Gentoo Wiki


This article is part of the Security series.

PaX is a kernel-level memory protection system for Linux. It is deployed in Gentoo by the Hardened Gentoo subproject, and is not enabled by default. GrSecurity, a security patch based around PaX, is also supported.



PaX can create and enforce a separation between writable and executable memory. The separation goes as far as ensuring that memory which has been writable is never made executable; the only exception is the kernel itself, when it loads an executable segment into memory. In practice this means that the executable segments are exclusively the .text segment of the binary load image on disk, plus any memory associated with a disk-backed mmap() segment created with PROT_EXEC. No memory is created with PROT_EXEC|PROT_WRITE, and no memory without PROT_EXEC may be given PROT_EXEC via mprotect().
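The two transitions described above (an RWX mapping, and an RW mapping later flipped to executable) can be checked from user space. The following probe is an added example, not code from the article or from the PaX project; it uses only the standard Linux mmap()/mprotect() calls, never writes to or executes from the probed pages, and on a kernel with PaX MPROTECT enforced both probes report "refused".

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Outcome of one kernel probe. */
enum probe { PROBE_REFUSED = 0, PROBE_ALLOWED = 1, PROBE_ERROR = -1 };

/* Control: a plain read/write anonymous mapping must always succeed. */
int probe_rw_mmap(void) {
    long sz = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, sz, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return PROBE_ERROR;
    munmap(p, sz);
    return PROBE_ALLOWED;
}

/* Probe 1: does the kernel hand out memory that is writable AND executable?
 * With PaX MPROTECT the mmap() call itself fails. */
int probe_rwx_mmap(void) {
    long sz = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, sz, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return PROBE_REFUSED;
    munmap(p, sz);
    return PROBE_ALLOWED;
}

/* Probe 2: can a mapping created without PROT_EXEC be given PROT_EXEC later?
 * Only the permission transition is tested; the page is never touched.
 * With PaX MPROTECT the mprotect() call fails. */
int probe_w_to_x_mprotect(void) {
    long sz = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, sz, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return PROBE_ERROR;
    int rc = mprotect(p, sz, PROT_READ | PROT_EXEC);
    munmap(p, sz);
    return rc == 0 ? PROBE_ALLOWED : PROBE_REFUSED;
}

/* 1 when both transitions the article describes are blocked, 0 otherwise. */
int wx_separation_enforced(void) {
    return probe_rwx_mmap() == PROBE_REFUSED && probe_w_to_x_mprotect() == PROBE_REFUSED;
}

int main(void) {
    printf("RWX mmap():          %s\n", probe_rwx_mmap() == PROBE_ALLOWED ? "allowed" : "refused");
    printf("RW -> RX mprotect(): %s\n", probe_w_to_x_mprotect() == PROBE_ALLOWED ? "allowed" : "refused");
    printf("W^X enforced:        %s\n", wx_separation_enforced() ? "yes" : "no");
    return 0;
}
```

On a stock kernel without PaX both probes report "allowed"; a refusal from either call is what a hardened kernel looks like from the process's point of view, so run the probe on the system you are auditing rather than inferring the result from the kernel name.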

PaX also randomly arranges the memory space. By using PIE binaries, this randomization can be extended to program load modules. The randomization thus applies to the stack, heap, and any mmap() segments, and causes the base of everything in memory to be randomly offset. The locations of particular data can no longer be intuited from the executable files on disk; symbols must be located in the Global Offset Table. Because the GOT offset is typically derived from a value stored in a register, it would require the injection of foreign code to locate it.

Because of the separation of data (writable) and program (executable) memory, program code cannot be injected from a foreign source. This closes off many security exploits before they are even created. This also prevents attackers from discovering the location of the GOT, which forces any attempt to execute pre-existing program code to be left up to guesses and probability.

PaX is fully documented.


PaX must be compiled into the kernel to be used. The hardened-sources kernel is patched with GrSecurity, which supplies PaX. See the Kernel Configuration Instructions.





Last modified: Fri, 24 Nov 2006 07:41:00 +0000