alt.hn

5/8/2026 at 12:03:38 AM

GNU IFUNC is the real culprit behind CVE-2024-3094

 https://github.com/robertdfrench/ifuncd-up

by foltik

5/8/2026 at 2:59:05 AM

This is barking up the wrong tree.

Using IFUNC to patch sshd was kind of elegant, it achieved rootkit like behaviour with a pre-existing mechanism. And sure, it might be possible for a secure daemon like sshd to drop enough privileges that it could protect itself from a malicious dynamically linked library.

But IFUNC was not required, neither was systemd. The game was lost as soon as the attacker had arbitrary code installed in a semi-common library. It doesn't have to get linked directly with sshd, it only needed to be linked into any program running as root, at least one time.

Most programs make zero effort to sandbox themselves, and as soon as one of those links with the malicious library, it could do anything. Like indirectly targeting sshd by patching its binary on disk (optionally hiding it with a rootkit), or using debug APIs to patch sshd in memory.

IFUNC, systemd, and the patched openssh are all irrelevant to the issue, that was simply the route this attacker took to leverage their foothold in libxz. There are thousands of potential routes the attacker could have taken, and we simply can't defend from all of them.

by phire

5/8/2026 at 11:20:29 AM

> Most programs make zero effort to sandbox themselves, and as soon as one of those links with the malicious library, it could do anything. Like indirectly targeting sshd by patching its binary on disk (optionally hiding it with a rootkit), or using debug APIs to patch sshd in memory.

I do not understand how you even expected sshd to sandbox itself. Its entire purposes is to (a) daemonize , (b) allow incoming connections in and then (c) forward (possibly-root) shell statements. All 3 things are 100% required for sshd and would have already allowed an attack like this. Any talk about sandboxing here (or dropping privileges) is wishful thinking.

by AshamedCaptain

5/8/2026 at 11:17:57 AM

I recently tried to make something properly sandboxed and, my goodness, we have basically crafted an ecosystem where everything needs access to everything. No wonder docker, despite all it's faults, is how everyone does it. You need an entire linux distro completely accessible in your sandbox.

by zaphar

5/8/2026 at 2:18:34 PM

POSIX is a millstone around the neck of the software industry.

If you wanted to do something really new in operating systems, you might think "POSIX is insecure" or "POSIX is bloated", etc. If you have a fundamentally different API though you have to write a whole new userspace. You're going to put in a POSIX personality so you can run bash and vim and nethack but once you do that you have the insecurity, bloat, etc.

by PaulHoule

5/8/2026 at 7:06:44 PM

POSIX is backwards in so many ways. It freezes in time the OS innovations of the 70s.

by jnwatson

5/9/2026 at 1:56:56 PM

I have a conspiracy theory, unsupported by facts, that Richard Stallman secretly invented POSIX as a way to get the proprietary UNIX vendors to waste time on something whose only value was to make it easier for folks to port their apps to GNUUUUUUUU/Linux.

by robertdfrench

5/10/2026 at 2:41:42 PM

Stallman only invented the name “POSIX”, not the standard itself.

by teddyh

5/11/2026 at 3:14:56 AM

that's what Big POSIX wants you to think pal

by robertdfrench

5/8/2026 at 8:57:06 AM

It was not essential to the exploit, but that does not mean it was irrelevant. More commonly used libraries are watched harder. The exploit was made much, much, worse by its indirect use by way of systemd. Approximately nobody wanted that feature and it still went in. That's something we need to be able to discuss.

by xorcist

5/8/2026 at 11:18:28 AM

But the fact that it was done indirectly from systemd has nothing to do with IFUNC.

by AshamedCaptain

5/8/2026 at 10:15:27 AM

There is always selinux if we want to add protection against arbitrary code running as root. Just because something operate as root does not mean it must have privileged access to everything.

by belorn

5/8/2026 at 2:21:02 PM

Ouch! SELinux sorta works for the software which is packed in with the operating system which you may or may not care about. If you want to get that software to do something different or have software that you really care about (like the application server that your web site runs on) controlled by SELinux it is difficult enough that the usual answer is "disable SELinux" or "don't apply it"

by PaulHoule

5/8/2026 at 11:59:06 AM

Did anyone look into whether OpenBSD has privilege separated sshd enough for that exploit to not be possible?

by cenamus

5/8/2026 at 12:51:02 PM

OpenBSD exposes pledge() and unveil(), which allow programs to only access things they declare they need. So, even if the running SSH process gets exploited, it can't do anything the user it's running as can't do. sshd afaik runs as a root process which after authentication forks into another process, running as the target user.

by kristjank

5/8/2026 at 4:30:33 PM

[dead]

by robertdfrench

5/8/2026 at 2:42:25 AM

1) IFUNC is hardly the only way to run code before main.

