEXEC KERNEXECKERNEXEC ASLRASLR
RANDMMAPRANDMMAP RANDKSTACKRANDKSTACK PIEPIE
UDEREFUDEREF
Outline (cont.)Outline (cont.)
PaX’ FactsPaX’ Facts Past ContinuousPast Continuous
Control Flow VerificationControl Flow Verification KERNSEAL KERNSEAL
PaX - SEGMEXECPaX - SEGMEXEC
SEGMEXEC is PaX’s implementation SEGMEXEC is PaX’s implementation of per-page non-executable user of per-page non-executable user pages using the segmentation logic pages using the segmentation logic of IA-32 (Intel x86 architecture) and of IA-32 (Intel x86 architecture) and virtual memory area mirroring virtual memory area mirroring (developed by PaX).(developed by PaX).
PaX – SEGMEXEC (cont.)PaX – SEGMEXEC (cont.)
The segmentation logic is fairly The segmentation logic is fairly straightforward:straightforward: Data Segment (DS)Data Segment (DS) Code Segment (CS)Code Segment (CS)
There exist these two segments for user pages There exist these two segments for user pages as well as kernel pages.as well as kernel pages.
PaX splits the address space down the middle: PaX splits the address space down the middle: the bottom half for data, the top for code.the bottom half for data, the top for code.
Segmentation is a “window” into the address Segmentation is a “window” into the address spacespace
No performance hitNo performance hit
PaX – SEGMEXEC (cont.)PaX – SEGMEXEC (cont.)
UserCode & Data
Segments
3GB
Without SEGMEXEC
UserCode
Segment
1.5GB
UserData
Segment
1.5GB
With SEGMEXEC
PaX – SEGMEXEC (cont.)PaX – SEGMEXEC (cont.)
PaX’s VMA mirroring involves duplicating PaX’s VMA mirroring involves duplicating every executable page in the lower half every executable page in the lower half of the address space into the upper half.of the address space into the upper half.
Instruction fetch attempts at addresses Instruction fetch attempts at addresses located in the data segment that don’t located in the data segment that don’t have any code located at its mirrored have any code located at its mirrored address will cause a page fault. PaX address will cause a page fault. PaX handles this page fault and kills the task.handles this page fault and kills the task.
PaX – SEGMEXEC (cont.)PaX – SEGMEXEC (cont.)
08048000-0804c000 r-xp /home/bradly/cat0804c000-0804d000 rw-p /home/bradly/cat0804d000-08079000 rw-p 20000000-20014000 r-xp /lib/ld-2.3.2.so20014000-20015000 rw-p /lib/ld-2.3.2.so20015000-20016000 rw-p 2001e000-20145000 r-xp /lib/libc-2.3.2.so20145000-2014a000 rw-p /lib/libc-2.3.2.so2014a000-2014c000 rw-p 2014c000-202d1000 r--p /usr/lib/locale/locale-archive5ffff000-60000000 rw-p 68048000-6804c000 r-xp /home/bradly/cat80000000-80014000 r-xp /lib/ld-2.3.2.so8001e000-80145000 r-xp /lib/libc-2.3.2.so
08048000-0804c000 r-xp /home/bradly/cat0804c000-0804d000 rw-p /home/bradly/cat0804d000-08073000 rw-p 40000000-40014000 r-xp /lib/ld-2.3.2.so40014000-40015000 rw-p /lib/ld-2.3.2.so40015000-40016000 rw-p 4001e000-40145000 r-xp /lib/libc-2.3.2.so40145000-4014a000 rw-p /lib/libc-2.3.2.so4014a000-4014c000 rw-p 4014c000-402d1000 r--p /usr/lib/locale/locale-archivebfffe000-c0000000 rw-p
Without SEGMEXEC
With SEGMEXEC
PaX – SEGMEXEC (cont.)PaX – SEGMEXEC (cont.)
Instruction fetch attempt at 0x08049000
Segmentation logic translates 0x08049000 into 0x68049000
Does 0x68049000 belong to any mapping?
