Mailing List Archive

Re: [gentoo-embedded] Tool for eliminating non used code or symbols?
On Monday 25 March 2013 03:01:51 Kfir Lavi wrote:
> I'm looking for a way to reduce glibc code size.
> It can be a way to make the system smaller and minimize the impact
> of attack vectors in glibc, as in return-to-libc attack.
>
> Let's say I'm deleting the program 'mkdir', and mkdir uses a function
> in glibc that none of the other parts of the system uses.
> Then I want to eliminate this function from glibc. This leads to smaller
> code and if this function is used in some attack scenario, maybe prevent
> it.
>
> Is there a way to do it?
> Can you help me think how to build a tool like this? or, integrate
> with existing tools.

the only thing i've seen in the past was a hacky script that utilized the
uClibc build system to cull objects until things stopped linking. it had very
constrained use where it'd safely work, and was never generalized. i don't
remember the name of it now (was a few years ago), but having read the
[limited] source, i wouldn't bother using it as a base.

otherwise, i haven't heard of any tools that do what you want, but i've seen
many people request it. unfortunately, it's a tough nut to crack, and the
vast majority of people requesting it didn't have the technical skills to even
think about a solution let alone implement it.

i [pessimistically] suspect we're talking many man months here, and the skill
set involves knowledge of the ELF format at a fairly low level.
-mike
Re: [gentoo-embedded] Tool for eliminating non used code or symbols?
On Fri, Apr 26, 2013 at 11:03 PM, Mike Frysinger <vapier@gentoo.org> wrote:

> On Monday 25 March 2013 03:01:51 Kfir Lavi wrote:
> > I'm looking for a way to reduce glibc code size.
> > It can be a way to make the system smaller and minimize the impact
> > of attack vectors in glibc, as in return-to-libc attack.
> >
> > Let's say I'm deleting the program 'mkdir', and mkdir uses a function
> > in glibc that none of the other parts of the system uses.
> > Then I want to eliminate this function from glibc. This leads to smaller
> > code and if this function is used in some attack scenario, maybe prevent
> > it.
> >
> > Is there a way to do it?
> > Can you help me think how to build a tool like this? or, integrate
> > with existing tools.
>
> the only thing i've seen in the past was a hacky script that utilized the
> uClibc build system to cull objects until things stopped linking. it had very
> constrained use where it'd safely work, and was never generalized. i don't
> remember the name of it now (was a few years ago), but having read the
> [limited] source, i wouldn't bother using it as a base.
>
> otherwise, i haven't heard of any tools that do what you want, but i've seen
> many people request it. unfortunately, it's a tough nut to crack, and the
> vast majority of people requesting it didn't have the technical skills to even
> think about a solution let alone implement it.
>
> i [pessimistically] suspect we're talking many man months here, and the skill
> set involves knowledge of the ELF format at a fairly low level.
> -mike
>

You can look at this problem 2 ways:
1. Change the binary created after compilation.
2. Reduce glibc code and compile again. Do this iteratively.

I'm leaning toward the second, as you have the protection of the
compilation.

Kfir
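
An added example, not from either poster and not from any tool mentioned in the thread: one way to pick candidates for the "reduce and recompile" approach is to walk symbol references instead of culling objects until the link breaks. It assumes the inputs are the text output of `nm` on a static libc archive and of `nm -D --undefined-only` on each binary that stays installed; the function names and the sample symbol listings are constructed for illustration.

```python
UNDEF = {"U", "w", "v"}  # nm type letters: undefined and weak-undefined

def parse_nm(text):
    """Parse `nm libc.a` output into {member: (defined, undefined)}."""
    members, cur = {}, None
    for line in text.splitlines():
        fields = line.split()
        if line.strip().endswith(":"):           # "mkdir.o:" opens a member
            cur = members.setdefault(line.strip()[:-1], (set(), set()))
        elif cur is not None and len(fields) >= 2:
            kind, name = fields[-2], fields[-1].split("@")[0]  # drop @VERSION
            cur[1 if kind in UNDEF else 0].add(name)
    return members

def imports(text):
    """Imported names from `nm -D --undefined-only BINARY` output."""
    return parse_nm("bin:\n" + text)["bin"][1]

def cull_candidates(members, roots):
    """Archive members not reachable from the symbols the binaries import."""
    provider = {s: m for m, (defs, _) in members.items() for s in defs}
    keep, todo = set(), list(roots)
    while todo:
        m = provider.get(todo.pop())
        if m is not None and m not in keep:
            keep.add(m)
            todo.extend(members[m][1])           # follow libc-internal references
    return sorted(set(members) - keep)

# Constructed sample input, not taken from a real glibc build.
LIBC_NM = """
mkdir.o:
0000000000000000 T mkdir
                 U __syscall_error
rmdir.o:
0000000000000000 T rmdir
                 U __syscall_error
puts.o:
0000000000000000 T puts
                 U __syscall_error
syscall_error.o:
0000000000000000 T __syscall_error
"""
MKDIR_NM = "                 U mkdir@GLIBC_2.2.5\n                 U puts@GLIBC_2.2.5\n"
LS_NM = "                 U puts@GLIBC_2.2.5\n"
if __name__ == "__main__":
    libc = parse_nm(LIBC_NM)
    print(cull_candidates(libc, imports(MKDIR_NM) | imports(LS_NM)))  # mkdir installed
    print(cull_candidates(libc, imports(LS_NM)))                      # mkdir deleted
```

Symbols resolved at run time through dlsym() or by dlopen()ed modules do not appear in these import lists, so a candidate list produced this way still needs a relink and a test pass before anything is removed.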