An Evil Copy: How the Loader Betrays You

Xinyang Ge, Mathias Payer, Trent Jaeger

Research output: Chapter in Book/Report/Conference proceedingConference contribution

7 Scopus citations


Dynamic loading is a core feature used on current systems to (i) enable modularity and reuse, (ii) reduce memory footprint by sharing code pages of libraries and executables among processes, and (iii) simplify update procedures by eliminating the need to recompile executables when a library is updated. The Executable and Linkable Format (ELF) is a generic specification that describes how executable programs are stitched together from object files produced from source code to libraries and executables. Programming languages allow fine-grained control over variables, including access and memory protections, so programmers may write defense mechanisms assuming that the permissions specified at the source and/or compiler level will hold at runtime. Unfortunately, information about memory protection is lost during compilation. We identify one case that has significant security implications: when instantiating a process, constant external variables that are referenced in executables are forcefully relocated to a writable memory segment without warning. The loader trades security for compatibility due to the lack of memory protection information on the relocated external variables. We call this new attack vector COREV for Copy Relocation Violation. An adversary may use a memory corruption vulnerability to modify such “read-only” constant variables like vtables, function pointers, format strings, and file names to bypass defenses (like FORTIFY_SOURCE or CFI) and to escalate privileges. We have studied all Ubuntu 16.04 LTS packages and found that out of 54,045 packages, 4,570 packages have unexpected copy relocations that change read-only permissions to read-write, presenting new avenues for attack. The attack surface is broad with 29,817 libraries exporting relocatable read-only variables. The set of 6,399 programs with actual copy relocation violations includes ftp servers, apt-get, and gettext. We discuss the cause, effects, and a set of possible mitigation strategies for the COREV attack vector.

Original languageEnglish (US)
Title of host publication24th Annual Network and Distributed System Security Symposium, NDSS 2017
PublisherThe Internet Society
ISBN (Electronic)1891562460, 9781891562464
StatePublished - 2017
Event24th Annual Network and Distributed System Security Symposium, NDSS 2017 - San Diego, United States
Duration: Feb 26 2017Mar 1 2017

Publication series

Name24th Annual Network and Distributed System Security Symposium, NDSS 2017


Conference24th Annual Network and Distributed System Security Symposium, NDSS 2017
Country/TerritoryUnited States
CitySan Diego

All Science Journal Classification (ASJC) codes

  • Control and Systems Engineering
  • Computer Networks and Communications
  • Safety, Risk, Reliability and Quality

Cite this