in Operating System edited by
1,659 views
7 votes
7 votes
"Dynamic linking can cause security concerns as till run time path for searching dynamic library is not known."

Can someone explain this in his own and simple words?

note : This doubt is from ‘Gate 2003-76 ‘. Type gate2003-76 in Gateoverflow search box.
in Operating System edited by
1.7k views

4 Answers

7 votes
7 votes
Best answer

How security can be compromised?

When an application dynamically loads a dynamic-link library without specifying a fully qualified path name, Windows attempts to locate the DLL by searching a well-defined set of directories in a particular order, as described in Dynamic-Link Library Search Order. If an attacker gains control of one of the directories on the DLL search path, it can place a malicious copy of the DLL in that directory. This is sometimes called a DLL preloading attack or a binary planting attack. If the system does not find a legitimate copy of the DLL before it searches the compromised directory, it loads the malicious DLL. If the application is running with administrator privileges, the attacker may succeed in local privilege elevation.

For example, suppose an application is designed to load a DLL from the user's current directory and fail gracefully if the DLL is not found. The application calls LoadLibrary with just the name of the DLL, which causes the system to search for the DLL. Assuming safe DLL search mode is enabled and the application is not using an alternate search order, the system searches directories in the following order:

  1. The directory from which the application loaded.
  2. The system directory.
  3. The 16-bit system directory.
  4. The Windows directory.
  5. The current directory.
  6. The directories that are listed in the PATH environment variable.

Continuing the example, an attacker with knowledge of the application gains control of the current directory and places a malicious copy of the DLL in that directory. When the application issues the LoadLibrary call, the system searches for the DLL, finds the malicious copy of the DLL in the current directory and loads it. The malicious copy of the DLL then runs within the application and gains the privileges of the user.

Source: https://msdn.microsoft.com/en-us/library/windows/desktop/ff919712(v=vs.85).aspx

Why bother using dynamic linking then?

Static linking is the result of the linker copying all library routines used in the program into the executable image. This may require more disk space and memory than dynamic linking

Source: https://kb.iu.edu/d/akqn

selected by

1 comment

I wish i knew this when i was cracking my PC game.

I guess it would not have mattered, because i would have played it anyways.
1
1
5 votes
5 votes

If path of libraries are known already, i.e., at compiler time then OS knows the specific memory locations it will have to go and it won't be dealing with other unknown locations. Now in dynamic linking since the path is not known at compile time, there is a risk that a process might try to access unwanted memory locations during linking. That's why dynamic linking is less secure and needs to be handled carefully by the OS.

You can comment on the answers here for more insight:

https://gateoverflow.in/850/gate2002-2-20

1 vote
1 vote

loading:- bringing the program secondary memory to main memory is colled loading.

STATIC LOADING:- loading the entire program into memory befor start of program execution is called static loading. for static loading static linking is used.

DYNAMIC LOADING ;- loading the program into memory on demand (during the execution) then it is called dynamic linking . for dynamic loading dynamic linking is used.

SO in dynamic linking searching dynamic libraries is not known till run time becz program is loaded on demand.so it is more secure.

but in case od static linking  libraries are known till run time. becz program is loaded befour execution so it is less secure

0 votes
0 votes
After reading some of the articles I found following explanations;

1. Often dynamic linking include stub code for the functions which are available in some external dynamic library. And if someone tries to inject any malicious code there in place of stub code then it can harm the libraries or even system while trying to access the function.

2. If a code doesn't know the path for the library to be linked dynamically till run time it may try to access other library too if due to any reason system intervene with the process and changes the stub code and the address.

Related questions