Intrusion Prevention and Active Response: Deploying Network and Host IPS

Grsecurity (www.grsecurity.net) is a Linux security project that uses a multi-layered detection, prevention, and containment model. It uses a Role-Based Access Control (RBAC) system that can generate least privilege policies for the entire system. It also provides the following additional features:
Change root (chroot) hardening
/tmp race prevention
Full-featured fine-grained auditing
Address space modification protection provided by the PaX project
Additional randomness in the TCP/IP stack and process IDs
All alerts and audits can record the attacker's IP address in the log entry
Restricted viewing of processes
Integrated local attack response on all alerts
PaX is a separate project that is included in Grsecurity as part of its security strategy. The PaX project researches various defenses against the exploitation of software bugs that give the attacker arbitrary read/write access to the target's address space (e.g., buffer overflows and user-supplied format string bugs). PaX does not focus on finding and fixing the bugs, but rather on the prevention and containment of exploit techniques. Exploit techniques can affect the target at three different levels:
Introduce or execute arbitrary code
Execute existing code out of original program order
Execute existing code in original program order with arbitrary data
PaX is a patch for the Linux kernel that implements least-privilege protections for memory. It flags data memory as non-executable and program memory as non-writable, and randomly arranges the program memory (subject to operating system constraints). Prevention is implemented through PaX and hardening certain...
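
One way to check the memory rule described above (data non-executable, code non-writable) on a running Linux system, as an added example that is not from the original text: it parses a /proc/<pid>/maps listing and reports any mapping that is writable and executable at the same time. The sample listing, the function names and the paths in it are constructed for illustration.

```python
# Added example: audit a /proc/<pid>/maps listing for mappings that break the
# "data is non-executable, code is non-writable" rule described above.
import re

# Constructed sample in /proc/<pid>/maps format (addresses and paths are made up).
SAMPLE_MAPS = """\
00400000-0040c000 r-xp 00000000 08:01 131090 /usr/bin/demo
0060b000-0060c000 rw-p 0000b000 08:01 131090 /usr/bin/demo
01a3e000-01a5f000 rwxp 00000000 00:00 0 [heap]
7f2c4a000000-7f2c4a021000 rw-p 00000000 00:00 0
7f2c4b1d0000-7f2c4b38e000 r-xp 00000000 08:01 262200 /lib/libc-demo.so
7ffd3c1e0000-7ffd3c201000 rwxp 00000000 00:00 0 [stack]
"""

# Fields: start-end, permissions, offset, device, inode, optional pathname.
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([r-][w-][x-][ps])\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$"
)

def parse_maps(text):
    """Yield (start, end, perms, name) for each well-formed maps line."""
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than guessing
        start, end, perms, name = m.groups()
        yield int(start, 16), int(end, 16), perms, name.strip() or "[anon]"

def find_wx_mappings(text):
    """Return mappings that are writable and executable at the same time."""
    return [
        {"start": s, "size": e - s, "perms": p, "name": n}
        for s, e, p, n in parse_maps(text)
        if "w" in p and "x" in p
    ]

def audit(text):
    """Summarise W+X findings; an empty list means the rule holds."""
    return [f'{f["name"]} {f["perms"]} {f["size"]} bytes at {f["start"]:#x}'
            for f in find_wx_mappings(text)]

if __name__ == "__main__":
    import sys
    # With a path argument (e.g. /proc/1234/maps) audit that file, else the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAPS
    for finding in audit(data):
        print("W+X:", finding)
```

A process whose memory layout follows the rule produces no findings; in the constructed sample the heap and stack are reported because both carry `rwx` permissions.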