Success
Violation, process is terminated
YES
NO
PaX - PAGEEXECPaX - PAGEEXEC
PAGEEXEC was PaX’s first implementation PAGEEXEC was PaX’s first implementation of non-executable pages.of non-executable pages.
Because of SEGMEXEC, it’s not used Because of SEGMEXEC, it’s not used anymore on x86 (so I won’t discuss the anymore on x86 (so I won’t discuss the implementation).implementation).
Platforms which support the executable bit Platforms which support the executable bit in hardware are implemented under in hardware are implemented under PAGEEXEC (currently alpha, ppc, parisc, PAGEEXEC (currently alpha, ppc, parisc, sparc, sparc64, amd64, and ia64)sparc, sparc64, amd64, and ia64)
PaX - KERNEXECPaX - KERNEXEC
KERNEXEC is PaX’s implementation of KERNEXEC is PaX’s implementation of proper page protection in the kernelproper page protection in the kernel ‘‘const’ finally means read only in the kernelconst’ finally means read only in the kernel Read-only system call tableRead-only system call table Read-only interrupt descriptor table (IDT)Read-only interrupt descriptor table (IDT) Read-only global descriptor table (GDT)Read-only global descriptor table (GDT) Data is non-executableData is non-executable Uses the same concept of segmentation as Uses the same concept of segmentation as
SEGMEXEC SEGMEXEC Cannot co-exist with module support (currently)Cannot co-exist with module support (currently)
PaX - ASLRPaX - ASLR
Full ASLR randomizes the locations of Full ASLR randomizes the locations of the following memory objects:the following memory objects: Executable imageExecutable image Brk-managed heapBrk-managed heap Library imagesLibrary images Mmap-managed heapMmap-managed heap User space stackUser space stack Kernel space stackKernel space stack
PaX – ASLR (cont.)PaX – ASLR (cont.)
Notes on amount of randomization:Notes on amount of randomization: The following values are for 32bit architectures. The following values are for 32bit architectures.
They are larger on 64bit architectures, though They are larger on 64bit architectures, though not twice as large (since they generally don’t not twice as large (since they generally don’t use 64 bits for the address space).use 64 bits for the address space).
Stack – 24 bits (28 bits for argument/environment Stack – 24 bits (28 bits for argument/environment pages)pages)
Mmap – 16 bitsMmap – 16 bits Executable – 16 bitsExecutable – 16 bits Heap – 12 bits (or 24 bits if executable is randomized Heap – 12 bits (or 24 bits if executable is randomized
also)also)
PaX – ASLR (cont.)PaX – ASLR (cont.)
The randomizations applied to each memory The randomizations applied to each memory region are independent of each otherregion are independent of each other Because PaX guarantees no arbitrary code Because PaX guarantees no arbitrary code
execution, exploits will most likely need to execution, exploits will most likely need to access different memory regions.access different memory regions.
So, if the exploit needs access to libraries and So, if the exploit needs access to libraries and the stack, the bits that must be guessed are the the stack, the bits that must be guessed are the sum of the two regions: 40 bits (or 44). The sum of the two regions: 40 bits (or 44). The chance of such an attack succeeding while chance of such an attack succeeding while depending on hard coded addresses is depending on hard coded addresses is effectively zero.effectively zero.
