| 1 |
On Fri, Apr 26, 2013 at 11:03 PM, Mike Frysinger <vapier@g.o> wrote: |
| 2 |
|
| 3 |
> On Monday 25 March 2013 03:01:51 Kfir Lavi wrote: |
| 4 |
> > I'm looking for a way to reduce glibc code size. |
| 5 |
> > It can be a way to make system smaller and minimize the impact |
| 6 |
> > of attack vectors in glibc, as in return-to-libc attack. |
| 7 |
> > |
| 8 |
> > Lets say I'm deleting the program 'mkdir', and mkdir uses a function |
| 9 |
> > in glibc that non of the other parts of the system uses. |
| 10 |
> > Then I want to eliminate this function from glibc. This leads to smaller |
| 11 |
> > code and if this function is used in some attack scenario, maybe prevent |
| 12 |
> > it. |
| 13 |
> > |
| 14 |
> > Is there a way to do it? |
| 15 |
> > Can you help me think how to build a tool like this? or, integrate |
| 16 |
> > with existing tools. |
| 17 |
> |
| 18 |
> the only thing i've seen in the past was a hacky script that utilize the |
| 19 |
> uClibc build system to cull objects until things stopped linking. it had |
| 20 |
> very |
| 21 |
> constrained use where i'd safely work, and was never generalized. i don't |
| 22 |
> remember the name of it now (was a few years ago), but having read the |
| 23 |
> [limited] source, i wouldn't bother using it as a base. |
| 24 |
> |
| 25 |
> otherwise, i haven't heard of any tools that do what you want, but i've |
| 26 |
> seen |
| 27 |
> many people request it. unfortunately, it's a tough nut to crack, and the |
| 28 |
> vast majority of people requesting it didn't have the technical skills to |
| 29 |
> even |
| 30 |
> think about a solution let alone implement it. |
| 31 |
> |
| 32 |
> i [pessimistically] suspect we're talking many man months here, and the |
| 33 |
> skill |
| 34 |
> set involves knowledge of the ELF format at a fairly low level. |
| 35 |
> -mike |
| 36 |
> |
| 37 |
|
| 38 |
You can look at this problem 2 ways: |
| 39 |
1. Change the binary created after compilation. |
| 40 |
2. Reduce glibc code and compile again. Do this iteratively. |
| 41 |
|
| 42 |
I'm leaning toward the second, as you have the protection of the |
| 43 |
compilation. |
| 44 |
|
| 45 |
Kfir |
Archives