1. 4

  2. 5

    Dynamic libraries strike again!

    With the increased amount of RAM machines have, I always wonder if it’s not just best to statically link everything all the time nowadays.

    1. 3

      You risk me agreeing with you and having the prophecies of the end of the world come true with comments such as these. The era of space over time is long done. There are just so many benefits of static linking such as utilizing runtime analysis across library code, not just, as you rightly imply, to reduce attack area.

      1. 1

        I am a huge proponent of this, even if I get a lot of grief for it. A good read on the subject is the cat-v dynamic linking page.

        1. 1

          Agreed. I would at least reach for static linking over dynamic linking as a first solution, and then only think about supporting dynamic linking if it was proved worthwhile.

          1. 1

            But then you lose out on PIE/ASLR, and the next time there’s an OpenSSL or zlib bug, you’ll have to recompile everything on your system that uses those.

            Though these days with advanced package management, I’m not sure the latter is such a big deal. The package manager (on OpenBSD at least) knows what binaries are linked to which system and package libraries and which versions of them, so getting those select packages rebuilt and reinstalled wouldn’t be a big deal.

            1. 1
              1. Nothing stopping you from making the executable position independent (PIE) and relocate on load in any predicatively odd way you wish to increase entropy.
              2. Address space layout randomization (ASLR) is possible when code is position independent (see 1); it is still done for the stack and dynamic memory regardless. If the argument is that relocating libraries randomly helps, then do it to every function of a static executable. That’s still possible.
              3. Don’t think of it as recompiling, think of it as a one-time cost per version update that reanalyzes the best way to execute your code. You can do it lazily upon first load on a case-per-case basis.