Running 100% statically linked executables

[robgjansen]

When running a 100% statically-linked binary (that does not link to the dynamic loader ld-linux-x86-64.so) in shadow, the LD_PRELOAD env variable will be ignored. This means that the shim library that we try to preload and inject will never be initialized, so we won't have a control channel between shadow and the managed process.

We may be able to hack around it by using ptrace upon forking the managed process to inject the shim into the process at init time. We would have a flow like
fork() -> exec() -> ptrace() -> [in child] dlopen("libshim.so") -> ptrace(detach)

From this point, we would rely on seccomp in the shim for function interception (LD_PRELOAD may still be ignored at this point).

Except, because dlopen would not be available, we would have to instead manually mmap some space, open the shim, copy the contents into memory, and call the constructor ourselves.

More information here:
https://stackoverflow.com/questions/24355344/inject-shared-library-into-a-process

(Thanks @rwails!)

[sporksmith]

It'd be nice if we could avoid ptrace, since it's not always available, interferes with gdb, etc.

https://www.youtube.com/watch?v=pq1XqP4-qOo uses some interesting techniques for manipulating the dynamic linker. It makes me wonder if there's a simple way to patch the elf executable to make it look like a dynamically linked executable with no dependencies. Even if this works though, it does mean "patching" the binary which is a little awkward. We could dynamically make a new copy of the binary in /tmp that we delete when shadow exits but still...

Another possibility is to write our own "loader" that loads the static executable + our shim into memory, calls the shim init code, and then calls _start in the static binary. I think this mostly just involves mmaping the sections of the elf into the addresses they're supposed to go to.

Somewhat related - we may want to avoid having our shim library depend on any other dynamically linked libraries, including libc. Otherwise we'll need to somehow get those libraries into memory as well. I think we can link against a static version of libc, but we might need to use musl instead of glibc. This might also be a good idea anyway to avoid trouble if the target executable is linked with a different version of libc than the shim was, since otherwise the dynamic libc that the shim pulls in may have symbol collisions with the version that the target binary pulls in.

[jtracey]

It makes me wonder if there's a simple way to patch the elf executable to make it look like a dynamically linked executable with no dependencies.

Not easily, no. Elf-loader used to have to deal with stuff like this (see e.g. the elfedit utility, which modifies an existing elf file to use elf-loader instead of the system ld.so). The problem is that compiled executables can make a lot of assumptions about offsets and addresses. Elfedit got around this by only modifying the existing dynamic linker path in the dynamic executable headers, and being sure to only allow replacing the path with one that is shorter than the old path, then padding with null bytes so it matched the length. Statically linked executables are allowed to make even more assumptions, and don't have those headers to begin with. At least from my understanding, the way adding those headers would modify the binary would upset offsets, alignment, and jumps so severely that the only way to do it would practically be de- then re-compiling.

Another possibility is to write our own "loader" that loads the static executable + our shim into memory, calls the shim init code, and then calls _start in the static binary. I think this mostly just involves mmaping the sections of the elf into the addresses they're supposed to go to.

FWIW, I think elf-loader could handle this. It is LGPL, and C, so might not be the best fit any more, but it exists.

Somewhat related - we may want to avoid having our shim library depend on any other dynamically linked libraries, including libc.

Elf-loader, which basically did shim operations for dynamic linking/loading, basically re-implements the necessary parts of libc itself. Feel free to poke around the hacking documentation to see what it did. Something to be aware of when mixing libcs in a single process is that things like memory allocators and thread-local storage management can clobber each other if you're not careful; a lot of the annoying bugs that crept up essentially boiled down to this.

since otherwise the dynamic libc that the shim pulls in may have symbol collisions with the version that the target binary pulls in

If you mean that a preloaded shim linked against a dynamic libc will preload those symbols as well, IIRC only the given preloaded library gets placed in the interposition order (right after the main executable), dependencies get appended to the end of symbol resolution order as usual. If you're doing something that would cause that to not be the case, symbol versioning should still prevent any problems, as long as both of the libcs used version their symbols (glibc does by default, try running e.g. readelf -s $(which ls) to see what I mean). The reason LD_PRELOAD can work on glibc symbols is because you usually explicitly don't version your symbols, which causes them to take precedence; if that's not your goal, you can version them to prevent interposing.

[sporksmith]

Thanks for the info!

the way adding those headers would modify the binary would upset offsets, alignment, and jumps so severely that the only way to do it would practically be de- then re-compiling.

Ah bummer. I thought/hoped that nothing cared about absolute offsets within the elf file, only within sections that are mmap'd in to the running program.

FWIW, I think elf-loader could handle this. It is LGPL, and C, so might not be the best fit any more, but it exists.

Cool! I'm hoping we wouldn't need the full functionality and complexity of the current elf loader since we wouldn't need to do dynamic linking/loading, but it'd be useful as a starting point that couldto be stripped down, or as a reference.

If you mean that a preloaded shim linked against a dynamic libc will preload those symbols as well, IIRC only the given preloaded library gets placed in the interposition order (right after the main executable), dependencies get appended to the end of symbol resolution order as usual. If you're doing something that would cause that to not be the case, symbol versioning should still prevent any problems, as long as both of the libcs used version their symbols (glibc does by default, try running e.g. readelf -s $(which ls) to see what I mean). The reason LD_PRELOAD can work on glibc symbols is because you usually explicitly don't version your symbols, which causes them to take precedence; if that's not your goal, you can version them to prevent interposing.

Thanks, I'll have to think about this some more. It's not a problem we've encountered in practice, but I started thinking about it recently while starting to use nix in my workflows, since a program built under nix would use a different build of libc than shadow's shim (assuming the shim wasn't also built via nix).

[sporksmith]

We should track here any real-world examples we find of statically compiled binaries we'd like to run under Shadow, to better understand the value of addressing this.

golang programs can be statically compiled, but very often aren't. In particular, programs that use cgo, which by default includes programs that use net package of the standard library, end up being dynamically linked. https://www.arp242.net/static-go.html

[sporksmith]

@rwails found https://criu.org/Compel, which may be useful

[Lestode]

Hello,
I faced similar issues during a research project. We used dynamic binary instrumentation coupled with kernel instrumentation (namely ptrace), to emulate system calls that bypass the libc.
Do you think this would be interesting to implement ?
I have my document ready to send if you're interested, even though it's not an actual publication

[sporksmith]

Thanks @Lestode; sounds interesting! In general though, I think we're unlikely to really work on this without more motivation for supporting statically linked executables (e.g. use-cases where it's impractical to recompile with dynamic linking).

I should also mention "System Call Interposition Without Compromise" both for reference here and that it might be interesting to you @Lestode since it sounds like a related approach.