tech-userlevel: re: RelCache (aka ELF prebinding) news

Subject: re: RelCache (aka ELF prebinding) news
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: matthew green <mrg@eterna.com.au>
List: tech-userlevel
Date: 12/04/2002 12:43:39
 > The sole purpose of this identifier is to ensure that ld.so does not
 > mistake one legitimate .so file for another. Deliberate attempts to
 > generate hash collisions are beyond the scope; this is not a security
 > function, we simply want reasonable assurance that the prebinder will
 > not hand you the symbols for the wrong shared object file because
 > they happened to have the same unique identifier computed from their
 > contents and stamped into them.
 
 I must be missing something. How is it not a security problem if you
 get the symbols that go with a .so file of the attacker's choice rather
 than the ones that go with the .so you wanted to use? At the very
 least, it sounds like a trivial DoS to me, and probably worse
 (consider, for example, arranging to have strncpy resolve to strcpy's
 code)....
maybe i'm missing something... how does one actually perform this attack?
.mrg.