2) The alternative they present is arguably less secure because the function pointer will remain writable for the life of the process, whereas with IFUNC the GOT will eventually be made immutable (or can be... not sure if that's the default behavior). In general function pointers aren't great for security unless you explicitly make the memory backing the pointer(s) unwritable, which at least is easier to do for a global table than it is for things like C++ vtables (because there's the extra indirection through data pointers involved to get to the table).

by wahern

5/8/2026 at 2:46:42 AM

Yeah, this blog is misguided. As a higher level criticism: it's confusing[1] the technical details with the payload with the exploit chain that deployed it.

The interesting thing is obviously not that you can get code to run at high privilege level by modifying a system component. I mean, duh, as it were.

The interesting thing is that the attackers (almost) got downstream Linux distros to suck down and deploy that malicious component for them. And that's not down to an oddball glibc feature, it happened because they got some human beings to trust a malicious actor. GNU glibc can't patch that!

[1] Incorrectly, as you point out.

by ajross

5/8/2026 at 9:02:16 AM

> The alternative they present is arguably less secure because the function pointer will remain writable for the life of the process

They also suggest an alternative to storing the function pointer, store the bit flags that decide which function to call. That restricts the call targets to only the legitimate ones intended.

by dwattttt

5/8/2026 at 4:24:47 AM

> The alternative they present is arguably less secure because the function pointer will remain writable for the life of the process

The article mentions this, and also points to mprotect which you can use to protect the pointer.

Why people jump to criticize without reading first? BTW, you can ask an LLM to check your critique, before posting, if you don't want to read the text.

by ordu

5/8/2026 at 4:38:13 AM

Yes but at best their "solution" is equally secure, not any better.

by IAmLiterallyAB

5/8/2026 at 6:44:32 AM

They argue, and I tend to agree, that their solution is more secure.

1. It impiles some function pointers to be writable temporarily, not all of them.

2. It doesn't hide writable pointers from a cursory glance not familiar with IFUNC.

by ordu

5/8/2026 at 7:17:24 AM

The GOT has to be initially writable regardless of ifunc, even with relro, to apply relocations.

by anarazel

5/8/2026 at 6:15:22 AM

Would xz still have been able to alter opensshd without IFUNC?

by kstrauser

5/8/2026 at 10:12:46 AM

Yes, liblzma could have used multiple routes to take over sshd. Once you're running inside the process it's game over. The exact details, like how they used ifunc and an audit hook, are very interesting, but ultimately not that important.

by rwmj

5/8/2026 at 8:26:00 PM

I've updated the post and am offering $500 if you can pull this attack off without ifunc.

by robertdfrench

5/9/2026 at 7:52:01 AM

$500 isn't worth my time and I don't trust you'd pay up. But for anyone who wants to attempt to get him to pay up, here are three simple approaches:

(A1) In a POSIX constructor function in liblzma, set an alarm(2) for a few seconds later (once sshd has fully loaded).

(A2) In the alarm callback locate the original function that was patched using dlfcn, and mmap a page of modified code over the top that calls the exploit.

Or:

(B1) POSIX constructor function, call clone(2) to start a background thread.

(B2) In the background thread, sleep for a little, then patch the code as in A2 above.

Or:

(C1) POSIX constructor function that completely replaces the sshd process with a workalike that contains the exploit.

In A & B, for OSes (not Linux) that deny mmap, you'll need to find a struct or stack frame used by the function and work out how to adjust the data it uses or find a function pointer and exploit that.

by rwmj

5/9/2026 at 1:49:01 PM

You may well be right about this! What I genuinely don't understand then, is why Jia Tan relied on ifunc rather than POSIX constructors. Seems like that would have been easier and more widely applicable, right?

by robertdfrench

5/9/2026 at 9:26:33 PM

His team used ifunc because it made the attack less obvious if you are running sshd under strace. An alarm or clone system call in strace would stick out a mile, even if the code executing the syscall was obfuscated.

So it's clever to use ifunc, but not necessary for an attack to work.

