[gentoo-embedded] Tool for eliminating non used code or symbols?

[gentoo-embedded] Tool for eliminating non used code or symbols?

[Kfir Lavi]

Hi,
I'm looking for a way to reduce glibc code size.
It can be a way to make system smaller and minimize the impact
of attack vectors in glibc, as in return-to-libc attack.

Lets say I'm deleting the program 'mkdir', and mkdir uses a function
in glibc that non of the other parts of the system uses.
Then I want to eliminate this function from glibc. This leads to smaller
code and if this function is used in some attack scenario, maybe prevent it.

Is there a way to do it?
Can you help me think how to build a tool like this? or, integrate
with existing tools.

Thanks,
Kfir

Re: [gentoo-embedded] Tool for eliminating non used code or symbols?

[Markos Chandras]

On 25 March 2013 07:01, Kfir Lavi <lavi.kfir@gmail.com> wrote:
> Hi,
> I'm looking for a way to reduce glibc code size.
> It can be a way to make system smaller and minimize the impact
> of attack vectors in glibc, as in return-to-libc attack.
>
> Lets say I'm deleting the program 'mkdir', and mkdir uses a function
> in glibc that non of the other parts of the system uses.
> Then I want to eliminate this function from glibc. This leads to smaller
> code and if this function is used in some attack scenario, maybe prevent it.
>
> Is there a way to do it?
> Can you help me think how to build a tool like this? or, integrate
> with existing tools.
>
> Thanks,
> Kfir
>

You can use -Os when you compile your packages to reduce the size of
the resulting ELF file.
As for the second part of your question, I am not sure if this is
possible. I haven't thought this through, but
assuming you know no other packages depend on the function you want to
remove, you will have to mess
with the ELF file and its plt and other section entries to remove all
the references of that symbol. It's likely you
will break the file in the end.

--
Regards,
Markos Chandras - Gentoo Linux Developer
http://dev.gentoo.org/~hwoarang

Re: [gentoo-embedded] Tool for eliminating non used code or symbols?

[Kfir Lavi]

[-- Attachment #1: Type: text/plain, Size: 1464 bytes --]

On Sat, Mar 30, 2013 at 4:09 AM, Markos Chandras <hwoarang@gentoo.org>wrote:

> On 25 March 2013 07:01, Kfir Lavi <lavi.kfir@gmail.com> wrote:
> > Hi,
> > I'm looking for a way to reduce glibc code size.
> > It can be a way to make system smaller and minimize the impact
> > of attack vectors in glibc, as in return-to-libc attack.
> >
> > Lets say I'm deleting the program 'mkdir', and mkdir uses a function
> > in glibc that non of the other parts of the system uses.
> > Then I want to eliminate this function from glibc. This leads to smaller
> > code and if this function is used in some attack scenario, maybe prevent
> it.
> >
> > Is there a way to do it?
> > Can you help me think how to build a tool like this? or, integrate
> > with existing tools.
> >
> > Thanks,
> > Kfir
> >
>
> You can use -Os when you compile your packages to reduce the size of
> the resulting ELF file.
> As for the second part of your question, I am not sure if this is
> possible. I haven't thought this through, but
> assuming you know no other packages depend on the function you want to
> remove, you will have to mess
> with the ELF file and its plt and other section entries to remove all
> the references of that symbol. It's likely you
> will break the file in the end.
>
> --
> Regards,
> Markos Chandras - Gentoo Linux Developer
> http://dev.gentoo.org/~hwoarang
>
> Yes you right,
This is why I want to remove the function from the sources and compile it
again.

Kfir

[-- Attachment #2: Type: text/html, Size: 2079 bytes --]

Re: [gentoo-embedded] Tool for eliminating non used code or symbols?

[Mike Frysinger]

[-- Attachment #1: Type: Text/Plain, Size: 1456 bytes --]

On Monday 25 March 2013 03:01:51 Kfir Lavi wrote:
> I'm looking for a way to reduce glibc code size.
> It can be a way to make system smaller and minimize the impact
> of attack vectors in glibc, as in return-to-libc attack.
> 
> Lets say I'm deleting the program 'mkdir', and mkdir uses a function
> in glibc that non of the other parts of the system uses.
> Then I want to eliminate this function from glibc. This leads to smaller
> code and if this function is used in some attack scenario, maybe prevent
> it.
> 
> Is there a way to do it?
> Can you help me think how to build a tool like this? or, integrate
> with existing tools.

the only thing i've seen in the past was a hacky script that utilize the 
uClibc build system to cull objects until things stopped linking.  it had very 
constrained use where i'd safely work, and was never generalized.  i don't 
remember the name of it now (was a few years ago), but having read the 
[limited] source, i wouldn't bother using it as a base.

otherwise, i haven't heard of any tools that do what you want, but i've seen 
many people request it.  unfortunately, it's a tough nut to crack, and the 
vast majority of people requesting it didn't have the technical skills to even 
think about a solution let alone implement it.

i [pessimistically] suspect we're talking many man months here, and the skill 
set involves knowledge of the ELF format at a fairly low level.
-mike

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: [gentoo-embedded] Tool for eliminating non used code or symbols?

