On Tue, Jan 19, 2010 at 4:18 AM, Olaf Selke <[email protected]> wrote:
> Nn6eumtr wrote:
>> Binaries are statically linked so that someone can't substitute a
>> replacement library. Otherwise you can replace the library or set
>> LD_PRELOAD to implement a variety of attacks.
>
> can you give an example what's wrong with
> LD_PRELOAD="/foo/bar/libssl.so /foo/bar/libcrypto.so"
> in /etc/init.d/tor?
>
> That's how I enable special openssl versions on Debian.
The failure mode is if you somehow wind up in a position where an adversary is in control of your environment; they could set LD_PRELOAD or LD_PATH to whatever they wanted.

Personally, I'm not convinced that this is a reason not to dynamically link. Most attacks that would give somebody write access to your environment would let them subvert your system in ways that don't require dynamic linking. (That is, if the attacker can run arbitrary shell commands, put stuff in your ~/.profile, or mess with your shell process's memory, then they're in a great position whether your binaries are static or not.)

I'm not alone in thinking this: there are some pretty paranoid applications out there (gnupg and openssh for example) that are happy to use the dynamic linker.

yrs,
--
Nick

***********************************************************************
To unsubscribe, send an e-mail to [email protected] with
unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
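The practical check that follows from the exchange above, as an added example that is not part of the thread and not Tor's or Debian's code: the LD_PRELOAD setting Olaf describes in /etc/init.d/tor is only as trustworthy as the files it names, so the audit below verifies that every preloaded library is an absolute path, a regular file owned by the expected uid (root by default), and that neither the file nor its directory is group- or world-writable. It assumes GNU coreutils `stat` (Linux); the function names and the /foo/bar paths are illustrative.

```shell
#!/bin/sh
# Added example, not from the or-talk thread: audit an LD_PRELOAD value such as
#   LD_PRELOAD="/foo/bar/libssl.so /foo/bar/libcrypto.so"
# The dynamic linker is not the weak point; a writable library or directory is.
# Assumes GNU `stat -c` (Linux). Usage:
#   sh audit_preload.sh --check "$LD_PRELOAD" [expected_uid]

# check_preload_path FILE [EXPECTED_UID]
# Returns 0 when FILE is absolute, a regular file owned by EXPECTED_UID
# (default 0), and neither FILE nor its directory is group/world writable.
check_preload_path() {
    f=$1
    want_uid=${2:-0}
    case "$f" in
        /*) ;;
        *)  echo "refusing relative path: $f" >&2; return 1 ;;
    esac
    [ -f "$f" ] || { echo "missing or not a regular file: $f" >&2; return 1; }
    for p in "$f" "$(dirname "$f")"; do
        uid=$(stat -c '%u' "$p") || return 1
        [ "$uid" = "$want_uid" ] || {
            echo "unexpected owner uid $uid on $p" >&2; return 1
        }
        # %A prints e.g. -rw-r--r--: column 6 is group write, column 9 is
        # other write. Either bit means an attacker could swap the object.
        perm=$(stat -c '%A' "$p") || return 1
        case "$perm" in
            ?????w*|????????w*)
                echo "group/world writable ($perm) on $p" >&2; return 1 ;;
        esac
    done
    return 0
}

# audit_ld_preload "LIST" [EXPECTED_UID]
# LIST uses the loader's separators (spaces and/or colons). Checks every entry
# and returns 0 only if all of them pass.
audit_ld_preload() {
    list=$1
    want_uid=${2:-0}
    rc=0
    old_ifs=$IFS
    IFS=': '
    set -- $list
    IFS=$old_ifs
    for lib in "$@"; do
        check_preload_path "$lib" "$want_uid" || rc=1
    done
    return $rc
}

# Command-line entry point; does nothing when sourced or run without --check.
if [ "${1:-}" = "--check" ]; then
    audit_ld_preload "${2:-}" "${3:-0}"
fi
```

On a Debian box this would be run as `sh audit_preload.sh --check "/foo/bar/libssl.so /foo/bar/libcrypto.so"` before trusting the init script; a non-zero exit names the offending file on stderr. Note that the check is about the files, not the mechanism: a root-owned, non-writable libssl.so in a root-owned directory is no easier to substitute than the system copy the dynamic linker would otherwise load.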

