Subject: Re: RelCache (aka ELF prebinding) news
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: David Laight <david@l8s.co.uk>
List: tech-kern
Date: 12/04/2002 00:41:39
On Wed, Dec 04, 2002 at 12:52:22AM +0100, der Mouse wrote:
> > The sole purpose of this identifier is to ensure that ld.so does not
> > mistake one legitimate .so file for another. Deliberate attempts to
> > generate hash collisions are beyond the scope; this is not a security
> > function, we simply want reasonable assurance that the prebinder will
> > not hand you the symbols for the wrong shared object file because
> > they happened to have the same unique identifier computed from their
> > contents and stamped into them.
>
> I must be missing something. How is it not a security problem if you
> get the symbols that go with a .so file of the attacker's choice rather
> than the ones that go with the .so you wanted to use? At the very
> least, it sounds like a trivial DoS to me, and probably worse
> (consider, for example, arranging to have strncpy resolve to strcpy's
> code)....
Deliberate collisions are MUCH easier to generate that random
collisions are likely - ie is you are creating both items.
ISTM that you could make the 'prebind' information an exectuable
(in its own right) - giving it the name of the program.
Also if you aren't going to check the hash, an errant party
could easily generate a file with the wrong value...
(is this worse that someone with root access putting in
an errant shared library?)
David
--
David Laight: david@l8s.co.uk