[Kfir Lavi]

[-- Attachment #1: Type: text/plain, Size: 1791 bytes --]

On Fri, Apr 26, 2013 at 11:03 PM, Mike Frysinger <vapier@gentoo.org> wrote:

> On Monday 25 March 2013 03:01:51 Kfir Lavi wrote:
> > I'm looking for a way to reduce glibc code size.
> > It can be a way to make system smaller and minimize the impact
> > of attack vectors in glibc, as in return-to-libc attack.
> >
> > Lets say I'm deleting the program 'mkdir', and mkdir uses a function
> > in glibc that non of the other parts of the system uses.
> > Then I want to eliminate this function from glibc. This leads to smaller
> > code and if this function is used in some attack scenario, maybe prevent
> > it.
> >
> > Is there a way to do it?
> > Can you help me think how to build a tool like this? or, integrate
> > with existing tools.
>
> the only thing i've seen in the past was a hacky script that utilize the
> uClibc build system to cull objects until things stopped linking.  it had
> very
> constrained use where i'd safely work, and was never generalized.  i don't
> remember the name of it now (was a few years ago), but having read the
> [limited] source, i wouldn't bother using it as a base.
>
> otherwise, i haven't heard of any tools that do what you want, but i've
> seen
> many people request it.  unfortunately, it's a tough nut to crack, and the
> vast majority of people requesting it didn't have the technical skills to
> even
> think about a solution let alone implement it.
>
> i [pessimistically] suspect we're talking many man months here, and the
> skill
> set involves knowledge of the ELF format at a fairly low level.
> -mike
>

You can look at this problem 2 ways:
1. Change the binary created after compilation.
2. Reduce glibc code and compile again. Do this iteratively.

I'm leaning toward the second, as you have the protection of the
compilation.

Kfir

[-- Attachment #2: Type: text/html, Size: 2377 bytes --]

Re: [gentoo-embedded] Tool for eliminating non used code or symbols?

[Bertrand Jacquin]

Hi,

Finally, two months after your mail, I remembered a project I saw last 
year (or so) that might stick your need.

http://anonscm.debian.org/gitweb/?p=d-i/mklibs.git
http://anonscm.debian.org/gitweb/?p=d-i/mklibs.git;a=blob_plain;f=src/mklibs;h=216b34c1cb221458cd0d26c6bd5c719c3bf94ab2;hb=HEAD

As describe, this tool :

- Gather all unresolved symbols and libraries needed by the programs
   and reduced libraries
- Gather all symbols provided by the already reduced libraries
   (none on the first pass)
- If all symbols are provided we are done
- go through all libraries and remember what symbols they provide
- go through all unresolved/needed symbols and mark them as used
- for each library:
   - find pic file (if not present copy and strip the so)
   - compile in only used symbols
   - strip
- back to the top

Beber

On 2013-03-25 08:01, Kfir Lavi wrote:
> Hi,
> I'm looking for a way to reduce glibc code size.
> It can be a way to make system smaller and minimize the impact
> of attack vectors in glibc, as in return-to-libc attack.
> 
> Lets say I'm deleting the program 'mkdir', and mkdir uses a function
> in glibc that non of the other parts of the system uses.
> Then I want to eliminate this function from glibc. This leads to 
> smaller
> code and if this function is used in some attack scenario, maybe 
> prevent it.
> 
> Is there a way to do it?
> Can you help me think how to build a tool like this? or, integrate
> with existing tools.
> 
> Thanks,
> Kfir

Re: [gentoo-embedded] Tool for eliminating non used code or symbols?

