On Thursday 22 March 2007 05:54, Kamil Monticolo wrote:
> You may also strip nearly all of your libraries, for example:
>
> # ls -lhS /usr/lib/libcrypto*a
> -r--r--r--  1 root  bin  11.7M Mar 22 13:53 /usr/lib/libcrypto_pic.a
> -r--r--r--  1 root  bin  11.6M Mar 22 13:53 /usr/lib/libcrypto_p.a
> -r--r--r--  1 root  bin  11.5M Mar 22 13:53 /usr/lib/libcrypto.a
> # strip -s /usr/lib/libcrypto*a
> # ls -lhS /usr/lib/libcrypto*a  
> -r--r--r--  1 root  bin   909K Mar 22 13:53 /usr/lib/libcrypto_pic.a
> -r--r--r--  1 root  bin   865K Mar 22 13:53 /usr/lib/libcrypto_p.a
> -r--r--r--  1 root  bin   835K Mar 22 13:53 /usr/lib/libcrypto.a
>
> looks fine?

No. You've just destroyed your libraries in a way that's worse than just
deleting them since now you will need to wade through strange error
messages which are trying to tell you why your stripped libraries no
longer work.

The most common way for software to call library functions is by
symbolic function name, rather than by ordinal or by location. When you
remove all of the symbolic function names in a library, you can no
longer call a function by its name and all software that calls by name
will break.

The above is only the start of your problems. When a library is loaded,
it is seldom loaded at a pre-known exact address; instead, the
operating system will take the suggested load address (nearly always
occupied by another library), find some available free space in memory
at a different address, load the library into the available free space,
and then adjust the library code for the relocation. Without the
symbols necessary for relocation, the library can not be relocated and
loading the library will fail because the suggested address is most
likely already in use by another library.

Your problems are even worse than the above (over) simplification when
you realize OpenBSD uses Address Space Layout Randomization (ASLR) to
intentionally prevent executable code from being located at addresses
known by an attacker.

If saving "disk" space is absolutely critical to your application
(usually some kind of embedded system without a "disk" and highly
limited flash storage) and you are *forced* by your constraints to
remove symbols to save space, then use the "--strip-debug" option.

$ mkdir ~/test
$ cd ~/test
$ cp /usr/lib/libcrypto*.a .
$ sudo strip --strip-debug ./libcrypto*
Password:
$ ls -1 | xargs -I % mv % %.stripped
$ cp /usr/lib/libcrypto*.a .
$ ll
total 80172
drwxr-xr-x   2 jcr  jcr       512 Mar 23 09:30 ./
drwxr-xr-x  59 jcr  jcr      4096 Mar 23 09:29 ../
-r--r--r--   1 jcr  jcr  12038344 Mar 23 09:30 libcrypto.a
-r--r--r--   1 jcr  jcr   1454880 Mar 23 09:30 libcrypto.a.stripped
-r--r--r--   1 jcr  jcr  12104302 Mar 23 09:30 libcrypto_p.a
-r--r--r--   1 jcr  jcr   1520552 Mar 23 09:30 libcrypto_p.a.stripped
-r--r--r--   1 jcr  jcr  12195228 Mar 23 09:30 libcrypto_pic.a
-r--r--r--   1 jcr  jcr   1600072 Mar 23 09:30 libcrypto_pic.a.stripped
$

Sure, you may have saved 30MiB of "disk" (and still have working
libraries) but it comes at the price of making debugging far more
difficult, time consuming and costly. Outside of your suggested
destruction of the libraries, even when "correctly" removing only debug
symbols, every single sane, volunteer, open source developer with very
limited time, would rightfully refuse to help a person with a problem
when the person has *intentionally* made their problem more difficult
to debug.

kind regards,
jcr
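
Added example, not part of the original message: a Python check that reads the section header table of a 64-bit little-endian ELF object (the kind of member a .a archive holds) and reports whether a symbol table and relocation sections are still present after stripping. The three sample objects are constructed, and their layouts assume that "strip -s" leaves neither a symbol table nor relocation sections while "--strip-debug" keeps both; audit(), section_types() and fake_object() are hypothetical names.

```python
import struct

SHT_SYMTAB, SHT_RELA, SHT_REL = 2, 4, 9   # sh_type values from the ELF specification

def section_types(elf):
    """Return sh_type for every section header of a 64-bit little-endian ELF object."""
    if len(elf) < 64 or elf[:4] != b"\x7fELF" or elf[4:6] != b"\x02\x01":
        raise ValueError("not a 64-bit little-endian ELF object")
    (e_shoff,) = struct.unpack_from("<Q", elf, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", elf, 0x3A)
    if e_shoff + e_shentsize * e_shnum > len(elf):
        raise ValueError("section header table is truncated")
    return [struct.unpack_from("<I", elf, e_shoff + i * e_shentsize + 4)[0]
            for i in range(e_shnum)]

def audit(elf):
    """Report whether the linker still has symbols and relocations to work with."""
    types = section_types(elf)
    return {"symtab": SHT_SYMTAB in types,
            "relocs": any(t in (SHT_RELA, SHT_REL) for t in types)}

def fake_object(types):
    """Constructed sample: an ELF64 header followed only by a section header table."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    header = ident + struct.pack("<HHIQQQIHHHHHH", 1, 62, 1, 0, 0, 64, 0,
                                 64, 0, 0, 64, len(types), 0)
    return header + b"".join(struct.pack("<II", 0, t) + bytes(56) for t in types)

# Constructed section layouts (assumed, not taken from a real libcrypto member):
# NULL=0, PROGBITS=1, SYMTAB=2, STRTAB=3, RELA=4
SAMPLES = {
    "untouched":     fake_object([0, 1, 4, 1, 4, 2, 3, 3]),
    "--strip-debug": fake_object([0, 1, 4, 2, 3, 3]),
    "-s":            fake_object([0, 1, 3]),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        result = audit(blob)
        verdict = "usable for linking" if result["symtab"] else "BROKEN: no symbol table"
        print(f"{name:14} {result} -> {verdict}")
```

To use it on real files, extract the archive members first (for example with "ar x") and pass each member's bytes to audit().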