PaX – ASLR (cont.)PaX – ASLR (cont.)08048000-0804c000 r-xp /home/bradly/cat0804c000-0804d000 rw-p /home/bradly/cat0804d000-08078000 rw-p 4edaa000-4edbe000 r-xp /lib/ld-2.3.2.so4edbe000-4edbf000 rw-p /lib/ld-2.3.2.so4edbf000-4edc0000 rw-p 4edc8000-4eeef000 r-xp /lib/libc-2.3.2.so4eeef000-4eef4000 rw-p /lib/libc-2.3.2.so4eef4000-4eef6000 rw-p4eef6000-4f07b000 r--p /usr/lib/locale/locale-archivebf3dc000-bf3dd000 rw-p
08048000-0804c000 r-xp /home/bradly/cat0804c000-0804d000 rw-p /home/bradly/cat0804d000-08070000 rw-p43d8c000-43da0000 r-xp /lib/ld-2.3.2.so43da0000-43da1000 rw-p /lib/ld-2.3.2.so43da1000-43da2000 rw-p43daa000-43ed1000 r-xp /lib/libc-2.3.2.so43ed1000-43ed6000 rw-p /lib/libc-2.3.2.so43ed6000-43ed8000 rw-p43ed8000-4405d000 r--p /usr/lib/locale/locale-archiveb54f9000-b54fa000 rw-p
Two runs of a binary with stack, mmap, and heap randomization
PaX – ASLR (cont.)PaX – ASLR (cont.)
RANDKSTACKRANDKSTACK Randomizes the kernel’s stackRandomizes the kernel’s stack Randomized on each system call, so Randomized on each system call, so
info-leaking the randomization is uselessinfo-leaking the randomization is useless Randomizes 5 bits of the stack. Brute Randomizes 5 bits of the stack. Brute
forcing generally shouldn’t be possible, forcing generally shouldn’t be possible, as each attempt will most likely crash as each attempt will most likely crash the kernel.the kernel.
PaX – ASLR (cont.)PaX – ASLR (cont.)
PIEPIE Special type of ELF binary (the same used for Special type of ELF binary (the same used for
shared libraries)shared libraries) Position independent code (PIC)Position independent code (PIC) Allows for relocation of the binary at a random Allows for relocation of the binary at a random
locationlocation Needed to achieve Full ASLRNeeded to achieve Full ASLR Requires a recompile and re-link of applicationsRequires a recompile and re-link of applications
PaX – Dangling PointersPaX – Dangling Pointers
““Dangling pointers and wild pointers Dangling pointers and wild pointers in computer programming are in computer programming are pointers that do not point to a valid pointers that do not point to a valid object of the appropriate type, or to object of the appropriate type, or to a distinguished null pointer value in a distinguished null pointer value in languages which support this”languages which support this”
WikipediaWikipedia
PaX – Dangling Pointers PaX – Dangling Pointers (cont.)(cont.)
Most i386 OSs don't separate the Most i386 OSs don't separate the userland virtual address space from userland virtual address space from that of the kernel. that of the kernel.
Linux 2.6 has per-cpu GDTs; LDTs are Linux 2.6 has per-cpu GDTs; LDTs are untoucheduntouched
BSDs creates flat per-process LDTsBSDs creates flat per-process LDTs Windows creates flat per-process LDTsWindows creates flat per-process LDTs
PaX – Dangling Pointers PaX – Dangling Pointers (cont.)(cont.)
Thence, whenever userland can make Thence, whenever userland can make the kernel (unexpectedly) dereference the kernel (unexpectedly) dereference a pointer within its range of control, it a pointer within its range of control, it holds ability to controlling the data holds ability to controlling the data (and, possibly, code) flow of the kernel (and, possibly, code) flow of the kernel by virtue of providing the attack by virtue of providing the attack elements in its own address space.elements in its own address space.
Real-life [4]Real-life [4]
PaX – UDEREFPaX – UDEREF
Kernel & UserSegments
4GB
Without UDEREFKernel
Segments
1GB
UserSegments
3GB
With UDEREF
PaX – UDEREF (cont.)PaX – UDEREF (cont.)
Segment selectors are properly setSegment selectors are properly set Few modifications are done Few modifications are done
regarding user/kernel, kernel/kernel regarding user/kernel, kernel/kernel system callssystem calls
FactsFacts
PaXPaX 24/28 bit stack 24/28 bit stack
randomizationrandomization 16 bit mmap 16 bit mmap
randomizationrandomization Completely Completely
implemented in the implemented in the kernel. Can be kernel. Can be implemented implemented transparently and retain transparently and retain binary compatibility binary compatibility with all distributions.with all distributions.
