Return to the Front page

LWN.net Weekly Edition for May 16, 2013

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Weekly edition	Kernel	Security	Distributions	Contact Us	Search
Archives	Calendar	Subscribe	Write for LWN	LWN.net FAQ	Sponsors

Is pre-linking worth it?

By Jake Edge
July 15, 2009

The recent problem with prelink in Fedora Rawhide has led some to wonder about what advantages pre-linking actually brings—and whether those advantages outweigh the pain it can cause. Pre-linking can reduce application start up time—and save some memory as well—but there are some downsides; not least the possibility of an unbootable system as some Rawhide users encountered. The advantages are small enough, or hard enough to completely quantify, that it leads to questions about whether it is justified as the default for Fedora.

Linux programs typically consist of a binary executable file that refers to multiple shared libraries. These libraries are loaded into memory once and shared by multiple executables. In order to make that happen, the dynamic linker (i.e. ld.so) needs to change the binary in memory such that any addresses of library objects point to the right place in memory. For applications with many shared libraries—GUI programs for example—that process can take some time.

The idea behind pre-linking is fairly simple: reduce the amount of time the dynamic linker needs to spend doing these address relocations by doing it in advance and storing the results. The prelink program processes ELF binaries and shared libraries in much the same way that ld.so would, and then adds special ELF sections to the files describing the relocations. When ld.so loads a pre-linked binary or library, it checks these sections and, if the libraries are loaded at the expected location and the library hasn't changed, it can do its job much more quickly.

But there are a few problems with that approach. For one thing, it makes the location of shared libraries very predictable. One of the ideas behind address space layout randomization (ASLR) is to randomize these locations each time a program is run—or library loaded—so that malicious programs cannot easily and reproducibly predict addresses. On Fedora and Red Hat Enterprise Linux (RHEL) systems, prelink is run every two weeks with a parameter to request random addresses to alleviate this problem, but they do stay fixed over that time period.

In addition, whenever applications or libraries are upgraded, prelink must be run again. The linker is smart enough to recognize the situation and revert to its normal linking process when something has changed, but the advantage that prelink brings is lost until the pre-linking is redone. Also, the kernel randomly locates the VDSO (virtual dynamically-linked shared object) "library", which, on 32-bit systems, can overlap one of the libraries, requiring some address relocation anyway. Overall, pre-linking is a bit of a hack, and it is far from clear that its benefits are substantial enough to overcome that.

Fedora and Red Hat Enterprise Linux (RHEL) enable pre-linking by default, while most other distributions make prelink available, but seem unconvinced that the benefits are substantial enough to make it the default. Because it is a very system-dependent feature, hard performance numbers are difficult to find. It certainly helps in some cases, but is it really something that everyone needs?

Matthew Miller brought that question up on the fedora-devel mailing list:

I see [prelink] as adding unnecessary complexity and fragility, and it makes forensic verification difficult. Binaries can't be verified without being modified, which is far from ideal. And the error about dependencies having changed since prelinking is disturbingly frequent.

On the other hand, smart people have worked on it. It's very likely that those smart people know things I don't. I can't find any good numbers anywhere demonstrating the concrete benefits provided by prelink. Is there data out there? [...]

Even assuming a benefit, the price may not be worth it. SELinux gives a definite performance hit, but it's widely accepted as being part of the price to pay for added security. Enabling prelink seems to fall on the other side of the line. What's the justification?

Glibc maintainer Ulrich Drepper noted that pre-linking avoids most or all of the cost of relocations, while also pointing out that the relatively new symbol table hashing feature in GCC reduces the gain for pre-linking. He also described an additional benefit: memory pages that do not require changes for relocations will not be copied (due to copy-on-write) and can thus be shared between multiple processes running the same executable. But his primary motivation may have more to do with his work flow: "Note, also small but frequently used apps benefit. I run gcc etc a lot and like every single saved cycle."

The effect of pre-linking can be measured by using the LD_DEBUG environment variable as Drepper described. Jakub Jelinek, who is the author of prelink, posted some results for OpenOffice.org Writer showing an order of magnitude difference in the amount of time spent doing relocations between pre-linked and regular binaries. Those results are impressive, but, at least for long-running programs, start up time doesn't really dominate—desktop applications, or often-used utilities, are the likely benefactors. As Miller puts it:

If I can get a 50% speed up to a program's startup times, that sounds great, but if I then leave that program running for days on end, I haven't actually won very much at all -- but I still pay the price continuously. (That price being: fragility, verifiability, and of course the prelinking activity itself.)

For 32-bit processors, though, which are those most likely to benefit from the memory savings, there is still the VDSO overlap problem. John Reiser did an experiment using cat and found that glibc needed to be dynamically relocated fairly frequently:

This means that glibc must be dynamically relocated about 10% of the time anyway, even though glibc has been pre-linked, and even though /bin/cat is near minimal in its use of shared libraries. When a GNOME app uses 50 or more pre-linked shared libs, as claimed in another thread on this subject, then runtime conflict and expense are even more likely.

