How to prevent LD_PRELOAD or ld.so.preload configuration?


Due to a license problem, a few libraries cannot be linked statically.

So is it possible to prevent/detect a preloaded library, either through the LD_PRELOAD environment variable or through the /etc/ld.so.preload configuration?

The former can be detected through getenv(). But I have no idea about the other method.

I think there might be a general way to do it. Is there?


Answer by Employed Russian:

> is it possible to prevent/detect a preloaded library, either through the LD_PRELOAD environment variable or through the /etc/ld.so.preload configuration?

You appear to be trying to implement some kind of anti-hacking protection. If so, it would be worth your while to study existing crackproofing techniques. This book describes a few.

Note that there are many other techniques to inject "foreign" code into your application besides LD_PRELOAD and /etc/ld.so.preload. A couple that immediately come to mind are: LD_AUDIT, running under a debugger, and renaming/replacing libc.so.

You have very little hope of stopping a moderately sophisticated attacker. On Linux, I can build my own libc.so.6, and I can rename LD_PRELOAD to something else. I can also build my own kernel and have it automatically inject myhack.so into your process without any user-space-visible effects. Or I can simply make system calls do something else when executed by your application.

> ... the LD_PRELOAD ... can be detected through getenv()

That would stop only the least sophisticated attacker, for two reasons:

  • the preloaded library could itself interpose getenv() and hide LD_PRELOAD from your application, and
  • LD_PRELOAD only matters at process startup. After the process has started, the preloaded library can easily remove LD_PRELOAD from the environment before your application has any chance to examine it.
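The two evasions listed in the answer, written out as a preloadable library. This is an added example, not code from the answer or the question: it interposes getenv() so the host program is told LD_PRELOAD is unset, and it uses an ELF constructor (which the dynamic loader runs before main()) to delete the variable from environ entirely. The variable name, the helper names raw_lookup and scrub_preload_var, and the build line in the comment are my choices for illustration; the lookup bypasses libc's getenv() by walking environ directly so the interposer never recurses into itself.

```c
/* hide_preload.c: demonstrates why a getenv("LD_PRELOAD") check is weak.
 *
 * Build as a shared object and inject it into a victim:
 *   gcc -shared -fPIC -O2 -o hide_preload.so hide_preload.c
 *   LD_PRELOAD=./hide_preload.so ./victim
 *
 * The same source also compiles into a normal executable; there the
 * executable's getenv() definition takes precedence over libc's, which is
 * how the checks below can exercise the interposer in one process.
 */
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Variable this library hides from the host program (assumed target). */
static const char HIDDEN_VAR[] = "LD_PRELOAD";

/* Look a name up directly in environ[], bypassing libc's getenv().
 * Returns a pointer to the value (text after '='), or NULL if absent.
 * Scanning environ ourselves is what keeps the interposed getenv() below
 * from calling itself. */
char *raw_lookup(const char *name)
{
    size_t len = strlen(name);
    for (char **e = environ; e != NULL && *e != NULL; e++) {
        if (strncmp(*e, name, len) == 0 && (*e)[len] == '=')
            return *e + len + 1;
    }
    return NULL;
}

/* Evasion 1 from the answer: interpose getenv().
 * Behaves like libc for every name except HIDDEN_VAR, for which it lies
 * and reports "not set" even while the variable is present in environ. */
char *getenv(const char *name)
{
    if (name == NULL)
        return NULL;
    if (strcmp(name, HIDDEN_VAR) == 0)
        return NULL;                /* hide it from the host program */
    return raw_lookup(name);
}

/* Evasion 2 from the answer: LD_PRELOAD only matters at startup, so once
 * the loader has honoured it the library can delete it. Returns 1 if the
 * variable was present and has now been removed, 0 if it was not set. */
int scrub_preload_var(void)
{
    if (raw_lookup(HIDDEN_VAR) == NULL)
        return 0;
    unsetenv(HIDDEN_VAR);           /* removes the entry from environ[] */
    return 1;
}

/* Constructor: the dynamic loader runs this when the library is mapped,
 * before the victim's main(), so a program that scans environ[] itself
 * (instead of trusting getenv) still finds nothing. */
__attribute__((constructor))
static void hide_on_load(void)
{
    scrub_preload_var();
}
```

Once both tricks are in place, neither getenv("LD_PRELOAD") nor a manual walk of environ in the application reveals the injection; the only trace left is the mapping itself (visible in /proc/self/maps), and a library loaded through /etc/ld.so.preload can apply the same interposition pattern to open()/fopen() to hide that file too.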