[Christopher Friedt]

[-- Attachment #1: Type: text/plain, Size: 1841 bytes --]

-Wunused -Werror


On Mon, May 27, 2013 at 9:09 AM, Bertrand Jacquin <beber@meleeweb.net>wrote:

> Hi,
>
> Finally, two months after your mail, I remembered a project I saw last
> year (or so) that might stick your need.
>
> http://anonscm.debian.org/**gitweb/?p=d-i/mklibs.git<http://anonscm.debian.org/gitweb/?p=d-i/mklibs.git>
> http://anonscm.debian.org/**gitweb/?p=d-i/mklibs.git;a=**
> blob_plain;f=src/mklibs;h=**216b34c1cb221458cd0d26c6bd5c71**
> 9c3bf94ab2;hb=HEAD<http://anonscm.debian.org/gitweb/?p=d-i/mklibs.git;a=blob_plain;f=src/mklibs;h=216b34c1cb221458cd0d26c6bd5c719c3bf94ab2;hb=HEAD>
>
> As describe, this tool :
>
> - Gather all unresolved symbols and libraries needed by the programs
>   and reduced libraries
> - Gather all symbols provided by the already reduced libraries
>   (none on the first pass)
> - If all symbols are provided we are done
> - go through all libraries and remember what symbols they provide
> - go through all unresolved/needed symbols and mark them as used
> - for each library:
>   - find pic file (if not present copy and strip the so)
>   - compile in only used symbols
>   - strip
> - back to the top
>
> Beber
>
>
> On 2013-03-25 08:01, Kfir Lavi wrote:
>
>> Hi,
>> I'm looking for a way to reduce glibc code size.
>> It can be a way to make system smaller and minimize the impact
>> of attack vectors in glibc, as in return-to-libc attack.
>>
>> Lets say I'm deleting the program 'mkdir', and mkdir uses a function
>> in glibc that non of the other parts of the system uses.
>> Then I want to eliminate this function from glibc. This leads to smaller
>> code and if this function is used in some attack scenario, maybe prevent
>> it.
>>
>> Is there a way to do it?
>> Can you help me think how to build a tool like this? or, integrate
>> with existing tools.
>>
>> Thanks,
>> Kfir
>>
>
>

[-- Attachment #2: Type: text/html, Size: 2512 bytes --]

Re: [gentoo-embedded] Tool for eliminating non used code or symbols?

[Christopher Friedt]

[-- Attachment #1: Type: text/plain, Size: 2008 bytes --]

strip --strip-unneeded


On Fri, May 31, 2013 at 2:10 PM, Christopher Friedt
<chrisfriedt@gmail.com>wrote:

> -Wunused -Werror
>
>
> On Mon, May 27, 2013 at 9:09 AM, Bertrand Jacquin <beber@meleeweb.net>wrote:
>
>> Hi,
>>
>> Finally, two months after your mail, I remembered a project I saw last
>> year (or so) that might stick your need.
>>
>> http://anonscm.debian.org/**gitweb/?p=d-i/mklibs.git<http://anonscm.debian.org/gitweb/?p=d-i/mklibs.git>
>> http://anonscm.debian.org/**gitweb/?p=d-i/mklibs.git;a=**
>> blob_plain;f=src/mklibs;h=**216b34c1cb221458cd0d26c6bd5c71**
>> 9c3bf94ab2;hb=HEAD<http://anonscm.debian.org/gitweb/?p=d-i/mklibs.git;a=blob_plain;f=src/mklibs;h=216b34c1cb221458cd0d26c6bd5c719c3bf94ab2;hb=HEAD>
>>
>> As describe, this tool :
>>
>> - Gather all unresolved symbols and libraries needed by the programs
>>   and reduced libraries
>> - Gather all symbols provided by the already reduced libraries
>>   (none on the first pass)
>> - If all symbols are provided we are done
>> - go through all libraries and remember what symbols they provide
>> - go through all unresolved/needed symbols and mark them as used
>> - for each library:
>>   - find pic file (if not present copy and strip the so)
>>   - compile in only used symbols
>>   - strip
>> - back to the top
>>
>> Beber
>>
>>
>> On 2013-03-25 08:01, Kfir Lavi wrote:
>>
>>> Hi,
>>> I'm looking for a way to reduce glibc code size.
>>> It can be a way to make system smaller and minimize the impact
>>> of attack vectors in glibc, as in return-to-libc attack.
>>>
>>> Lets say I'm deleting the program 'mkdir', and mkdir uses a function
>>> in glibc that non of the other parts of the system uses.
>>> Then I want to eliminate this function from glibc. This leads to smaller
>>> code and if this function is used in some attack scenario, maybe prevent
>>> it.
>>>
>>> Is there a way to do it?
>>> Can you help me think how to build a tool like this? or, integrate
>>> with existing tools.
>>>
>>> Thanks,
>>> Kfir
>>>
>>
>>
>

[-- Attachment #2: Type: text/html, Size: 2950 bytes --]

Re: [gentoo-embedded] Tool for eliminating non used code or symbols?