Likely the existing toolkit they seem to have been using had primitives for this already, but as I said in the Veritasium video I appreciate that this was a very sophisticated attack executed by a smart team.

by rwmj

5/9/2026 at 11:53:22 AM

It is weird to limit to "the same attack". Why does it even have to be the same attack? From the moment sshd loads your modified lib, you're literally running code with root privileges on the victim machine. You can literally run _any_ attack you wanted, with zero persistence. This is worse than a OpenSSH RCE.

Even in your own talk you basically admit this, so what are you doing here? If you think there's something here that everyone is missing but you don't, why not actually explain what it is?

by AshamedCaptain

5/9/2026 at 1:27:48 PM

I don't have any secret information! Folks were giving me a hard time about claiming that ifunc is central to this attack, and I would genuinely find it valuable to know that Jia Tan could have (for example) performed this attack against a musl-based distro.

by robertdfrench

5/8/2026 at 4:01:54 PM

You can always populate .init_array section with a hidden constructor. It would work just like ifunc and would always execute at shared library load time.

by okanat

5/9/2026 at 1:53:40 PM

I think .init_array is too late in the game. ifunc lets you hijack the loader, because it is sort of like a plugin or dynamic config for the loader itself. Everything should be loaded and resolved by the point that .init_array stuff starts getting triggered, though ELF is dark and full of terrors so who knows really.

by robertdfrench

5/8/2026 at 4:18:37 AM

Isn't it the same problem with pam.

Some solaris engineer got a little too clever and decided that the modular part of the the auth system needed to be dynamic libs. Now it's all in one process space, hard to understand, hard to debug and fragile.

I really like openbsd's bsdauth, I don't know if it is actually any better than pam but because it is moduler at the process level it is possible for mere mortals to debug and make custom auth plugins. Sadly only obsd actually uses it. https://man.openbsd.org/login.conf.5#AUTHENTICATION

by somat

5/8/2026 at 5:29:08 AM

IFUNC should be implemented by software itself, like switching functions on runtime/compile checks. Why bother having a slower, insecure version that is less flexible than a function pointer? I have to agree with author. Glibc is filled with even more nasty hacks ripe for new exploits.

by countWSS

5/8/2026 at 6:03:56 AM

I agree so much and wished this was the main focus of the debate. It's more a question of why does this exist in the first place and not of how did they abuse it. Building only from source is the minimum required transparency and a CI/CD pipeline able to manipulate the artifact before release takes this away. I remember the outrage, when serde (i think it was) wanted to ship parts as pre-compiled binaries for build performance reasons...

by throwawayqqq11

5/8/2026 at 11:45:46 AM

Less indirection means faster code. If the dynamic loader is already using a level of indirection and you patch into that same indirection instead of adding another, you're not making it slower.

by pocksuppet

5/8/2026 at 2:12:04 AM

seeing LD_PRELOAD in the "less-exploitable alternatives to GNU IFUNC" section was kind of funny

by warmdarksea

5/8/2026 at 9:12:42 AM

Yeah, that suggestion made me roll my eyes. It's the wrong granularity, there's no build system support, it's inconvenient (executable wrappers? require the user to understand all transitive deps?).

It also fails to mention glibc-hwcaps, which would've been a cleaner solution in the context.

by stabbles

5/9/2026 at 2:07:00 PM

Ohhh I had no idea about hwcaps! This is great! That is the way to solve this problem.

by robertdfrench

5/8/2026 at 11:05:56 AM

The entire argumentation here is ridiculous. There's a big jump from "IFUNC slightly undermines RELRO" to "IFUNC is the real culprit". You could have gotten all but the same effect spawning a thread from a plain init or C++ constructor. No one should think that any relro, r^x or aslr or anything like this is going to deter anyone who can literally control the contents of the libraries which are linked in. They could, literally, exec a copy of sshd with a patched config if necessary.

The title is just clickbait.

by AshamedCaptain

5/8/2026 at 12:31:44 PM

I think I triggered the posting of this article in a reply elsewhere, to which you gave the same comment. And dammit, you're totally right, there's lots of other ways to stick arbitrary code into the initialization process at load time. Maybe the real problem is linking dependencies by shoving them into the same address space as whatever is using them and calling it a day. Memory-safe languages can help protect that model against accident, but it still takes just one evil insider to steal the keys to the kingdom.

by chuckadams

5/8/2026 at 2:14:32 PM

I love the recently added "In Response to Hacker News" section.

by bla3

5/8/2026 at 8:22:16 PM

Take my money!!

by robertdfrench

5/8/2026 at 2:09:14 PM

I will still hold the decision to link the biggest possible target on every server against the biggest, most privileged daemon on every server, as not very smart indeed.

