Memory usage on relays

Nick Mathewson nickm at freehaven.net
Tue Jan 19 16:54:13 UTC 2010


On Tue, Jan 19, 2010 at 4:18 AM, Olaf Selke <olaf.selke at blutmagie.de> wrote:
> Nn6eumtr wrote:
>> Binaries are statically linked so that someone can't substitute a
>> replacement library. Otherwise you can replace the library or set
>> LD_PRELOAD to implement a variety of attacks.
>
> can you give an example what's wrong with
> LD_PRELOAD="/foo/bar/libssl.so /foo/bar/libcrypto.so"
> in /etc/init.d/tor?
>
> That's how I enable special openssl versions on Debian.

The failure mode is if you somehow wind up in a position where an
adversary is in control of your environment; they could set
LD_PRELOAD or LD_PATH to whatever they wanted.

Personally, I'm not convinced that this is a reason not to dynamically
link.  Most attacks that would give somebody write access to your
environment would let them subvert your system in ways that don't
require dynamic linking. (That is, if the attacker can run arbitrary
shell commands, put stuff in your ~/.profile, or mess with your shell
process's memory, then they're in a great position whether your
binaries are static or not.)  I'm not alone in thinking this: there
are some pretty paranoid applications out there (gnupg and openssh for
example) that are happy to use the dynamic linker.

yrs,
-- 
Nick
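
As an added illustration (not part of the original message): a defensive check that parses a process environment in the NUL-separated format of /proc/<pid>/environ and reports dynamic-linker variables, along with whether each referenced file is root-owned and not group/world-writable. The function names, the ownership policy and the sample environment are assumptions made for this example.

```python
import os
import re
import stat

# Dynamic-linker variables that change which libraries a process loads.
LINKER_VARS = ("LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT")

# Constructed sample in /proc/<pid>/environ format, using the paths quoted above.
SAMPLE = (b"PATH=/usr/sbin:/usr/bin\0"
          b"LD_PRELOAD=/foo/bar/libssl.so /foo/bar/libcrypto.so\0")

def parse_environ(raw):
    """Parse NUL-separated KEY=VALUE entries into a dict."""
    env = {}
    for item in raw.split(b"\0"):
        if b"=" in item:
            key, value = item.split(b"=", 1)
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def split_paths(name, value):
    """LD_PRELOAD entries are separated by spaces or colons; the others by colons."""
    sep = r"[ :]+" if name == "LD_PRELOAD" else r":+"
    return [p for p in re.split(sep, value) if p]

def path_problem(path):
    """Return why `path` is risky to load from, or None (assumed policy)."""
    try:
        st = os.stat(path)
    except OSError:
        return "missing"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group/world-writable"
    if st.st_uid != 0:
        return "not owned by root"
    return None  # parent directories are not checked here

def audit(raw):
    """Return (variable, path, problem) for every linker-variable entry."""
    env = parse_environ(raw)
    return [(name, p, path_problem(p))
            for name in LINKER_VARS if name in env
            for p in split_paths(name, env[name])]

if __name__ == "__main__":
    for name, path, problem in audit(SAMPLE):
        print(f"{name}: {path} -> {problem or 'ok'}")
```

To check a live daemon, pass the bytes read from /proc/<pid>/environ (readable by the process owner or root) to `audit()`.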