Hacker News new | ask | show | jobs
by ongy 803 days ago
dynloading libraries can have some side effects.

Which the recent xz attack used to mess with `sshd`, even if it never actually used functions from the library.

dlopen loading only loads the library *when it's actually used*, and doesn't include everything and the kitchen sink on startup.

If the libraries are used seldomly enough, it might also allow to make more dependencies optional in package management.
3 comments
Tuna-Fish 803 days ago
I think it's also relevant that the xz exploit made use of the fact that by running code before main, they could modify areas of memory that later get turned read-only. Any library that does get loaded with dlopen can of course still attack the process it's in, but it has less tools available to it for evading detection.
link
marcosdumay 803 days ago
So... I repeat the GP.

What you gain is that the vulnerabilities will be harder to track down?

link
ongy 803 days ago
The specific way sshd was infected would not have happened with libxz as dlopen library.

Debian's sshd only uses libsystemd for the notify api. I.e. it doesn't need any feature that uses libxz. If it's dlopen()ed, it does not need to be loaded into the process context to use an unrelated feature.

FWIW, IMO upstream systemd should split their monolithic library and allow users to pick better that way, but this has other implications on DX.

link
Tuna-Fish 803 days ago
> FWIW, IMO upstream systemd should split their monolithic library and allow users to pick better that way, but this has other implications on DX.

FWIW, upstream systemd has the opinion that no-one should load the library for startup notification, instead they should use the well documented api and just write a message to a socket.

link
idoubtit 803 days ago
Indeed, that's what the Debian maintainer of OpenSSH did soon after the quick security fix. He replaced the dependency on libsystemd with some hand-made code that notifies systemd by socket. https://salsa.debian.org/ssh-team/openssh/-/commit/cc5f37cb8...
link
ptx 803 days ago
That's not what they said in their update to the documentation[0] last week, which says that "although using libsystemd is a good choice, this protocol can also be reimplemented without external dependencies".

It calls it a "good choice". Did they say somewhere else that no-one should do it despite it supposedly being a good choice?

[0] https://github.com/systemd/systemd/pull/32030/files

link
klooney 803 days ago
Yes- https://mastodon.social/@pid_eins/112202696589971319
link
newpavlov 803 days ago
sshd should not have used libsystemd in the first place for the trivial notification. And the ifunc stuff is its own security nightmare. Papering over this by dlopen-ing some libs in libsystemd does not address the deeper issues.
link
NewJazz 803 days ago
FWIW, IMO upstream systemd should split their monolithic library and allow users to pick better that way, but this has other implications on DX.

They've done the exact opposite afaict. Libsysd used to be split up, now it is monolithic.

link
marcosdumay 803 days ago
Upstream systemd should just cut the unused crap from their notification protocol and promise it's stable.

They probably couldn't change it anymore if they tried to.

link
Denvercoder9 803 days ago
The systemd notification protocol has been stable and documented as such for years (probably even a decade at this point): https://systemd.io/PORTABILITY_AND_STABILITY/
link
klooney 803 days ago
The whole protocol is "write READY=1 to the socket found in the NOTIFY_SOCKET environment variable".
link
cryptonector 803 days ago
> What you gain is that the vulnerabilities will be harder to track down?

No, they're just as easily tracked.

What you gain is that you can refuse to install optional dependencies because they are now optional when they used to be required.

That's a fairly big deal.

Of course, in practice all those optional dependencies will be installed anyways because of other things in the distro needing them. You can fairly object that not much changed, at least for now.

A better approach would be to eliminate a lot of these dependencies somehow. Another approach would be to sandbox the dependencies that cannot be eliminated.

link
advisedwang 803 days ago
It meant that had the bad xz version been shipped to distros, only some people would been vulnerable instead of everyone. That is valuable.
link
rcxdude 803 days ago
Though only with this particular approach to the backdoor. If systemd had always had this approach (or distros hadn't patched sshd to link it in), the attackers would have focused on a different path from delivering malicious code to widely-used distros which executes in a priviledged context to network RCE.
link
dv_dt 803 days ago
Wouldn't this systemd feature add a convenient centralized point of attack to inject libraries? Not as open at the user level, but similar to a LD_PRELOAD kind of vulnerability.
link
ajross 803 days ago
Not in a way that isn't otherwise accessible, IMHO. I mean, if you're really concerned about injected vulnerabilities into high-trust software (and you should be!) you should be suspicious of any dynamic linkage at all. But if you're going to do it, doing it late and under affirmative control is almost certainly the right choice.
link