[Mike Frysinger]

[-- Attachment #1: Type: Text/Plain, Size: 147 bytes --]

On Friday 31 May 2013 14:11:01 Christopher Friedt wrote:
> strip --strip-unneeded

doesn't removed symbols that are exported in a shared lib
-mike

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: [gentoo-embedded] Tool for eliminating non used code or symbols?

[Anthony G. Basile]

On 06/21/2013 08:23 PM, Mike Frysinger wrote:
> On Friday 31 May 2013 14:11:01 Christopher Friedt wrote:
>> strip --strip-unneeded
>
> doesn't removed symbols that are exported in a shared lib
> -mike
>

and shouldn't.  How can a shared library know what symbols will be 
consumed in the future by objects linking against it?

-- 
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197

Re: [gentoo-embedded] Tool for eliminating non used code or symbols?

[Christopher Friedt]

Hmm... I didn't read the original post all the way through before
responding previously.

It sounds like a pretty niche requirement. I don't see why you
couldn't just write your own tool to do it for yourself.

Incidentally, this isn't compiling, but *linking*. You could probably
look at the "prelink" code to get an idea of how to do it.

On Sat, Jun 22, 2013 at 6:05 AM, Anthony G. Basile
<basile@opensource.dyc.edu> wrote:
> On 06/21/2013 08:23 PM, Mike Frysinger wrote:
>>
>> On Friday 31 May 2013 14:11:01 Christopher Friedt wrote:
>>>
>>> strip --strip-unneeded
>>
>>
>> doesn't removed symbols that are exported in a shared lib
>> -mike
>>
>
> and shouldn't.  How can a shared library know what symbols will be consumed
> in the future by objects linking against it?
>
> --
> Anthony G. Basile, Ph. D.
> Chair of Information Technology
> D'Youville College
> Buffalo, NY 14201
> (716) 829-8197
>

Re: [gentoo-embedded] Tool for eliminating non used code or symbols?

[Kfir Lavi]

[-- Attachment #1: Type: text/plain, Size: 1952 bytes --]

On Mon, May 27, 2013 at 4:09 PM, Bertrand Jacquin <beber@meleeweb.net>wrote:

> Hi,
>
> Finally, two months after your mail, I remembered a project I saw last
> year (or so) that might stick your need.
>
> http://anonscm.debian.org/**gitweb/?p=d-i/mklibs.git<http://anonscm.debian.org/gitweb/?p=d-i/mklibs.git>
> http://anonscm.debian.org/**gitweb/?p=d-i/mklibs.git;a=**
> blob_plain;f=src/mklibs;h=**216b34c1cb221458cd0d26c6bd5c71**
> 9c3bf94ab2;hb=HEAD<http://anonscm.debian.org/gitweb/?p=d-i/mklibs.git;a=blob_plain;f=src/mklibs;h=216b34c1cb221458cd0d26c6bd5c719c3bf94ab2;hb=HEAD>
>
> As describe, this tool :
>
> - Gather all unresolved symbols and libraries needed by the programs
>   and reduced libraries
> - Gather all symbols provided by the already reduced libraries
>   (none on the first pass)
> - If all symbols are provided we are done
> - go through all libraries and remember what symbols they provide
> - go through all unresolved/needed symbols and mark them as used
> - for each library:
>   - find pic file (if not present copy and strip the so)
>   - compile in only used symbols
>   - strip
> - back to the top
>
> Beber
>
> Thanks for your post. I really appreciate it.
I'll take a deeper look on this project in the near future.

Again thanks,
Kfir


>
> On 2013-03-25 08:01, Kfir Lavi wrote:
>
>> Hi,
>> I'm looking for a way to reduce glibc code size.
>> It can be a way to make system smaller and minimize the impact
>> of attack vectors in glibc, as in return-to-libc attack.
>>
>> Lets say I'm deleting the program 'mkdir', and mkdir uses a function
>> in glibc that non of the other parts of the system uses.
>> Then I want to eliminate this function from glibc. This leads to smaller
>> code and if this function is used in some attack scenario, maybe prevent
>> it.
>>
>> Is there a way to do it?
>> Can you help me think how to build a tool like this? or, integrate
>> with existing tools.
>>
>> Thanks,
>> Kfir
>>
>
>

[-- Attachment #2: Type: text/html, Size: 2801 bytes --]