by kristjank

5/8/2026 at 5:36:53 AM

> By letting the linker run arbitrary code before main

As I know C++ allows running arbitrary code before main too - for constructors of global variables. Does it bring security risks too?

by Panzerschrek

5/8/2026 at 6:11:25 AM

It does not, it's actually arbitrary code running during the dynamic loading process, i.e. before _start.

by bonzini

5/8/2026 at 7:34:37 AM

But what if I have a C++ dynamic library? Does it call constructors for global variables before _start function in the main program starts?

by Panzerschrek

5/8/2026 at 10:57:50 AM

_start takes care of calling the global initializers and register the atexit callback for the finalizers.

(In practice _start calls __libc_start_main, a libc function that handles all of that).

by bonzini

5/9/2026 at 3:13:25 AM

IDK I do find it funny the linked project readme is dunking on this thread.

And I am again going to mention the book Linkers and Loaders by John R. Levine from 1999, I'm not sure if there's anything comparable to it. How else does anyone know anything about this stuff?

by esbranson

5/8/2026 at 9:45:42 AM

False dichotomy. There was a series of blatant process failures from Github maintainer through Debian package maintainers. IFUNC also bad.

by theteapot

5/8/2026 at 2:58:20 AM

Yes, that nefarious nation-state threat actor known as GNU IFUNC!

Curses, thwarted again!

by octoberfranklin

5/8/2026 at 4:37:04 PM

[dead]

by robertdfrench

5/8/2026 at 5:56:38 AM

Well, also Unicode identifiers, a C11 spec bug, nobody cares to fix. Still in C26, because "users expect Unicode stability", esp. it's bugs.

by rurban

5/8/2026 at 2:47:02 AM

[flagged]

by TacticalCoder

5/8/2026 at 5:34:28 AM

Debian did not link OpenSSH with a 1.5 million-line library, because one doesn't exist. The library is libsystemd, which is comparatively tiny, and it is tiny so that sane things like Type=notify services get supported in more places with less pushback.

Yes, it could be smaller, broken up to remove compression support [0], what have you. But you should criticize the things that are actually problems, not some made-up bullshit about the whole of systemd being linked into everything that talks to it.

0: https://github.com/systemd/systemd/issues/32028

by tadfisher

5/8/2026 at 5:01:47 AM

> Great. TFA's author thinks he cherry picked a sentence to make the project look bad.

Err... What? It's just a factual, non-judgemental description. Unlike your comment, which goes out of its way to call systemd names for whatever reason. Which just makes me less interested in what you have to say. Most people who rely on appeal to emotion to that extent are not in the right.

by pwdisswordfishq

5/8/2026 at 3:57:40 AM

> systemd is a monstrous codebase and there lies shitload of exploits in it. Either intentional or accidental.

And yet...

1. practically all hyperscalers use it

2. desktops

3. container images, that power everything from docker to kubernetes use it

It helps that it's actively maintained, battle-tested as hell, and widely audited.

Point being, it's fun to hate on systemd, and maybe even hipster-like, and systemd is hardly perfect... but you are probably more likely to be exploited by a pypi or npm supply-chain attack.

by k_roy

5/8/2026 at 4:52:54 AM

> It helps that it's actively maintained, battle-tested as hell, and widely audited.

Is it actually audited? Or is it like OpenSSL... everybody uses it, but nobody looks under the hood cause it's gross in there? (Or well, nobody looked before Heartbleed anyway)

by toast0

5/8/2026 at 5:13:32 AM

Is it actually audited?

This is 2026, not 2014 when heartbleed came out.

And it runs as PID1 on many distros and these are folks like RHEL, who have a huge interest in keeping it secure.

Pypi has an almost daily exploit announced in common and popular libraries, simply because the dependency graph is so huge. And this is in things that are almost certainly deliberately and by design exposed to insecure user input.

Again, it’s fun to hate on systemd, but in reality you are much more likely to be exploited by something else.

by k_roy

5/8/2026 at 4:21:36 AM

> Point being, it's fun to hate on systemd, and maybe even hipster-like, and systemd is hardly perfect... but you are probably more likely to be exploited by a pypi or npm supply-chain attack.

Can you even imagine pypi or npm compromising ssh this way?

by lmm

5/8/2026 at 5:02:33 AM

> Can you even imagine pypi or npm compromising ssh this way?

Is ssh somehow sacrosanct in a way that any other RCE or credential stealing attack is different?

I don’t even know the last time I exposed ssh to the open internet.

