On Fri, Apr 26, 2013 at 11:03 PM, Mike Frysinger <vap...@gentoo.org> wrote:
> On Monday 25 March 2013 03:01:51 Kfir Lavi wrote: > > I'm looking for a way to reduce glibc code size. > > It can be a way to make system smaller and minimize the impact > > of attack vectors in glibc, as in return-to-libc attack. > > > > Lets say I'm deleting the program 'mkdir', and mkdir uses a function > > in glibc that non of the other parts of the system uses. > > Then I want to eliminate this function from glibc. This leads to smaller > > code and if this function is used in some attack scenario, maybe prevent > > it. > > > > Is there a way to do it? > > Can you help me think how to build a tool like this? or, integrate > > with existing tools. > > the only thing i've seen in the past was a hacky script that utilize the > uClibc build system to cull objects until things stopped linking. it had > very > constrained use where i'd safely work, and was never generalized. i don't > remember the name of it now (was a few years ago), but having read the > [limited] source, i wouldn't bother using it as a base. > > otherwise, i haven't heard of any tools that do what you want, but i've > seen > many people request it. unfortunately, it's a tough nut to crack, and the > vast majority of people requesting it didn't have the technical skills to > even > think about a solution let alone implement it. > > i [pessimistically] suspect we're talking many man months here, and the > skill > set involves knowledge of the ELF format at a fairly low level. > -mike > You can look at this problem 2 ways: 1. Change the binary created after compilation. 2. Reduce glibc code and compile again. Do this iteratively. I'm leaning toward the second, as you have the protection of the compilation. Kfir