Facts (cont.)Facts (cont.)
PaXPaX Cuts usable address Cuts usable address
space in half (though space in half (though this can be changed if it this can be changed if it becomes a problem)becomes a problem)
Support for non-Support for non-executable and read-executable and read-only kernel pages on only kernel pages on i386i386
PaXPaX Per-system call kernel Per-system call kernel
stack randomizationstack randomization Brk-managed heap Brk-managed heap
randomizationrandomization Ability to enable/disable Ability to enable/disable
all features on a per all features on a per binary basisbinary basis
Annihilates the Annihilates the possibility of exploiting possibility of exploiting kernel dereferencing kernel dereferencing pointer vulnerabilitiespointer vulnerabilities
Facts (cont.)Facts (cont.)
PaXPaX Supports the same user Supports the same user
space features on i386, space features on i386, alpha, ppc, parisc, alpha, ppc, parisc, sparc, sparc64, amd64, sparc, sparc64, amd64, and ia64and ia64
Supports a per-page Supports a per-page implementation of non-implementation of non-executable pages on executable pages on ppcppc
Facts (cont.)Facts (cont.)
PaX – Past ContinuousPaX – Past Continuous
Control Flow VerificationControl Flow Verification Basic blocksBasic blocks
A basic block is a sequence of statements A basic block is a sequence of statements that is always entered at the beginning and that is always entered at the beginning and exited at the end, that is:exited at the end, that is:
The first statement is a LABELThe first statement is a LABEL The last statement is a JUMP or a CJUMPThe last statement is a JUMP or a CJUMP There are no other LABELs, JUMPs, or JUMPsThere are no other LABELs, JUMPs, or JUMPs
APPEL, Andrew W.; APPEL, Andrew W.; Modern Compiler Implementation in ML- Modern Compiler Implementation in ML- 2004. p. 2004. p. 180180
PaX – Past ContinuousPaX – Past Continuous
Control Flow VerificationControl Flow Verification Control Flow Graph (CFG)Control Flow Graph (CFG)
““In computer science, a control flow graph In computer science, a control flow graph (CFG) is a representation, using graph (CFG) is a representation, using graph notation, of all paths that might be traversed notation, of all paths that might be traversed through a program during its execution. through a program during its execution. Each node in the graph represents a basic Each node in the graph represents a basic block, block, (…)”(…)”
WikipediaWikipedia
PaX – Past ContinuousPaX – Past Continuous
Control Flow VerificationControl Flow Verification
PaX – Past ContinuousPaX – Past Continuous
Control Flow VerificationControl Flow Verification Call graphsCall graphs
““A call graph (also known as a call A call graph (also known as a call multigraph) is a directed graph that multigraph) is a directed graph that represents calling relationship among represents calling relationship among subroutines in a computer programsubroutines in a computer program””
WikipediaWikipedia
PaX – Past ContinuousPaX – Past Continuous
Control Flow VerificationControl Flow Verification
PaX – Past ContinuousPaX – Past Continuous
Control Flow VerificationControl Flow Verification Static analysisStatic analysis
Build call graph for program Build call graph for program PP Build set Build set SS of callers of callers Build set Build set Q Q of calleesof callees Build set Build set RR of relationships between of relationships between S S and and QQ, ,
creating creating magicmagic value for each value for each
PaX – Past ContinuousPaX – Past Continuous
Control Flow VerificationControl Flow Verification Code generationCode generation
Create proper prologues for every member Create proper prologues for every member of of SS
