-Bsymbolic changes the order in which symbols are looked up so that it
takes the one from the local library, and not the first one
... meaning that -Bsymbolic *ensures* that cryptographically significant
control flow is contained within the library. Symbol versioning allows
one to avoid conflicts, but it does not *ensure* that internal symbols can't
be overridden and that control flow doesn't leave the library
boundaries, not in an uncontrollable manner. In other words, that's the way
we like it. Even if we used symbol versioning (well, probably we should
and will at some point), we would still use -Bsymbolic.
I believe that -Bsymbolic only gives you a false sense of security and only
makes it a little harder to replace some functions, but not that much.
Consider the following snippet:

    void foo(){}
    void bar(){foo();}

Compile it with gcc -fPIC a.c -shared and disassemble the output. What does
the call to foo look like?

    call <[EMAIL PROTECTED]>
    ...
    <[EMAIL PROTECTED]>:
    jmp *???(%ebx)

Now compile it with gcc -fPIC a.c -shared -Wl,-Bsymbolic and disassemble
again. What does the call to foo look like now?

    call <foo>

Examine the relocations and note that there are none attributed to the .text
segment, not to mention the very address of the above call instruction.
-Bsymbolic resolved and "wired" this intra-library reference already at
link time! In other words, once you enter the module through bar, no
manipulation of the symbol table at run-time will trick bar into calling
anything other than foo in the same module.
-Bsymbolic has some side effects. One of them is that the dynamic linker
needs to create a special symbol table for such libraries and makes
symbol lookup slower.
While not having -Bsymbolic effectively makes all calls indirect, which
negatively affects run-time performance...
- There are only a few function calls that are direct, most of the
library is PIC and uses indirect calls.
-Bsymbolic "rewires" as many indirect calls as possible at link time to
direct ones.

A.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]