security of static linking

 
 
Mohsen A. Momeni
      09-14-2007
Hi,
Does it make any difference in security whether we compile a function
as a static lib and link it with a program or just add the function to
the source?
In other words, suppose we have two files, func.c containing a
function which is called in main and main.c containing the main
function. What is the difference between linking func.o with main.o to
make a binary and linking func.lib with main.o to make the binary,
concerning security issues?

Regards,

 
Thad Smith
      09-14-2007
Mohsen A. Momeni wrote:

> Does it make any difference in security whether we compile a function
> as a static lib and link it with a program or just add the function to
> the source?
> In other words, suppose we have two files, func.c containing a
> function which is called in main and main.c containing the main
> function. What is the difference between linking func.o with main.o to
> make a binary and linking func.lib with main.o to make the binary,
> concerning security issues?


This is not a C language issue, per se.

[OT]
The biggest difference, I think, is the certainty of knowing that the
correct version of the specified function is linked. Using a library
means knowing that the version in the library file is the one you
expect. Possible failures are due to

1) modifying the function source and not updating the library
2) modifying the function source, updating the library, then linking
with the wrong version of the library
3) having someone alter the library file behind your back.

Recompiling and directly linking the source eliminates problems 1
and 2. Your source could still be modified behind your back, but that
would be relatively easier to detect on inspection.

Verified digital signatures or secure hash values can be used to help
verify copies of the various files.
[/OT]

--
Thad
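
An added example, not part of Thad's post or the thread: one way to apply the secure-hash check he mentions to a static library, by parsing the `ar` archive and comparing each member's SHA-256 against a pinned manifest before linking. The GNU `ar` layout, the member name `func.o`, the `PINNED` manifest and the sample bytes are assumptions constructed for illustration.

```python
import hashlib

AR_MAGIC = b"!<arch>\n"

def ar_members(blob):
    """Yield (name, data) for each object in a GNU-style ar archive."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, longnames = len(AR_MAGIC), b""
    while pos < len(blob):
        hdr = blob[pos:pos + 60]
        if len(hdr) < 60 or hdr[58:60] != b"`\n":
            raise ValueError(f"corrupt member header at offset {pos}")
        name, size = hdr[:16].rstrip(b" "), int(hdr[48:58])
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError(f"truncated member at offset {pos}")
        pos += 60 + size + (size & 1)       # members start on even offsets
        if name == b"//":                   # GNU long-name table
            longnames = data
        elif name in (b"/", b"/SYM64/"):    # symbol index, not an object
            continue
        elif name.startswith(b"/"):         # "/N": offset into long-name table
            off = int(name[1:])
            yield longnames[off:longnames.index(b"/\n", off)].decode(), data
        else:
            yield name.rstrip(b"/").decode(), data

def verify_archive(blob, pinned):
    """Return a list of problems; an empty list means every member matches."""
    problems, seen = [], set()
    for name, data in ar_members(blob):
        seen.add(name)
        if name not in pinned:
            problems.append(f"unexpected member {name}")
        elif hashlib.sha256(data).hexdigest() != pinned[name]:
            problems.append(f"hash mismatch for {name}")
    return problems + [f"missing member {n}" for n in sorted(set(pinned) - seen)]

def make_member(field, data):
    """Build one archive member; used only for the constructed samples below."""
    hdr = f"{field:<16}{0:<12}{0:<6}{0:<6}{'644':<8}{len(data):<10}`\n"
    return hdr.encode() + data + (b"\n" if len(data) & 1 else b"")

# Constructed sample data: placeholder bytes, not real object code.
GOOD_OBJ = b"constructed func.o bytes"
PINNED = {"func.o": hashlib.sha256(GOOD_OBJ).hexdigest()}   # hypothetical manifest
ARCHIVE = AR_MAGIC + make_member("func.o/", GOOD_OBJ)
TAMPERED = AR_MAGIC + make_member("func.o/", GOOD_OBJ + b"!")
```

The check is only as trustworthy as the manifest, so the pinned hashes have to be stored or signed separately from the library they describe.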
 
Tor Rustad
      09-14-2007
Mohsen A. Momeni wrote:
> Hi,
> Does it make any difference in security whether we compile a function
> as a static lib and link it with a program or just add the function to
> the source?


It depends.

> In other words, suppose we have two files, func.c containing a
> function which is called in main and main.c containing the main
> function. What is the difference between linking func.o with main.o to
> make a binary and linking func.lib with main.o to make the binary,
> concerning security issues?


In a high-security environment, we MAC or digitally sign the module
beforehand. Hence, only modules which have been certified can be
dynamically loaded. So, if I write new firmware for a cryptographic
black box, I need to send the code away for audit, compiling and
signing, else the boot software (of the black box) will refuse to
load the firmware.

In a low-security environment... well, who cares? A trick I have used to
reverse-engineer modules is to write a spy module which has the same
interface and name as the genuine library, and if I place the spy module
in the current dir, it will load before the genuine library... if that
is searched before the other paths.

Hence, such a spy module can intercept and log every call made, and
change the calls on the fly...


--
Tor <torust [at] online [dot] no>