Subject: Re: static linking for NetBSD
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-security
Date: 09/15/2003 22:30:37
-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "der" == der Mouse <mouse@Rodents.Montreal.QC.CA> writes:
    >> The _benefit_ of static binaries is that the processes run from them
    >> _cannot_ dynamically load new code.

    der> If you believe that you are deluding yourself.  At most, they cannot
    der> dynamically load new code using the OS's dynamic-linker facilities,
    der> and I'm not entirely sure of even that.

  Of course, any program can open(2) a file, read it in, and perhaps even
cause it to execute. We could prevent that by making data segments
non-executable, but this would likely bite in many places.
  Still, it would be a nice "capability" to have.

    der> There is a security benefit accruing to static linking related to
    der> dynamic loading, but this isn't it.  I've had a few stabs at stating
    der> what it is, but haven't found any short way of putting it - anyone?

  I'll tell you why I don't like dynamic linking, particularly for critical
system components: file and system management.

  Do you know how many times I've had to rescue RedHat systems when the
(DUE TO SECURITY VULNERABILITY!) to the shared libraries left the system
in a state where the PAM (YES!) was broken and nobody could login? Or worse,
you can even type "ln" because /lib/ld-linux.so.2 is incompatible with
/lib/glibc-X.Y.Z?
  Linux is rapidly approaching Windows-Style DLL bit-rot.

  I find it much easier to do:
       % /sbin/md5sum /sbin/login 

  and compare that value to a known to be good (non-trojan'ed) /sbin/login,
knowing that since it doesn't load anything, it can't be trojan'ed by libc
or ld screwing. I just find static linked binaries easier to cope with,
easier to upgrade, and easier to verify.
 
  The situation is 1000x worse if you consider things like GNOME and KDE.
Remember that according to the gospel of the friendly desktop, I'm supposed
to trust a lot of these programs running as root! (This is not a rant
against NetBSD, clearly we don't believe that. But those who know I've been
doing Linux work for the past two years, might wonder why all my critical
infrastructure is still running NetBSD)

  Maybe, as some have said, this is my delusion - maybe Solaris 9 gets it
done so correctly that I'd just rave when I saw it - but RedHat sure doesn't.
Debian seems to do better - but only because they understand that making
me upgrade things to get security patches doesn't fly.

]      Out and about in Ottawa.    hmmm... beer.                |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian/notebook using, kernel hacking, security guy");  [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys - custom hacks make this fully PGP2 compat

iQCVAwUBP2Z1zIqHRg3pndX9AQEpCwQAhKI3PnTutW9j4hh6Z0JbY2QwUv1CRrgq
638MnlnRG/mePlYdYLJvDyWIHVzcQs/Brd2wLP7LiMyNCyBCVE+7K/rDyYi2XmFl
GTDH/Y9zkMaq1gR28aY12mJIQirvzdwxBVVWNOujXwf1LNUbhhJyP1nFNFzOQcVX
ZAIo1u918zM=
=xjv8
-----END PGP SIGNATURE-----
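As an added example, not part of this thread and not NetBSD or Debian tooling: a small Python script that does the check Michael describes (hash a binary and compare it with a known-good value) and, for each binary whose hash matches, inspects the ELF program headers for PT_INTERP and PT_DYNAMIC entries to report whether the file actually carries no dynamic-linker dependency. A matching hash on a static binary covers the whole program; a matching hash on a dynamic one still leaves libc and ld.so unverified, which is the point of the post. The script uses SHA-256 in place of md5sum, handles only 64-bit little-endian ELF, and runs entirely on constructed in-memory ELF images and a constructed manifest; paths such as /sbin/login are illustrative assumptions.

```python
"""Check binaries against a known-good hash manifest and flag dynamic-linker dependencies."""
import hashlib
import os
import struct
import tempfile

# ELF program header types we care about (values from the ELF specification)
PT_LOAD = 1
PT_DYNAMIC = 2
PT_INTERP = 3


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def elf_program_header_types(path):
    """Return the p_type of every program header in a 64-bit little-endian ELF file."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    # ELF64 header layout: e_phoff at byte 32 (u64), e_phentsize at 54 (u16), e_phnum at 56 (u16)
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    return [struct.unpack_from("<I", data, e_phoff + i * e_phentsize)[0] for i in range(e_phnum)]


def is_statically_linked(path):
    """A binary with no PT_INTERP (program interpreter) and no PT_DYNAMIC segment needs no ld.so."""
    types = elf_program_header_types(path)
    return PT_INTERP not in types and PT_DYNAMIC not in types


def parse_manifest(text):
    """Parse 'sha256hex  /path' lines, the format sha256sum emits, into {path: digest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, path = line.split(None, 1)
        entries[path] = digest.lower()
    return entries


def verify(manifest, root):
    """Return {path: 'ok' | 'mismatch' | 'missing' | 'dynamic'} for every manifest entry under root."""
    results = {}
    for rel, expected in manifest.items():
        full = os.path.join(root, rel.lstrip("/"))
        if not os.path.exists(full):
            results[rel] = "missing"
            continue
        if sha256_file(full) != expected:
            results[rel] = "mismatch"
            continue
        try:
            static = is_statically_linked(full)
        except ValueError:
            static = False  # not an ELF we can reason about; treat as unverified
        results[rel] = "ok" if static else "dynamic"
    return results


def build_fake_elf(phdr_types):
    """Constructed sample: a minimal ELF64 image with the given program header types (not a real binary)."""
    phentsize, phoff = 56, 64
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS64, little-endian, version 1
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x401000, phoff, 0, 0,
                              64, phentsize, len(phdr_types), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 5, 0, 0, 0, 0, 0, 0) for t in phdr_types)
    return hdr + phdrs


def demo():
    """Constructed scenario: one static binary, one dynamic binary, one binary tampered after recording."""
    root = tempfile.mkdtemp()
    static_img = build_fake_elf([PT_LOAD])
    dynamic_img = build_fake_elf([PT_INTERP, PT_LOAD, PT_DYNAMIC])
    files = {"sbin/login": static_img, "bin/ls": dynamic_img, "sbin/init": static_img}
    for rel, blob in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(blob)
    # Record the manifest while the files are known good, as sha256sum would print it
    manifest_text = "\n".join(f"{hashlib.sha256(b).hexdigest()}  /{rel}" for rel, b in files.items())
    # Simulate a later modification of /sbin/init
    with open(os.path.join(root, "sbin/init"), "ab") as f:
        f.write(b"\x90")
    return verify(parse_manifest(manifest_text), root)


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:9} {path}")
```

On a real system the manifest would be produced with `sha256sum` on a trusted copy and stored off-box; the ELF check then tells you which "ok" results actually stand on their own and which still depend on the integrity of ld.so and the shared libraries.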