How to protect buggy programs from security vulnerabilities under Linux and UNIX

A Buffer overflows is a serious security problem. It allows an attacker to inject executable code of their choice into an already-running application. This ability to run arbitrary code at certain memory addresses is dangerous as attacker being able to execute the instructions from anywhere in memory.

To protect bufferoverflow security vulnerabilities use diehard

With such problems in mind, Berger created a new program that prevents crashing and makes users safer, he says. Dubbed DieHard, there are versions for programs that run in Windows or Linux. DieHard is available free for non-commercial users at www.diehard-software.org.

DieHard protects applications from as-yet unfixed bugs and security vulnerabilities that exploit them. Think of DieHard as a new line of defense against hackers, together with anti-virus protection and firewalls.

DieHard library helps buggy programs run correctly and protects them from a range of security vulnerabilities. It works under

=> Microsoft Windows
=> Linux
=> Solaris UNIX operating systems

It supports almost any application for Linux and Solaris, DieHard currently protects Firefox on Windows XP and Vista – to use with Vista, right-click on the desktop shortcut, and set the Properties so it runs in Windows XP SP2 compatibility mode. DieHard works with Firefox versions 1.5.0.9 and higher, and 2.0.0.1.

Under desktop Linux you may need to protect popular program such as Mozilla Firefox.

How do I use diehard software under Linux?

First download diehard software using wget command:
$ wget 'http://www.cs.umass.edu/%7Eemery/diehard/download/1.0.1/diehard-1.0.1-linux.tar.gz'

Make an installation directory:
$ mkdir diehard

Untar diehard
$ tar -zxvf diehard-1.0.1-linux.tar.gz -C diehard

Setup LD_PRELOAD variable to protect binaries

A dynamic linker is the part of an operating system (OS) that loads and links the shared libraries for an executable when it is run. ld-linux.so is default dynamic linker on Linux (ld.so on BSD). Use LD_PRELOAD environment variable to instructs the loader to load additional libraries into a program, beyond what was specified when it was compiled. This way you can load protection provided by diehard software.

Append following line in /etc/profile or ~/.bash_profile file
$ vi ~/.bash_profile
Append LD_PRELOAD with the full path to the interposer library:
export LD_PRELOAD=/home/vivek/dirhard/libdiehard.so

Save and close the file. You can also type command at shell prompt:
export LD_PRELOAD=/home/vivek/dirhard/libdiehard.so

Now start application such as Firefox or other application:
$ fiefox & $ mozilla-thunderbird &
NOTE: Replace /home/vivek with your actual home directory name.

Verify that libdiehard.so is working for you with lsof command

$ lsof | grep libdiehard.so
Output:

startx    4386      vivek  mem       REG       3,65   215612   2150782 /home/vivek/dirhard/libdiehard.so
xinit     4397      vivek  mem       REG       3,65   215612   2150782 /home/vivek/dirhard/libdiehard.so
firefox   4600      vivek  mem       REG       3,65   215612   2150782 /home/vivek/dirhard/libdiehard.so
run-mozil 4603      vivek  mem       REG       3,65   215612   2150782 /home/vivek/dirhard/libdiehard.so
firefox-b 4608      vivek  mem       REG       3,65   215612   2150782 /home/vivek/dirhard/libdiehard.so
lsof      4621      vivek  mem       REG       3,65   215612   2150782 /home/vivek/dirhard/libdiehard.so
grep      4622      vivek  mem       REG       3,65   215612   2150782 /home/vivek/dirhard/libdiehard.so
lsof      4623      vivek  mem       REG       3,65   215612   2150782 /home/vivek/dirhard/libdiehard.so

How do I uninstall this program?

Simply remove export command from your .bash_profile or /etc/profile file. Delete all libdiehard.* files. Reboot the system.

How do I secure Windows XP Firefox version?

Download and install this software to protect Mozilla / Firefox on Windows.

Please note that Exec Shieldproject does almost same thing. It reduces the risk of worm or other automated remote attacks on Linux server systems. It can make the exploitation of several types of security vulnerabilities much more difficult.
Update: See below for more information.

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

13 comment

Thanks for the nice summary. One correction – DieHard is *very* different from ExecShield, which is primarily aimed at protecting the stack. Most of ExecShield’s compiler techniques to avoid stack overflows would complement DieHard’s protection of the heap. However, DieHard’s protection – and its ability to continue execution in the face of errors – go far beyond the checks that glibc now includes (intended to detect heap corruption that DieHard makes impossible).

— Emery

Thanks for comment and pointing out difference between two. I have updated post 🙂

woot. just downloaded and running this new stuff. thnaks for article

so what’s the evidence that it really works?