There doesn't seem to be a large interest in removing the prelink default for Fedora, but one has to wonder, if the savings are as large and widespread as people seem to think, why other distributions have been reluctant to adopt it. Part of the reason may be the possibility of a prelink bug rendering systems unbootable or reluctance to rely upon something that requires modifying binaries and libraries, regularly, to keep everything in sync. The security issues may also play into their thinking, though Jelinek argues that security-sensitive programs should be position-independent executables (PIE) that are not pre-linked, and thus have ASLR done for every execution.

While not impossible, a problem like Rawhide suffered seems unlikely to occur in more polished, non-development releases. Though prelink does provide a benefit, it may be a bit hard to justify as time goes on. For some, who are extremely sensitive to start up time costs, it may make a great deal of sense, but it may well be that for the majority of users, the annoyance and dangers are just not worth it.

(Log in to post comments)

Is pre-linking worth it?

Posted Jul 15, 2009 17:06 UTC (Wed) by fuhchee (subscriber, #40059) [Link]

Looking at your last paragraph, I can't match up these two claims: ... it may well be that for the majority of users, the annoyance and dangers are just not worth it ... and ... a problem like Rawhide suffered seems unlikely to occur in more polished, non-development releases ...

What "annoyance and dangers" does "that majority" experience, other than that single rawhide bug (which by nature is not used by many people)?

Is pre-linking worth it?

Posted Jul 15, 2009 17:20 UTC (Wed) by jake (editor, #205) [Link]

hmm, "unlikely" does not mean impossible. there are potential dangers associated with pre-linking, from possible bugs to security implications, as i thought i described in the article; perhaps i didn't communicate them well, though. the annoyances are things like prelink needing to run regularly, changing binary files which makes binary integrity harder to check, etc.

and, if i am not mistaken, Fedora would like to see *more* people use rawhide.

jake

Is pre-linking worth it?

Posted Jul 15, 2009 21:11 UTC (Wed) by nix (subscriber, #2304) [Link]

On 64-bit boxes, of course, there are pretty much no security implications
of prelinking: even if ASLR *is* statically determined when prelink is
active, the address space is large enough that an attacker has little
chance of success anyway. And the address space on 32-bit is small enough
that ASLR is at best a band-aid.

The danger with prelink isn't that it lets attackers bruteforce their way
past ASLR (they can do that anyway). It's that *if* they have a multistage
attack to carry out (guess ASLRed addresses then guess something else,
say) and *if* they can tell that ASLR has been defeated and *if* each
attack round involves exec()ing a new program (rather than fork()ing an
old one or using a thread pool), then they can eliminate the effects of
ASLR more rapidly and concentrate on the second part of the attack, if
prelink is in use.

I'm not sure this actually affects many programs. openssh is the only one
I can think of that actually exec()s a new copy of itself when a request
comes in (specifically to allow ASLR to rerandomize things). Apache
doesn't do this and neither does anything else I can think of except for
services run from inetd.

Can anyone think of any other network-facing programs this might affect?

(I don't prelink my 32-bit firewalls for exactly this reason. Boxes behind
the firewall get prelinked.)

Is pre-linking worth it?

Posted Jul 15, 2009 21:53 UTC (Wed) by jake (editor, #205) [Link]

> On 64-bit boxes, of course, there are pretty much no security implications
> of prelinking: even if ASLR *is* statically determined when prelink is
> active, the address space is large enough that an attacker has little
> chance of success anyway.

Hmm, the security problems with pre-linking don't center around brute-forcing library addresses, I don't think. Instead, if an attacker can run a program and see where libc (for example) ends up in their memory map, they can be pretty sure it will be in the same place for other targets of interest. For up to two weeks.

jake

Is pre-linking worth it?

Posted Jul 15, 2009 23:12 UTC (Wed) by nix (subscriber, #2304) [Link]

A *local* attacker? If a hostile attacker has got onto your system and can
observe /proc/self/maps for security-critical programs (say, those running
as root) you have already lost, ASLR or no ASLR. If you are concerned
about hostile users, chmod such programs so that only root can execute
them, or explicitly 'prelink --undo' them to re-enable ASLR for those
programs.

I was talking about ASLR's role in stopping them from getting on in the
first place, when they have to use 'did {this part of} the exploit work?'
as an oracle.

Is pre-linking worth it?

Posted Jul 15, 2009 23:25 UTC (Wed) by jake (editor, #205) [Link]

> A *local* attacker? If a hostile attacker has got onto your system and can
> observe /proc/self/maps for security-critical programs

I think we are talking across each other. If an attacker can do 'cat /proc/self/maps', and thus see the memory map of 'cat', they will see where libc is mapped. On a pre-linked system, that is the likely place it is mapped for *other* interesting programs. So, a local attacker, or one who can get map information for simple, non-security-critical programs, can then use that information in a buffer overflow or other exploit of the security-critical program of interest (assuming it links to libc).

