security of static linking

Discussion in 'C Programming' started by Mohsen A. Momeni, Sep 14, 2007.

  1. Hi,
    Does it make any difference in security, whether to compile a function
    as a static lib and link it with a program or just add the function to
    the source?
    In other words, suppose we have two files, func.c containing a
    function which is called in main and main.c containing the main
    function. What is the difference when we link func.o with main.o to
    make a binary, with linking func.lib with main.o to make the binary,
    concerning security issues?

    Regards,
    Mohsen A. Momeni, Sep 14, 2007
    #1

  2. Thad Smith Guest

    Mohsen A. Momeni wrote:

    > Does it make any difference in security, whether to compile a function
    > as a static lib and link it with a program or just add the function to
    > the source?
    > In other words, suppose we have two files, func.c containing a
    > function which is called in main and main.c containing the main
    > function. What is the difference when we link func.o with main.o to
    > make a binary, with linking func.lib with main.o to make the binary,
    > concerning security issues?


    This is not a C language issue, per se.

    [OT]
    The biggest difference, I think, is the certainty of knowing that the
    correct version of the specified function is linked. Using a library
    means knowing that the version in the library file is the one you
    expect. Possible failures are due to

    1) modifying the function source and not updating the library
    2) modifying the function source, updating the library, then linking
    with the wrong version of the library
    3) having someone alter the library file behind your back.

    Recompiling and directly linking the source eliminates problems 1
    and 2. Your source could still be modified behind your back, but that
    would be relatively easier to detect on inspection.

    Verified digital signatures or secure hash values can be used to help
    verify copies of the various files.
    [/OT]

    --
    Thad
    Thad Smith, Sep 14, 2007
    #2
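
The secure-hash check Thad Smith mentions, written as a build step that refuses to link unless every input matches a pinned SHA-256. This is an added example, not code from any post in this thread; the manifest name `pinned.sha256`, its `sha256sum`-style layout, and the function names are assumptions, and paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example: fail closed unless every link input matches a pinned SHA-256.
# Manifest format (assumed): "<hex digest>  <path>" per line, as sha256sum prints.

# Print the SHA-256 hex digest of a file using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_inputs MANIFEST FILE...
# Returns 0 only if every FILE is listed in MANIFEST with a matching digest.
# An unlisted, missing or altered file is a failure, so a stale or swapped
# library stops the build instead of being linked silently.
verify_inputs() {
    manifest=$1; shift
    [ -r "$manifest" ] || { echo "no manifest: $manifest" >&2; return 2; }
    for f in "$@"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
        want=$(awk -v p="$f" '$2 == p {print $1; exit}' "$manifest")
        [ -n "$want" ] || { echo "not pinned: $f" >&2; return 1; }
        got=$(sha256_of "$f")
        [ "$got" = "$want" ] || { echo "digest mismatch: $f" >&2; return 1; }
    done
    return 0
}

# Usage in a build step (file names from the question; the cc line is illustrative):
#   verify_inputs pinned.sha256 func.lib main.o && cc -o prog main.o func.lib
```

The manifest itself has to be protected (for example kept under version control or signed), since anyone who can rewrite both the library and the manifest defeats the check.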

  3. Tor Rustad Guest

    Mohsen A. Momeni wrote:
    > Hi,
    > Does it make any difference in security, whether to compile a function
    > as a static lib and link it with a program or just add the function to
    > the source?


    It depends.

    > In other words, suppose we have two files, func.c containing a
    > function which is called in main and main.c containing the main
    > function. What is the difference when we link func.o with main.o to
    > make a binary, with linking func.lib with main.o to make the binary,
    > concerning security issues?


    In a high-security environment, we MAC or digitally sign the module
    beforehand. Hence, only modules which have been certified can be
    dynamically loaded. So, if I write new firmware for a cryptographic
    black box, I need to send the code away for audit, compiling and
    signing, else the boot software (of the black box) will reject the
    firmware to be loaded.

    In a low-security environment... well, who cares? A trick I have used to
    reverse-engineer modules is to write a spy module, which has an identical
    interface and name as the genuine library, and if I place the spy module
    in the current dir, it will load before the genuine library... if that
    is searched before the other paths.

    Hence, such a spy module can intercept and log every call made, and
    change the calls on the fly...


    --
    Tor <torust [at] online [dot] no>
    Tor Rustad, Sep 14, 2007
    #3