Nightfox

You can try out buffer overflow against your apps or use old version of Firefox which is affected by this kind of attacks. Get FF 1.7.3 and visit test page http://www.cs.umass.edu/%7Eemery/diehard/crash-mozilla.htm

Appreciate your post.

Can i use this on server to protect Apache?

TIA.

Bill.

Personally I have not tested it with Apache. It is recommended that you run this software in sandbox for few days.

Is there way to know when this protection is used? It is supposedly be used with all programs, but how do I make sure programs I run have understood LD_PRELOAD and have loaded this?
False belief of security is quite often more dangerous than actually knowing you’re not secured 🙂

Does this work with KDE/Gnome after this trick, or do they need something else? I don’t like starting konsole to start up my apps to get this run 🙂

Ok how do you remove it once it is installed?
Sounds like a great idea, but I can’t afford the extra memory usage especially when running Firefox.

craigevil,

Remove export LD_PRELOAD=/path/to command from .bash_profile and delete files libdiehard.so libdiehard_r.so replicated

Reboot system.

@kerbe,

According to man page LD_PRELOAD applied to all ELF shared libraries to be loaded before all others. So you can use options from menu itself. No need to start firefox from command prompt. You can verify this with lsof command

lsof | grep libdiehard.so
Output:

startx    4386      vivek  mem       REG       3,65   215612   2150782 /home/vivek/dirhard/libdiehard.so
xinit     4397      vivek  mem       REG       3,65   215612   2150782 /home/vivek/dirhard/libdiehard.so

I used this on Xp w/ Firefox.

Firefox keeps running no matter what.

So, according to task manager, I have an unresponsive instance of Firefox running and it is consuming over 250mb RAM.

Stool,

Yes this program eats lots of memory.

HTH

Emery Berger says:
January 2, 2007 at 5:17 am
Thanks for the nice summary. One correction – DieHard is *very* different from ExecShield, which is primarily aimed at protecting the stack. Most of ExecShield’s compiler techniques to avoid stack overflows would complement DieHard’s protection of the heap. However, DieHard’s protection – and its ability to continue execution in the face of errors – go far beyond the checks that glibc now includes (intended to detect heap corruption that DieHard makes impossible).
— Emery
nixCraft says:
January 2, 2007 at 5:27 am
Thanks for comment and pointing out difference between two. I have updated post 🙂
jack says:
January 2, 2007 at 8:44 am
woot. just downloaded and running this new stuff. thnaks for article
nightfox says:
January 2, 2007 at 11:23 am
so what’s the evidence that it really works?
nixCraft says:
January 2, 2007 at 4:13 pm
Nightfox
You can try out buffer overflow against your apps or use old version of Firefox which is affected by this kind of attacks. Get FF 1.7.3 and visit test page http://www.cs.umass.edu/%7Eemery/diehard/crash-mozilla.htm
Appreciate your post.
bill says:
January 2, 2007 at 6:14 pm
Can i use this on server to protect Apache?
TIA.
nixCraft says:
January 2, 2007 at 6:15 pm
Bill.
Personally I have not tested it with Apache. It is recommended that you run this software in sandbox for few days.
kerbe says:
January 4, 2007 at 10:41 am
Is there way to know when this protection is used? It is supposedly be used with all programs, but how do I make sure programs I run have understood LD_PRELOAD and have loaded this?
False belief of security is quite often more dangerous than actually knowing you’re not secured 🙂
Does this work with KDE/Gnome after this trick, or do they need something else? I don’t like starting konsole to start up my apps to get this run 🙂
craigevil says:
January 4, 2007 at 11:08 am
Ok how do you remove it once it is installed?
Sounds like a great idea, but I can’t afford the extra memory usage especially when running Firefox.
nixCraft says:
January 4, 2007 at 11:20 am
craigevil,
Remove export LD_PRELOAD=/path/to command from .bash_profile and delete files libdiehard.so libdiehard_r.so replicated
Reboot system.
nixCraft says:
January 4, 2007 at 11:25 am
@kerbe,
According to man page LD_PRELOAD applied to all ELF shared libraries to be loaded before all others. So you can use options from menu itself. No need to start firefox from command prompt. You can verify this with lsof command
lsof | grep libdiehard.so
Output:
```
startx    4386      vivek  mem       REG       3,65   215612   2150782 /home/vivek/dirhard/libdiehard.so
xinit     4397      vivek  mem       REG       3,65   215612   2150782 /home/vivek/dirhard/libdiehard.so
```
Stool pusher says:
January 14, 2007 at 7:29 pm
I used this on Xp w/ Firefox.
Firefox keeps running no matter what.
So, according to task manager, I have an unresponsive instance of Firefox running and it is consuming over 250mb RAM.
nixCraft says:
January 14, 2007 at 11:00 pm
Stool,
Yes this program eats lots of memory.
HTH

Have a question? Post it on our forum!