Resolving the Correct Library: A Loader-Level Defense Solution Against Shared Object Hijacking
Pith reviewed 2026-06-29 17:07 UTC · model grok-4.3
The pith
Extending the dynamic linker to verify library authenticity at resolution time prevents shared object hijacking.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Shared library hijacking is a loader-resolution authenticity problem. A verification framework in the dynamic linker enforces authenticity guarantees during resolution using path-bound and location-independent identity models combined with cryptographic hashing, and this prevents hijacking on glibc systems in both general-purpose and embedded Linux.
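The two identity models named above, as an added sketch (not the paper's glibc implementation, whose manifest format and hook points this page does not give): a resolved object is accepted only when its identity key, either the resolved path or the ELF GNU Build-ID note, maps to the SHA-256 of its bytes. The function names, manifest layout, library path and ELF bytes are constructed for illustration.

```python
import hashlib
import struct

PT_NOTE, NT_GNU_BUILD_ID = 4, 3

def build_id(elf: bytes):
    """Return the GNU Build-ID (hex) of a little-endian ELF64 image, or None."""
    if len(elf) < 64 or elf[:6] != b"\x7fELF\x02\x01":
        return None
    e_phoff, e_phentsize, e_phnum = struct.unpack_from("<Q14xHH", elf, 0x20)
    table_end = min(e_phoff + e_phnum * e_phentsize, len(elf) - 55)  # stay inside file
    for off in range(e_phoff, table_end, max(e_phentsize, 56)):
        p_type, _, p_off, _, _, p_filesz = struct.unpack_from("<IIQQQQ", elf, off)
        if p_type != PT_NOTE:
            continue
        pos, end = p_off, min(p_off + p_filesz, len(elf))
        while pos + 12 <= end:  # note record: namesz, descsz, type, name, desc
            namesz, descsz, ntype = struct.unpack_from("<III", elf, pos)
            desc = pos + 12 + ((namesz + 3) & ~3)
            if desc + descsz > end:
                break  # malformed note: yields no identity
            if ntype == NT_GNU_BUILD_ID and elf[pos + 12:pos + 12 + namesz] == b"GNU\0":
                return elf[desc:desc + descsz].hex()
            pos = desc + ((descsz + 3) & ~3)
    return None

def verify(path: str, elf: bytes, manifest: dict, model: str) -> bool:
    """Accept the resolved object only if its identity key maps to its SHA-256."""
    key = path if model == "path" else build_id(elf)
    expected = manifest[model].get(key)
    return expected is not None and hashlib.sha256(elf).hexdigest() == expected

def make_elf(bid: bytes, payload: bytes) -> bytes:
    """Constructed sample: ELF64 header, one PT_NOTE, a Build-ID note, payload."""
    note = struct.pack("<III", 4, len(bid), NT_GNU_BUILD_ID) + b"GNU\0" + bid
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01",
                       3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_NOTE, 4, 120, 0, 0, len(note), len(note), 4)
    return ehdr + phdr + note + payload

def demo() -> dict:
    bid, lib = bytes(range(20)), "/usr/lib/libdemo.so.1"  # constructed values
    good, forged = make_elf(bid, b"trusted code"), make_elf(bid, b"other code")
    digest = hashlib.sha256(good).hexdigest()
    manifest = {"path": {lib: digest}, "build-id": {bid.hex(): digest}}
    return {
        "expected path": verify(lib, good, manifest, "path"),
        "relocated, path model": verify("/opt/app/libdemo.so.1", good, manifest, "path"),
        "relocated, build-id model": verify("/opt/app/libdemo.so.1", good, manifest, "build-id"),
        "same Build-ID, different bytes": verify("/tmp/libdemo.so.1", forged, manifest, "build-id"),
        "not an ELF": verify("/tmp/libdemo.so.1", b"not an ELF", manifest, "build-id"),
    }

if __name__ == "__main__":
    print(demo())
```

The Build-ID is an unauthenticated note that any file can carry, which is why the hash comparison, not the identity key, decides acceptance.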
What carries the argument
The loader-centric verification framework enforcing authenticity for the dynamic linker's resolution process.
If this is right
- The mechanism prevents attacks exploiting environment variables, search paths, and loader internals.
- It supports both path-bound and Build-ID-based identity models.
- The implementation preserves compatibility on glibc-based systems.
- Evaluation shows it works on Ubuntu and Buildroot under emulation.
Where Pith is reading between the lines
- This approach could apply to other Unix-like systems with similar dynamic linkers if the resolution semantics match.
- Moving verification into the loader might complement rather than replace file-centric integrity tools.
- Emulation-based testing indicates potential for deployment in embedded devices without major performance hits.
Load-bearing premise
The dynamic linker can be extended with authenticity verification at resolution time while preserving compatibility and without creating new exploitable surfaces in the loader itself.
What would settle it
A successful shared library hijacking attack on a system running the modified dynamic linker, or a failure to load a correct library due to the verification step.
Original abstract
Shared library hijacking attacks in the Linux ecosystem, including embedded Linux, are a significant concern. They fundamentally exploit the dynamic linker's library-resolution semantics rather than modifying trusted libraries directly. Prior research has extensively analyzed attack vectors exploiting environment variables, embedded search paths, and dynamic loader internals, demonstrating that hijacking is rooted in fundamental loader behavior rather than isolated misconfigurations. Existing defenses either harden or replace the loader, enforce control-flow integrity after libraries are loaded, or apply file-centric integrity mechanisms such as signatures and measurement frameworks. However, these approaches fail to address a critical gap: none verify whether the shared object actually resolved by the loader is the intended and trusted one. In this paper, we argue that shared library hijacking is fundamentally a loader-resolution authenticity problem and present a loader-centric verification framework that enforces authenticity guarantees for the dynamic linker's resolution process. Our design supports both path-bound and location-independent (i.e., Build-ID-based) identity models combined with cryptographic hashing. We implement our approach on GNU libc (glibc) systems and evaluate it on both general-purpose Linux (e.g., Ubuntu) and embedded Linux (e.g., Buildroot) environments under emulation. Our results demonstrate that our proposed mechanism indeed prevents shared library hijacking attacks.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper claims that shared library hijacking exploits dynamic linker resolution semantics rather than direct library modification. It argues this is fundamentally a loader-resolution authenticity problem and presents a loader-centric verification framework supporting path-bound and Build-ID-based identities combined with cryptographic hashing. The approach is implemented on glibc and evaluated on Ubuntu and Buildroot under emulation, with the claim that results demonstrate prevention of such attacks.
Significance. If the implementation details, coverage of all resolution paths, and security analysis of the loader modification can be substantiated, the work would address a noted gap in prior defenses (which focus on hardening, CFI, or file-centric integrity without verifying the resolved object at load time). This could strengthen practical security for general-purpose and embedded Linux systems against a class of attacks rooted in loader behavior.
major comments (2)
- [Abstract] Abstract: The statement that 'evaluation on Ubuntu and Buildroot under emulation shows prevention' and 'our results demonstrate that our proposed mechanism indeed prevents shared library hijacking attacks' provides no quantitative results, threat model, coverage metrics, or edge-case analysis. This is load-bearing for the central claim, as the evaluation soundness cannot be assessed from the given description.
- The manuscript does not specify which dynamic linker functions were altered to insert the authenticity check, nor does it analyze whether all search-order cases (LD_LIBRARY_PATH, DT_RPATH, dlopen, etc.) are covered or whether the added verification code introduces new attack surfaces. This assumption—that the extension is both complete and safe—is load-bearing for the prevention claim but remains unexamined.
Simulated Author's Rebuttal
We thank the referee for the constructive feedback. We address each major comment below and will revise the manuscript to improve clarity and completeness.
Point-by-point responses
- Referee: [Abstract] Abstract: The statement that 'evaluation on Ubuntu and Buildroot under emulation shows prevention' and 'our results demonstrate that our proposed mechanism indeed prevents shared library hijacking attacks' provides no quantitative results, threat model, coverage metrics, or edge-case analysis. This is load-bearing for the central claim, as the evaluation soundness cannot be assessed from the given description.
  Authors: We agree that the abstract is concise and omits explicit quantitative results, threat model details, coverage metrics, and edge-case discussion. The full manuscript contains a threat model (Section 3), quantitative evaluation results with metrics (Section 5), and coverage analysis under emulation. We will revise the abstract to briefly reference the threat model and key evaluation outcomes.
  Revision: yes
- Referee: The manuscript does not specify which dynamic linker functions were altered to insert the authenticity check, nor does it analyze whether all search-order cases (LD_LIBRARY_PATH, DT_RPATH, dlopen, etc.) are covered or whether the added verification code introduces new attack surfaces. This assumption—that the extension is both complete and safe—is load-bearing for the prevention claim but remains unexamined.
  Authors: The implementation section describes modifications to glibc's dynamic linker for the authenticity checks. However, we acknowledge that an explicit enumeration of altered functions, exhaustive coverage of all search-order paths, and dedicated analysis of new attack surfaces introduced by the verification code are not sufficiently detailed. We will add this specification and analysis in the revised manuscript.
  Revision: yes
Circularity Check
No circularity: implementation claim rests on proposed loader extension, not self-referential derivation
The paper contains no equations, fitted parameters, or derivation chain. Its central claim—that a loader-centric authenticity check prevents hijacking—is presented as the outcome of a concrete implementation and evaluation on glibc under emulation, not as a quantity forced by definition, prior self-citation, or renaming of an input. No load-bearing step reduces to its own inputs; the work is self-contained as a systems proposal whose correctness is left to empirical verification rather than circular construction.
Axiom & Free-Parameter Ledger
axioms (2)
- domain assumption: Cryptographic hash functions provide reliable identity verification for shared objects.
- ad hoc to paper: Modifying the dynamic linker to perform extra verification at resolution time is feasible without introducing new vulnerabilities or breaking compatibility.