Create proper epilogues for every member Create proper epilogues for every member of of QQ
Magic ValuesMagic Values Hard to predict by exhaustive search values Hard to predict by exhaustive search values
kept within safe memory regions, they are kept within safe memory regions, they are verified in run-timeverified in run-time
PaX – Past ContinuousPaX – Past Continuous
Control Flow VerificationControl Flow Verificationcalleecalleeepilogue:epilogue: mov register,[esp]mov register,[esp]
cmp [register+1],MAGICcmp [register+1],MAGICjnz .1jnz .1retnretn
.1: jmp esp.1: jmp esp
caller:caller:call calleecall calleetest eax,MAGICtest eax,MAGIC
PaX – Past ContinuousPaX – Past Continuous
Control Flow Verification: Control Flow Verification: NondeterminismNondeterminism Branch tables: run-time environmentBranch tables: run-time environment OO virtual methods and function OO virtual methods and function
pointerspointers
PaX – Past ContinuousPaX – Past Continuous
Control Flow VerificationControl Flow Verification
GOT entriesGOT entries Made read-only by tweaking the static and the Made read-only by tweaking the static and the
dynamic linkerdynamic linker .ctors/.dtors.ctors/.dtors
Made read-only by modifying the link-editor scriptMade read-only by modifying the link-editor script
PaX – Past ContinuousPaX – Past Continuous
Control Flow VerificationControl Flow Verification
Are of a dynamic natureAre of a dynamic nature atexit() handlersatexit() handlers malloc() callbacksmalloc() callbacks linuxthread callbacks (atfork() handlers)linuxthread callbacks (atfork() handlers)
PaX – Past Continuous PaX – Past Continuous (cont.)(cont.)
Control Flow Verification: ResultsControl Flow Verification: Results Breaks my attack [3] – Breaks my attack [3] – brief brief
explanation? explanation? – and anything that rely on – and anything that rely on the following premissesthe following premisses
execute existing code out of original execute existing code out of original program orderprogram order
execute existing code in original program execute existing code in original program order with arbitrary dataorder with arbitrary data
PaX – Past Continuous PaX – Past Continuous (cont.)(cont.)
Control Flow Verification: ResultsControl Flow Verification: Results Opens a wide range of possibilities for Opens a wide range of possibilities for
improving systemic securityimproving systemic security Call graph trust relationship ensures that (in Call graph trust relationship ensures that (in
most cases) all control flow (including intra-most cases) all control flow (including intra-procedural) can’t be broken with a very low procedural) can’t be broken with a very low performance impactperformance impact
Call graph trust relationship allows data Call graph trust relationship allows data integrity verification (KERNSEAL)integrity verification (KERNSEAL)
PaX – Past ContinuousPaX – Past Continuous
KERNSEALKERNSEAL Liveness AnalysisLiveness Analysis
““We say a variable is We say a variable is livelive if it holds a value if it holds a value that may be needed in the future, so this that may be needed in the future, so this analysis is called analysis is called livenessliveness analysis”analysis”
APPEL, Andrew W.; APPEL, Andrew W.; Modern Compiler Implementation in ML- Modern Compiler Implementation in ML- 2004. p. 2004. p. 211211
PaX – Past ContinuousPaX – Past Continuous
KERNSEALKERNSEAL The set of live variables at line L2 is {b, The set of live variables at line L2 is {b,
c}, but the set of live variables at line L1 c}, but the set of live variables at line L1 is only {b} since variable c is updated in is only {b} since variable c is updated in line 2. The value of variable a is never line 2. The value of variable a is never used, so the variable is never live.used, so the variable is never live.
