Index: pax-quickstart.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/pax-quickstart.xml,v
retrieving revision 1.12
diff -u -r1.12 pax-quickstart.xml
--- pax-quickstart.xml 11 Nov 2007 17:08:51 -0000 1.12
+++ pax-quickstart.xml 20 Mar 2009 20:56:28 -0000
@@ -14,6 +14,9 @@
-PaX is a patch to the Linux kernel that provides hardening in two ways.
+PaX is a patch to the Linux kernel that provides hardening in three ways (four on
+x86 32-bit machines).
The first,
The second protection provided by PaX is non-executable memory. This prevents a
common form of attack where executable code is inserted into memory by an
-attacker. More information on PaX can be found throughout this guide, but the
+attacker.
+
+The third, free memory sanitization, erases RAM memory pages when they are freed in
+order to avoid sensible data to stay in memory for a long time.
+
+The fourth, which is only avaiable on 32 bit x86 builds, invalid userland pointer derefrence
+prevention, adds a few checks to the kernel so it doesn't dereference userland (this is non-kernel)
+addreses when it is expected to only dereference kernel addresses.
+
+More information on PaX can be found throughout this guide, but the
homepage can be found at
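Review bot: the added prose in this hunk has several spelling errors and one wrong word that should be fixed before this lands: "avaiable" -> "available", "derefrence" -> "dereference", "addreses" -> "addresses", and "sensible data" should read "sensitive data" (the sentence "in order to avoid sensible data to stay in memory" also reads better as "so that sensitive data does not linger in memory"). "RAM memory pages" is redundant; "memory pages" is enough, and the parenthetical "(this is non-kernel)" would be clearer as "(that is, non-kernel)". Separately, the intro now promises "three ways (four on x86 32-bit machines)", so every feature described later in the document should be one of those four; please check that the rest of the guide does not introduce further PaX features without revising this count.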
+PaX ---> [*] Enable various PaX features -PaX Control -> +PaX Control ---> [ ] Support soft mode [*] Use legacy ELF header marking [*] Use ELF program header marking MAC system integration (none) ---> -Non-executable page -> +Non-executable page ---> [*] Enforce non-executable pages [*] Paging based non-executable pages [*] Segmentation based non-executable pages [*] Emulate trampolines [*] Restrict mprotect() - [ ] Disallow ELF text relocations + [*] Disallow ELF text relocations + [*] Enforce non-executable kernel pages -Address Space Layout Randomization -> +Address Space Layout Randomization ---> [*] Address Space Layout Randomization [*] Randomize kernel stack base [*] Randomize user stack base [*] Randomize mmap() base - [*] Randomize ET_EXEC base +Miscellaneous hardening features ---> + [*] Sanitize all freed memory + [*] Prevent invalid userland pointer dereference + [*] Prevent various kernel object reference counter overflows+
Build this kernel as you normally would and install it to
Luckily there is a utility to toggle protections on a per-executable basis,
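Review bot: the kernel configuration hunk adds "[*] Prevent various kernel object reference counter overflows" under the new "Miscellaneous hardening features" menu, but the introductory text in this same patch describes only sanitization of freed memory and userland pointer dereference prevention as the third and fourth features, so the menu now recommends a protection the prose never explains; either add a sentence describing it or drop it from the recommended configuration. Two further recommended-default changes in this hunk, flipping "Disallow ELF text relocations" from "[ ]" to "[*]" and removing "[*] Randomize ET_EXEC base", are not reflected anywhere in the surrounding text, and the guide's reader should be told why the defaults changed (in particular what happens to binaries with text relocations when that option is enforced). Finally there is a stray trailing "+" at the very end of the hunk that looks like a leftover from editing and should be removed.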