Date: Wed, 16 Sep 1998 11:18:47 +0800
From: David Luyer <luyer@UCS.UWA.EDU.AU>
To: BUGTRAQ@netspace.org
Subject: Re: Dump a mode --x--x--x binary on Linux 2.0.x
The question of whether being able to retrieve an exact copy of a mode 111
binary by a simple LD_PRELOAD is a bug or not has been raised. I think that
it is a bug in that it's something that some programs depend on not being
possible, and yet it is possible. I've only ever installed one program which
installed mode 111 (a restrictively-licensed program distributed as source) but
I expect if I didn't try to keep to the rule of only using programs with
available source I'd have more of them.
I think permitting this _is_ clearly a linker bug. Unreadable binaries should
be protected against preloads and varied library paths when run by someone
who can't read them the same way SUID programs are considered to have access
to privileged data and hence protected.
The fact some programs install mode 111 means that it is expected to protect
the binary.
The fact that you can't core dump or directly read a mode 111 binary means that
there is an expectation of security.
Yet with the trivial little program I posted here as a preload you can
reconstruct the binary. And with a slight variation you can maintain
it as an installed signal handler (install it from getpid() and override
the singal-setting syscall to prevent it being changed and yet to return
the "correct" answers to the program) you *can* core-dump the binary. A
third variation is to override all syscalls with wrapper routines to implement
a poor-man's PTRACE. Basically, there are three things often done to secure
a mode 111 binary at the OS level, and LD_PRELOAD allows (except on statically
linked binaries) to avoid all three of them.
Being able to override the expectations of those programs which are installed
mode 111 _is_ a security problem in that it violates expected semantics and
that when a given Unix variant makes any attempt to enforce these semantics
it should make sure it completely enforces them, instead of giving a false
sense of security. Sound like "security by obscurity" to anyone?
David.