But the fact with npm or pypi you can be exploited just by running the software you’ve already installed because the dependencies are everywhere on your system?

by k_roy

5/8/2026 at 5:20:43 AM

> Is ssh somehow sacrosanct in a way that any other RCE or credential stealing attack is different?

I see ssh as a very fundamental part of the system - in BSD terms it's in base not ports. Random packages from npm or pypi, sure, if you installed some slop off the internet and got exploited that's not so surprising. (Even those package managers themselves are not part of the base system, much less anything you install with them). But ssh should be safe!

by lmm

5/8/2026 at 3:51:26 AM

xz-tools should scrap and reimplemented the code to the safer one , current one have safety and performance issue.

by liamgm

5/8/2026 at 1:44:17 AM

> Why do Linux Distros modify OpenSSH?

> The short answer is that they have to. OpenSSH is developed by the OpenBSD community, for the OpenBSD community, and they do not give a flying Fedora about Linux.

What complete horseshit. I stopped reading there.

The OpenSSH Portable branch is maintained by OpenBSD developers and SystemD is a completely optional add-on so why on earth would they make it a dependency? If they didn't care about the Linux community they wouldn't develop this software *for free* for them. They can go write their own GNU SSH then.

It certainly doesn't help that there are 165+ definitions of what constitutes a "complete GNU+Linux system" some of which use SystemD and some which vow never to.

It's not the OpenBSD developers' fault some Linux distros use overly complex plumbing and can't agree on one standard for their OS unlike every other OS out there, including Windows.

The xz backdoor was a Debian and Red Hat issue because they maintained patches to fix problems of their own creation. No one else was affected. Why should the OpenBSD people care? It's not their problem.

by washingupliquid

5/8/2026 at 1:58:44 AM

The OP agrees with you... if you continue reading, they wrote

> These patches never went into Portable OpenSSH, because the Portable OpenSSH folks were ["not interested in taking a dependency on libsystemd"](link). And they never went into upstream OpenSSH, because OpenBSD doesn't have any need to support SystemD.

The language may have been harsher than it needed to and therefore could be more easily misunderstood, but I believe you are actually in agreement with them

by striking

5/8/2026 at 2:02:28 AM

It makes it sound even worse, cherry picking language like "not interested" as if the OpenBSD folks should shoulder blame for not being altruistic enough.

It reeks of trashing your benefactor, who gave you well-written free software, which you then made insecure with your own patches.

If you remove the roof of your car with a chainsaw and are inevitably injured later, is it the car manufacturer's fault they didn't offer that model as a convertible from the factory?

The better question is why are people still trying to assign blame all these years later? The IT world dodged a bullet but has moved on (and likely didn't learn from their mistakes as supply chain attacks are steadily increasing).

by washingupliquid

5/8/2026 at 2:07:07 AM

Okay. You could see it that way. Or you could read what the author wrote about who is to blame:

> No one person or team really made a mistake here, but with the benefit of hindsight it's clear the attackers perceived that the left hand of Debian/Fedora SSH did not know what the right hand of xz-utils was doing.

with OpenBSD not even being mentioned here

by striking

5/8/2026 at 6:58:53 AM

I guess it's up to interpretation, but I read it the complete opposite way, as in Linux distributions should not think so highly of themselves as to expect OpenBSD to conform and adapt to their mess, and OpenBSD rightfully should not be expected to "give a flying Fedora about Linux".

by debazel

5/8/2026 at 4:35:03 PM

[dead]

by robertdfrench

5/8/2026 at 1:00:30 PM

>Did the OpenSSH folks know (or care) that ifunc was a thing? It's certainly not a thing on OpenBSD.

I do not know why you were down-voted, maybe you deserved no up-votes, but down-votes to me were a bit extreme :) But that quote tends to indicate to me the author put a little blame on OpenSSH Developers. Maybe the author did not intend it to be read in the way I read it.

OpenSSH developers should not need to know what or why systemd distros apply patches to OpenSSH, the distro I use, Slackware, did not have this vulnerability because the Slackware team, AFAIK, only adds patches if the package does not compile. If other distros did that this issue would not have occurred.

To me the issue was patching OpenSSH for some systemd thing. Maybe IFUNC was part of the issue, but the real issue was patching OpenSSH.

But I know one thing, I never heard of IFUNC and after reading about it, I will avoid that as much as I can. So at least I was educated :)

by jmclnx

5/8/2026 at 4:34:13 PM

[dead]

by robertdfrench