SQ18112

Detected Linux executable files that were compiled without any dynamic symbol hijacking protections.

  • Priority: (value not captured on this page)
  • CI/CD status: pass
  • Severity: medium
  • Effort: low
  • RL level: None
  • RL assessment: hardening: warning
Reason: execution hijacking risks

About the issue

On Linux, references to external symbols are resolved through the procedure linkage table (PLT) and the global offset table (GOT). The GOT is split into two tables: one for external data and one for external functions. Without any protection, both tables remain writable at runtime, which leaves the executable exposed to data overwrite attacks and to pointer hijacking. Data overwrite attacks are mitigated by partial read-only relocations, while pointer hijacking is mitigated by full read-only relocations. Both approaches have drawbacks. Partial read-only relocations do not provide full protection, because the external function GOT remains writable. Full read-only relocations require that all external function symbols are resolved at load time rather than lazily during execution, which may increase loading time for large programs.

How to resolve the issue

  • In most cases, it's recommended to use full read-only relocations (in GCC: -Wl,-z,relro,-z,now).
  • If the executable load-time is an issue, you should use partial read-only relocations.

Incidence statistics

ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes.

For every repository, the chart shows the percentage of projects that triggered the software assurance policy. In other words, it shows how many projects were found to have the specific issue described on this page.

The percentages are calculated from the total amount of packages analyzed:

  • RubyGems: 174K
  • NuGet: 189K
  • PyPI: 403K
  • NPM: 2.1M