Re: Security and PAX

[rhino64%epost.ch@localhost]

On Sat, Jun 06, 2015 at 02:35:32PM +0000, Christos Zoulas wrote:
> In article <20150606142015.GA61273%nordend.local.sourire.ch@localhost>,
>  <rhino64%epost.ch@localhost> wrote:
> >Hi,
> >  I am quite new to netbsd and I am curious about 
> >the security mechanisms available.
> >
> >In the security page "http://www.netbsd.org/support/security/";,
> >I can see that the PaX module is used in the kernel
> >but without any other information.
> >
> >What should be done in order to use (and perhaps configure)
> >that feature?
> >
> >Sould the executables being compiled with the "-fpie" option?
> >
> >Any comment would be greatly appreciated?
> 
> $ man 7 sysctl look for pax
> $ man paxctl
> 
> To use ASLR effectively you need to build with MKPIE...
> 
> christos
Hi,

Thanks a lot for the info and links (which were very useful).

I have set USE_SSP=yes, USE_FORT=yes, MKPIE=yes in the file
/usr/pkg/etc/mk.conf but without any sign of something
being changed during the compilation.

Finally I have added "-fpie" and "-fstack-protector-all" to the CFLAGS
and it seems to have worked.

Where should the variable MKPIE be set (in the kernel/world config file)?

How is it possible to check if a program is running with ASLR? I suppose
that, by looking at the address space of the program,
it is possible to see  that the base address should change at each execution. 

Is that possible and how to do it?

Thanks for your help.

kind regards,

rhino64