
arxiv: 2605.26665 · v1 · pith:H2YNUBZAnew · submitted 2026-05-26 · 💻 cs.CR

Resolving the Correct Library: A Loader-Level Defense Solution Against Shared Object Hijacking

Pith reviewed 2026-06-29 17:07 UTC · model grok-4.3

classification 💻 cs.CR
keywords shared library hijacking · dynamic linker · Linux security · authenticity verification · Build-ID · glibc · embedded Linux

The pith

Extending the dynamic linker to verify library authenticity at resolution time prevents shared object hijacking.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper identifies that shared library hijacking succeeds because the dynamic linker resolves libraries without confirming they are the intended ones. Prior defenses either replace or harden the loader, add post-load integrity checks, or use file signatures, but none verify the resolution itself. The authors propose a loader-centric framework that adds authenticity verification using path or Build-ID identities with hashes. This is implemented in glibc and tested on Ubuntu and embedded Buildroot systems, where it stops the attacks. Readers would care if this closes the root cause in the linker's behavior rather than treating symptoms.

Core claim

Shared library hijacking is a loader-resolution authenticity problem. A verification framework in the dynamic linker enforces authenticity guarantees during resolution using path-bound and location-independent identity models combined with cryptographic hashing, and this prevents hijacking on glibc systems in both general-purpose and embedded Linux.
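As an added illustration (not the paper's code, which the authors implement inside glibc and, for the path-based case study, enable through the LD_AUDIT interface), the following standalone Python models the resolution-time decision for both identity models. The manifest layout, the function names and the minimal ELF image are assumptions made here; both models bind the identity to a SHA-256 of the file, and the demo shows the one case where the models differ, a relocated but unmodified copy.

```python
import hashlib
import struct
import tempfile
from pathlib import Path

NT_GNU_BUILD_ID, PT_NOTE = 3, 4

def make_elf_with_build_id(build_id: bytes, payload: bytes) -> bytes:
    # Constructed sample: minimal ELF64 LE image, one PT_NOTE program header holding an NT_GNU_BUILD_ID note.
    name = b"GNU\0"
    note = struct.pack("<III", len(name), len(build_id), NT_GNU_BUILD_ID) + name
    note += build_id + b"\0" * (-len(build_id) % 4)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8,
                       3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_NOTE, 4, 120, 0, 0, len(note), len(note), 4)
    return ehdr + phdr + note + payload

def read_build_id(data: bytes):
    # Hex Build-ID from the first NT_GNU_BUILD_ID note in any PT_NOTE segment, or
    # None. Walks the program headers, which is what a loader has once it maps a file.
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        return None
    e_phoff, _, _, _, e_phentsize, e_phnum = struct.unpack_from("<QQIHHH", data, 32)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type != PT_NOTE:
            continue
        pos, end = p_offset, p_offset + p_filesz
        while pos + 12 <= end:
            namesz, descsz, ntype = struct.unpack_from("<III", data, pos)
            desc_off = pos + 12 + (namesz + 3) // 4 * 4
            if data[pos + 12:pos + 12 + namesz] == b"GNU\0" and ntype == NT_GNU_BUILD_ID:
                return data[desc_off:desc_off + descsz].hex()
            pos = desc_off + (descsz + 3) // 4 * 4
    return None

def verify_resolution(resolved_path: str, manifest: dict, model: str) -> bool:
    # Manifest (assumed layout): {"paths": {canonical_path: sha256}, "build_ids": {build_id_hex: sha256}}.
    # Both identities bind to the content hash, so a forged Build-ID or a same-path replacement also fails.
    canonical = str(Path(resolved_path).resolve())
    data = Path(canonical).read_bytes()
    digest = hashlib.sha256(data).hexdigest()
    if model == "path":
        return manifest["paths"].get(canonical) == digest
    bid = read_build_id(data)
    return bid is not None and manifest["build_ids"].get(bid) == digest

def run_demo() -> dict:
    # Offline provisioning of one trusted library, then online decisions for an
    # untouched file, a relocated copy, and a same-path replacement, per model.
    bid = bytes(range(20))
    trusted = make_elf_with_build_id(bid, b"trusted code")
    tampered = make_elf_with_build_id(bid, b"altered code")  # same Build-ID, new bytes
    good = Path(tempfile.mkdtemp()) / "libfoo.so"
    moved = Path(tempfile.mkdtemp()) / "libfoo.so"
    for p in (good, moved):
        p.write_bytes(trusted)
    sha = hashlib.sha256(trusted).hexdigest()
    manifest = {"paths": {str(good.resolve()): sha}, "build_ids": {bid.hex(): sha}}
    out = {f"{c}_{m}": verify_resolution(str(p), manifest, m)
           for c, p in (("good", good), ("moved", moved)) for m in ("path", "build-id")}
    good.write_bytes(tampered)  # replacement lands after provisioning
    out.update({f"tampered_{m}": verify_resolution(str(good), manifest, m) for m in ("path", "build-id")})
    return out
```

Under the path-bound model the relocated copy is rejected even though its bytes are intact; under the Build-ID model it is accepted, while the in-place replacement fails both models because its hash no longer matches the provisioned one.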

What carries the argument

The loader-centric verification framework enforcing authenticity for the dynamic linker's resolution process.

If this is right

  • The mechanism prevents attacks exploiting environment variables, search paths, and loader internals.
  • It supports both path-bound and Build-ID-based identity models.
  • The implementation preserves compatibility on glibc-based systems.
  • Evaluation shows it works on Ubuntu and Buildroot under emulation.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • This approach could apply to other Unix-like systems with similar dynamic linkers if the resolution semantics match.
  • Moving verification into the loader might complement rather than replace file-centric integrity tools.
  • Emulation-based testing indicates potential for deployment in embedded devices without major performance hits.

Load-bearing premise

The dynamic linker can be extended with authenticity verification at resolution time while preserving compatibility and without creating new exploitable surfaces in the loader itself.

What would settle it

A successful shared library hijacking attack on a system running the modified dynamic linker, or a failure to load a correct library due to the verification step.

Figures

Figures reproduced from arXiv: 2605.26665 by Can Ozkan, Dave Singelee.

Figure 1: Proposed offline provisioning and online runtime enforcement workflow

Figure 2: Steps for case studies

Paper text captured alongside Figure 2: We then enabled our proposed path-based enforcement mechanism using the LD_AUDIT interface. During shared-object resolution, the verifier compared the resolved canonical path against the authenticated whitelist manifest and rejected the unauthorized library before application execution proceeded. The verifier terminated execution because the attacker-controlled library path did not …

Original abstract

Shared library hijacking attacks in the Linux ecosystem, including embedded Linux, are a significant concern. They fundamentally exploit the dynamic linker's library-resolution semantics rather than modifying trusted libraries directly. Prior research has extensively analyzed attack vectors exploiting environment variables, embedded search paths, and dynamic loader internals, demonstrating that hijacking is rooted in fundamental loader behavior rather than isolated misconfigurations. Existing defenses either harden or replace the loader, enforce control-flow integrity after libraries are loaded, or apply file-centric integrity mechanisms such as signatures and measurement frameworks. However, these approaches fail to address a critical gap: none verify whether the shared object actually resolved by the loader is the intended and trusted one. In this paper, we argue that shared library hijacking is fundamentally a loader-resolution authenticity problem and present a loader-centric verification framework that enforces authenticity guarantees for the dynamic linker's resolution process. Our design supports both path-bound and location-independent (i.e., Build-ID-based) identity models combined with cryptographic hashing. We implement our approach on GNU libc (glibc) systems and evaluate it on both general-purpose Linux (e.g., Ubuntu) and embedded Linux (e.g., Buildroot) environments under emulation. Our results demonstrate that our proposed mechanism indeed prevents shared library hijacking attacks.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 0 minor

Summary. The paper claims that shared library hijacking exploits dynamic linker resolution semantics rather than direct library modification. It argues this is fundamentally a loader-resolution authenticity problem and presents a loader-centric verification framework supporting path-bound and Build-ID-based identities combined with cryptographic hashing. The approach is implemented on glibc and evaluated on Ubuntu and Buildroot under emulation, with the claim that results demonstrate prevention of such attacks.

Significance. If the implementation details, coverage of all resolution paths, and security analysis of the loader modification can be substantiated, the work would address a noted gap in prior defenses (which focus on hardening, CFI, or file-centric integrity without verifying the resolved object at load time). This could strengthen practical security for general-purpose and embedded Linux systems against a class of attacks rooted in loader behavior.

major comments (2)
  1. [Abstract] The statement that 'evaluation on Ubuntu and Buildroot under emulation shows prevention' and 'our results demonstrate that our proposed mechanism indeed prevents shared library hijacking attacks' provides no quantitative results, threat model, coverage metrics, or edge-case analysis. This is load-bearing for the central claim, as the evaluation soundness cannot be assessed from the given description.
  2. The manuscript does not specify which dynamic linker functions were altered to insert the authenticity check, nor does it analyze whether all search-order cases (LD_LIBRARY_PATH, DT_RPATH, dlopen, etc.) are covered or whether the added verification code introduces new attack surfaces. This assumption—that the extension is both complete and safe—is load-bearing for the prevention claim but remains unexamined.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback. We address each major comment below and will revise the manuscript to improve clarity and completeness.

Point-by-point responses
  1. Referee: [Abstract] The statement that 'evaluation on Ubuntu and Buildroot under emulation shows prevention' and 'our results demonstrate that our proposed mechanism indeed prevents shared library hijacking attacks' provides no quantitative results, threat model, coverage metrics, or edge-case analysis. This is load-bearing for the central claim, as the evaluation soundness cannot be assessed from the given description.

    Authors: We agree that the abstract is concise and omits explicit quantitative results, threat model details, coverage metrics, and edge-case discussion. The full manuscript contains a threat model (Section 3), quantitative evaluation results with metrics (Section 5), and coverage analysis under emulation. We will revise the abstract to briefly reference the threat model and key evaluation outcomes. revision: yes

  2. Referee: The manuscript does not specify which dynamic linker functions were altered to insert the authenticity check, nor does it analyze whether all search-order cases (LD_LIBRARY_PATH, DT_RPATH, dlopen, etc.) are covered or whether the added verification code introduces new attack surfaces. This assumption—that the extension is both complete and safe—is load-bearing for the prevention claim but remains unexamined.

    Authors: The implementation section describes modifications to glibc's dynamic linker for the authenticity checks. However, we acknowledge that an explicit enumeration of altered functions, exhaustive coverage of all search-order paths, and dedicated analysis of new attack surfaces introduced by the verification code are not sufficiently detailed. We will add this specification and analysis in the revised manuscript. revision: yes

Circularity Check

0 steps flagged

No circularity: implementation claim rests on proposed loader extension, not self-referential derivation

full rationale

The paper contains no equations, fitted parameters, or derivation chain. Its central claim—that a loader-centric authenticity check prevents hijacking—is presented as the outcome of a concrete implementation and evaluation on glibc under emulation, not as a quantity forced by definition, prior self-citation, or renaming of an input. No load-bearing step reduces to its own inputs; the work is self-contained as a systems proposal whose correctness is left to empirical verification rather than circular construction.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

The design rests on standard assumptions about cryptographic hash collision resistance and the feasibility of modifying the dynamic linker without breaking existing binaries; no free parameters or invented entities are introduced in the abstract.

axioms (2)
  • domain assumption: Cryptographic hash functions provide reliable identity verification for shared objects.
    Implicit in the use of hashing for authenticity; standard assumption in security literature.
  • ad hoc to paper: Modifying the dynamic linker to perform extra verification at resolution time is feasible without introducing new vulnerabilities or breaking compatibility.
    Required for the loader-centric approach to be practical; stated as part of the design goal.

pith-pipeline@v0.9.1-grok · 5752 in / 1294 out tokens · 23627 ms · 2026-06-29T17:07:49.977693+00:00 · methodology
