
Shared library randomization
Needs ReviewPublic

Authored by wma on Feb 23 2021, 11:02 AM.
Referenced Files
F108306668: D28883.diff

Details

Summary
Shared library randomization

Add support for shared library loading order randomization.

Base work was done in HardenedBSD
https://github.com/HardenedBSD/hardenedBSD/commit/6fc06960ae5d374278dddc301aede21a7919b600

This implementation takes care of library ordering.
Sometimes, libs must be loaded in an exact order, because one
might shadow symbols from another (for example libregexp shadows
regex- functions from libc). If this order changes, the application
will most likely not work.
Here, prior to randomization, needed libraries are analyzed for symbol
shadowing. If such a situation is detected, these libraries are
marked as "critical" and the loading order between them won't change.

As the shuffle algorithm, the Fisher-Yates shuffle is used to achieve
an equal distribution.
https://en.wikipedia.org/wiki/Fisher%E2%80%93Yates_shuffle

By default the option is disabled. To enable it, one must use the
WITH_SHLIBRANDOM flag in src.conf.
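The two steps the summary describes (detect symbol shadowing between the needed libraries, mark those libraries "critical", then Fisher-Yates shuffle the load order while keeping the critical libraries in their original relative order) are modelled below in a small stand-alone C program. This is an added example, not code from this revision, from HardenedBSD or from FreeBSD's rtld: the library names and symbol tables are constructed sample data, the shadowing check is a plain name comparison rather than an ELF symbol-table walk, and a seeded xorshift32 stands in for whatever random source rtld uses, so that the output is reproducible.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data: a library name and a few of its exported symbols. */
#define MAXSYMS 4

struct lib {
	const char *name;
	const char *syms[MAXSYMS];
	int critical; /* set when this lib shares a symbol name with another */
};

static struct lib sample_libs[] = {
	{ "libc.so.7",     { "regcomp", "regexec", "malloc", "printf" }, 0 },
	{ "libregex.so.1", { "regcomp", "regexec", NULL, NULL },         0 },
	{ "libz.so.6",     { "deflate", "inflate", NULL, NULL },         0 },
	{ "libm.so.5",     { "sin", "cos", NULL, NULL },                 0 },
	{ "libssl.so.111", { "SSL_new", "SSL_free", NULL, NULL },        0 },
};
#define NLIBS ((int)(sizeof(sample_libs) / sizeof(sample_libs[0])))

/* Does any symbol name appear in both libraries (i.e. one shadows the other)? */
int shares_symbol(const struct lib *a, const struct lib *b)
{
	for (int i = 0; i < MAXSYMS && a->syms[i] != NULL; i++)
		for (int j = 0; j < MAXSYMS && b->syms[j] != NULL; j++)
			if (strcmp(a->syms[i], b->syms[j]) == 0)
				return 1;
	return 0;
}

/* Mark every library that shadows, or is shadowed by, another one. Returns the count. */
int mark_critical(struct lib *libs, int n)
{
	int count = 0;
	for (int i = 0; i < n; i++)
		libs[i].critical = 0;
	for (int i = 0; i < n; i++)
		for (int j = i + 1; j < n; j++)
			if (shares_symbol(&libs[i], &libs[j]))
				libs[i].critical = libs[j].critical = 1;
	for (int i = 0; i < n; i++)
		count += libs[i].critical;
	return count;
}

/* Deterministic xorshift32 for reproducibility; a loader would use a CSPRNG. */
static uint32_t xorshift32(uint32_t *s)
{
	uint32_t x = *s;
	x ^= x << 13; x ^= x >> 17; x ^= x << 5;
	return *s = x;
}

/*
 * Fisher-Yates shuffle of the load order, then re-place the critical
 * libraries into the slots they landed in, in their original relative order.
 * Since Fisher-Yates is uniform over all n! permutations, the result is
 * uniform over the permutations that keep the critical libraries' order.
 */
void shuffle_preserving_critical(struct lib *libs, int n, struct lib **order, uint32_t seed)
{
	if (seed == 0) seed = 1; /* xorshift state must be non-zero */
	for (int i = 0; i < n; i++)
		order[i] = &libs[i];
	for (int i = n - 1; i > 0; i--) {
		int j = (int)(xorshift32(&seed) % (uint32_t)(i + 1));
		struct lib *tmp = order[i]; order[i] = order[j]; order[j] = tmp;
	}
	int next = 0; /* next critical lib, in original order */
	for (int i = 0; i < n; i++) {
		if (!order[i]->critical)
			continue;
		while (!libs[next].critical)
			next++;
		order[i] = &libs[next++];
	}
}

/* Check: critical libs appear in the shuffled order exactly as in the original array. */
int critical_order_preserved(struct lib *const *order, int n)
{
	const struct lib *last = NULL;
	for (int i = 0; i < n; i++) {
		if (!order[i]->critical)
			continue;
		if (last != NULL && order[i] <= last) /* same array, so pointer order == index order */
			return 0;
		last = order[i];
	}
	return 1;
}

/* Check: every library appears exactly once in the shuffled order. */
int is_permutation(struct lib *const *order, const struct lib *libs, int n)
{
	int seen[64] = { 0 };
	if (n > 64)
		return 0;
	for (int i = 0; i < n; i++) {
		int idx = (int)(order[i] - libs);
		if (idx < 0 || idx >= n || seen[idx])
			return 0;
		seen[idx] = 1;
	}
	return 1;
}

int main(void)
{
	struct lib *order[NLIBS];
	printf("%d critical libraries\n", mark_critical(sample_libs, NLIBS));
	shuffle_preserving_critical(sample_libs, NLIBS, order, 12345);
	for (int i = 0; i < NLIBS; i++)
		printf("%d: %s%s\n", i, order[i]->name, order[i]->critical ? " (critical)" : "");
	return 0;
}
```

In the sample data only libc and libregex share names (regcomp/regexec), so they are the two critical libraries and libc always precedes libregex in every shuffled order, while libz, libm and libssl move freely. Note that the re-placement step is what keeps the distribution uniform: shuffling only the non-critical slots would also preserve the order, but would pin the critical libraries to fixed positions.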

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

wma requested review of this revision. Feb 23 2021, 11:02 AM

That's a very good point, unfortunately I don't have a clear answer.
I'm aware of the problem with grep and this patch definitely does not resolve it.

Moreover, it's not only a grep issue. In all of /lib and /usr/lib there are about 30k+ symbols with the same name in different so's. Most of them are just duplicates of various versions of the same lib (like ncurses* stuff and similar), but some libraries are re-implementing procedures from libc, which is the case with grep/libregex.

The idea here is to provide randomization for secured embedded environments where we can and want to precisely control which applications are running. It's definitely not for the typical user who values having a unix-like experience.

There are products which are running just fine with this randomization and that's why I think it's worth integrating it and leaving it as an option.

For future improvements, I am considering one of the following:

  1. Have a list of application/libraries for which there shall not be any randomization at all
  2. Analyze symbols during pre-load phase and provide "before/after" dependencies
  3. Always keep libc, libssl* etc. at the end of the list

#1 will increase executable startup time
#2 and #3 might impact the uniformity of the probabilistic distribution of the F-Y shuffle

wma edited the summary of this revision. (Show Details)