L1: b := 3;L2: c := 5;L3: a := b + c;goto L1;
PaX – Past ContinuousPaX – Past Continuous
KERNSEALKERNSEAL Liveness Analysis: Dataflow equationsLiveness Analysis: Dataflow equations
““Liveness of variables ‘flows’ around the Liveness of variables ‘flows’ around the edges of the control-flow graph; determining edges of the control-flow graph; determining the live range of each variable is na the live range of each variable is na example of a example of a dataflow dataflow problem”problem”
APPEL, Andrew W.; APPEL, Andrew W.; Modern Compiler Implementation in ML- Modern Compiler Implementation in ML- 2004. p. 2004. p. 213213
PaX – Past ContinuousPaX – Past Continuous
KERNSEALKERNSEAL Liveness Analysis: TerminologyLiveness Analysis: Terminology
Out-edgesOut-edges: nodes leading to successor nodes: nodes leading to successor nodes In-edges: In-edges: nodes coming from predecesor nodes coming from predecesor
nodesnodes
predpred[n], holding the set of predecessors of [n], holding the set of predecessors of node node nn
succsucc[n], holding the set of successors of node [n], holding the set of successors of node nn
PaX – Past ContinuousPaX – Past Continuous
KERNSEALKERNSEAL Liveness Analysis: TerminologyLiveness Analysis: Terminology
UsesUses: the set of variables : the set of variables in usein use at a given at a given nodenode
Defs:Defs: the set of variables the set of variables assigned assigned at a at a given nodegiven node
PaX – Past ContinuousPaX – Past Continuous
KERNSEALKERNSEAL Liveness Analysis: TerminologyLiveness Analysis: Terminology
LivenessLiveness: “: “A variable is A variable is livelive on an edge if there on an edge if there is a directed path from tha edge to a is a directed path from tha edge to a useuse of of the variable that does not go through any the variable that does not go through any defdef. . A variable is A variable is live-inlive-in at a node if it is live on any at a node if it is live on any of the in-edges of that node; it is of the in-edges of that node; it is live-outlive-out at a at a node if it is live on any of the out-edges of the node if it is live on any of the out-edges of the node.”node.”
APPEL, Andrew W.; APPEL, Andrew W.; Modern Compiler Implementation in ML- Modern Compiler Implementation in ML- 2004. p. 2132004. p. 213
PaX – Past ContinuousPaX – Past Continuous
KERNSEALKERNSEAL Liveness Analysis: Liveness Analysis:
The dataflow equations used for a given basic The dataflow equations used for a given basic block s and exiting block block s and exiting block ff in live variable analysis in live variable analysis
WikipediaWikipedia
PaX – Past ContinuousPaX – Past Continuous
KERNSEALKERNSEAL Liveness AnalysisLiveness Analysis
Allows access control of specific code Allows access control of specific code procedures – known procedures – known a priori a priori – towards– towards sensitive data (kernel data)sensitive data (kernel data)
Process structuresProcess structures Object CredentialsObject Credentials Kernel Function PointersKernel Function Pointers And othersAnd others
PaX – Past ContinuousPaX – Past Continuous
KERNSEALKERNSEAL DesignDesign
Unreadablememory pages
Read-onlymemory pages
Read-writememory pages
PaX – Past ContinuousPaX – Past Continuous
KERNSEALKERNSEAL Example: Example: protect user credentials infoprotect user credentials info
Perform liveness analysis for deriving Perform liveness analysis for deriving specific code blocks that may have legit specific code blocks that may have legit read/write access to itread/write access to it
Set memory properties holding the data Set memory properties holding the data structures to read-onlystructures to read-only
Embed (through instrumentation) Embed (through instrumentation) write-key write-key procedure to allowing legit code to access procedure to allowing legit code to access the structurethe structure
PaX – Past ContinuousPaX – Past Continuous
KERNSEALKERNSEAL ResultsResults
Strengthen of Trusted Computing Base Strengthen of Trusted Computing Base (TCB)(TCB)
Defense in Depth: even if compromised, Defense in Depth: even if compromised, kernel operations towards sensitive memory kernel operations towards sensitive memory areas are restricted by natureareas are restricted by nature
Provides strong trust-relationship Provides strong trust-relationship infrastructure to creating several other infrastructure to creating several other protection mechanisms in different layers of protection mechanisms in different layers of the kernel as well as of the user spacethe kernel as well as of the user space
ReferencesReferences
[1] [1] http://pax.grsecurity.net [2] [2] http://www.phrack.org/issues.html?issue=63&id=4 [3] [3]
http://assumpcao.org/content/publications/Breaking_PaX_ASLR.ppt [4] [4]
http://lists.immunitysec.com/pipermail/dailydave/2007-March/004133.html