[Dwarf-Discuss] security implications of DWARF info
James Oakley
James.M.H.Oakley@Dartmouth.edu
Wed Nov 24 17:29:12 GMT 2010
> in ELF object files,
> even if you strip out all the DWARF there will still be the ELF
> symbol table. If you are looking at a DLL the ELF symbol table
> cannot avoid listing the names of all exported entrypoints; and
> typically it would have all entrypoints and static/global data names.
> That symbol table is sufficient for presenting a symbolic traceback

Only the contents of .dynsym are necessary for program execution/dynamic
linking. Pass -s (--strip-all) to ld and there will no longer be a .symtab
section. If we are dealing with an executable there will be very little of
interest in .dynsym. If we are dealing with a library then of course there
will be a lot more.

On 11/24/2010 12:15 PM, Robinson, Paul T (JCTL-NonStop) wrote:
>> I'm assuming that there's more information than function addresses.
>>
>> Type information, for example, or mappings to source code lines.
>
> DWARF includes names of all named entities in the object, as well
> as directory and file names of the source files and the mapping
> table correlating instructions with source locations. Names that
> identify typed entities will also describe those types. Names
> that identify entities with associated data storage will also
> describe those storage locations. Names that identify entities
> with associated instructions (functions, thunks, etc) will also
> describe those code locations.
>
>> Such information could aid reverse engineers.
>
> The point of DWARF is to provide information that will help you
> understand the execution of the code. Whether you are the one
> developing the code or reverse-engineering the code, the information
> is the same.
>
> I am not familiar with dSYM files either, but in ELF object files,
> even if you strip out all the DWARF there will still be the ELF
> symbol table. If you are looking at a DLL the ELF symbol table
> cannot avoid listing the names of all exported entrypoints; and
> typically it would have all entrypoints and static/global data names.
> That symbol table is sufficient for presenting a symbolic traceback
> of the call chain at the point of an abend, and if that's all you
> need, then stripping the DWARF completely sounds like what you want.
>
> Whether you can obfuscate the object-file's symbol table is a
> separate question for some other mailing list.
> --paulr
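Added example, not part of the original thread: a small check for which name-bearing sections an ELF64 file still carries, separating the .dynsym/.dynstr pair the dynamic linker needs from .symtab/.strtab and the DWARF .debug_* sections. The helper names and both sample images are constructed for illustration (build_elf emits only a header, .shstrtab and empty sections, not a loadable object).

```python
import struct

def section_names(elf: bytes) -> list:
    """Section names of a little-endian ELF64 image, in header-table order."""
    if elf[:4] != b"\x7fELF" or elf[4:6] != b"\x02\x01":
        raise ValueError("expected a little-endian ELF64 image")
    (shoff,) = struct.unpack_from("<Q", elf, 0x28)               # e_shoff
    entsize, shnum, shstrndx = struct.unpack_from("<HHH", elf, 0x3A)
    def name_and_offset(i):                                      # sh_name, sh_offset
        base = shoff + i * entsize
        return (struct.unpack_from("<I", elf, base)[0],
                struct.unpack_from("<Q", elf, base + 0x18)[0])
    strings = name_and_offset(shstrndx)[1]                       # .shstrtab file offset
    names = []
    for i in range(shnum):
        start = strings + name_and_offset(i)[0]
        names.append(elf[start:elf.index(b"\0", start)].decode())
    return names

def audit(elf: bytes) -> dict:
    """Split name-bearing sections into what the loader needs and what it does not."""
    names = section_names(elf)
    return {"dynamic": [n for n in names if n in (".dynsym", ".dynstr")],
            "static": [n for n in names if n in (".symtab", ".strtab")],
            "dwarf": [n for n in names if n.startswith(".debug_")]}

def build_elf(sections) -> bytes:
    """Constructed sample: ELF64 header, .shstrtab and empty named sections."""
    names = ["", *sections, ".shstrtab"]
    strtab, offsets = b"", []
    for n in names:
        offsets.append(len(strtab))
        strtab += n.encode() + b"\0"
    header = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, 64 + len(strtab), 0, 64, 0, 0, 64,
        len(names), len(names) - 1)
    table = b""
    for i, off in enumerate(offsets):
        last = i == len(names) - 1                               # the .shstrtab entry
        table += struct.pack("<IIQQQQIIQQ", off, 3 if last else 1 if i else 0, 0, 0,
                             64 if last else 0, len(strtab) if last else 0, 0, 0, 1, 0)
    return header + strtab + table

# Constructed inputs: a library as linked, and the same library after `ld -s`.
UNSTRIPPED = build_elf([".dynsym", ".dynstr", ".text", ".symtab", ".strtab",
                        ".debug_info", ".debug_line"])
STRIPPED = build_elf([".dynsym", ".dynstr", ".text"])

if __name__ == "__main__":
    for label, image in (("unstripped", UNSTRIPPED), ("stripped", STRIPPED)):
        print(label, audit(image))
```

To run audit() on a real file, pass it the file's bytes; a non-empty "dynamic" list on a stripped shared library is expected, since those names cannot be removed without breaking linking.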