*that* is a security hole for pre-linking ...

(btw, your email notifications are bouncing :)

jake

Is pre-linking worth it?

Posted Jul 16, 2009 0:36 UTC (Thu) by nix (subscriber, #2304) [Link]

Agreed: prelink is problematic iff you have hostile local users, but if
you avoid prelinking privileged programs, libc will be mapped elsewhere
for those programs.

(Sorry about the bounces: my ISP, Zetnet, has gone insane, changing my
static IP but failing to tell me the new IP address ahead of time, failing
to update my DNS zone even when specifically requested, so all its RRs
still point to the old address, messing up the MX relay so that all
incoming email, even to their own DNS administrator, gets bounced rather
than queued, and failing to give me a MAC code (horrid UK-specific
broadband techspeak) as they are legally obliged to, so I can't even
switch to a new ISP. It's absolutely crazy, and I can do nothing
whatsoever about it. God knows what email I've lost.

To make this Linux-relevant, let this be a lesson to everyone in the
dangers of making Debian developers redundant, especially when they know
the network from top to bottom and you're just about to carry out major
changes to that network. In fact it's better never to make Debian
developers redundant at all. Actually it's best if you just give them lots
of money without their even needing to ask. Really.)

Is pre-linking worth it?

Posted Jul 16, 2009 6:05 UTC (Thu) by PaXTeam (subscriber, #24616) [Link]

ASLR was never meant to protect against local attacks, see http://lwn.net/Articles/334027/ for more explanation. the two week period is a vulnerability however for it's plenty of time to remotely brute force guess addresses (that is, when one cannot already leak addresses). that's why ASLR is really only meaningful when you can limit brute force search.

Why modify the executable?

Posted Jul 15, 2009 17:17 UTC (Wed) by epa (subscriber, #39769) [Link]

Modifying the executable by adding another ELF section sounds messy. Why not a separate file foo.prelink storing the information? Then ld.so can use this file if it exists and if ld.so is configured to take notice of prelink info. The original binary is unchanged.

Why modify the executable?

Posted Jul 15, 2009 18:51 UTC (Wed) by i3839 (guest, #31386) [Link]

Because that would cause an extra disk seek, destroying any benefit prelink might give.

Why modify the executable?

Posted Jul 15, 2009 19:26 UTC (Wed) by Los__D (guest, #15263) [Link]

How is adding another file less messy than adding another ELF section?

Why modify the executable?

Posted Jul 15, 2009 21:04 UTC (Wed) by nix (subscriber, #2304) [Link]

That's inaccurate. prelink modifies the relocations in the executable
itself: it doesn't add a new section describing them.

It *does* add a section describing the 'conflicts' that it *cannot* ---
there are two per C++ virtual method table, for instance --- and a section
allowing it to undo its own work, but there is no new section describing
relocations. The glory of relink is that to a large extent all the dynamic
loader needed to do to work with it was to know when to get out of the
way.

And it has a huge positive benefit for KDE, so large that a kludge
(kdeinit) had to be implemented specifically to prevent a massive slowdown
when prelink wasn't active (also because without kdeinit you'd have
to execute a new program to handle *every single URL* that was loaded
while loading a webpage, for instance). That's because KDE programs link
against a lot of C++ shared libraries, and even with .gnu.hash
ameliorating the 'long C++ symbols take ages to relocate' problem, the
libraries are so large that relocation takes ages (even with DT_BIND_NOW
off: some of the relocations have to be processed immediately and can't be
handled lazily).

An example: on my KDE 3.5.10 system here, kio_http (a shared library
itself) and dependent libraries contain a total of 48929 symbols with an
average length of 31.9. (Taking C++ symbols only, the average symbol
length is 35.4: most of the symbols are C++). You can expect a
nonprelinked KDE program to use a meg or so of extra dirty nonshareable
memory just for the relocations (I haven't looked at this figure for some
time: it'll be worse on 64-bit boxes but of course they normally have more
memory anyway).

That is *not* small. prelink really does help with monsters like this,
even with DT_GNU_HASH to help speed up relocation when it must happen.

And programs are only going to get bigger.

Why modify the executable?

Posted Jul 15, 2009 22:48 UTC (Wed) by pynm0001 (guest, #18379) [Link]

A couple of small quibbles: Although KDE downloads webpages through a separate process, it does not necessarily have to fork one for every link visited. Existing kio_http processes (procs, not shared libs) are retained for some amount of time after they've been forked in case they are needed to be reused.

kdeinit existed before prelink, although essentially to fix the same problem.

Why modify the executable?

Posted Jul 15, 2009 23:15 UTC (Wed) by nix (subscriber, #2304) [Link]

Ooo, kio_http is in effect thread-pooled?

[digdig]

So it is! I never knew that. Nifty (also bleeding obvious in hindsight,
given that I can see some hanging around even now, when I'm not actively
downloading any web pages. Ah well, the glory of the Internet is that one
can display one's ignorance in front of thousands).