0

On a Linux Raspbian system, I have performed various security checks, and among those I have run an rkhunter scan to look for rootkits, backdoors, and other malicious software, which produced the following warning:

Warning: Found preloaded shared library: /usr/lib/arm-linux-gnueabihf/libarmmem-${PLATFORM}.so

Potentially this is a shared library providing a way to access and manage memory on the ARM platform, such as system-level memory management, and it may get access to critical system resources.

As far as I can understand, a preloaded shared library poses a security risk, meaning that it has full access to user data, system resources, and user privileges and could potentially be manipulated to gain access to secure information or resources.

I have searched for specific documentation on this preloaded shared library, but I am not able to find any.

I am seeking the documentation of this preloaded shared library to better understand if it poses a security issue.

I have reviewed the available posts and none answer my question.

Any support is much appreciated.

3
  • This may be related to this question.
    – user1820994
    Commented Jul 28, 2023 at 10:53
  • rkhunter usually reports unknown libraries, or those that do not ship with the standard OS. These libs are not always bad by themselves, but it's still good practice to investigate nonetheless.
    – user1820994
    Commented Jul 28, 2023 at 10:54
  • Many thanks, I agree.
    Commented Jul 28, 2023 at 11:07

1 Answer

0

When a shared library is preloaded, it means it's loaded into the memory before any other ordinary library is loaded. This can be a security issue if the preloaded library is malicious because it could potentially override functions and possibly gain access to sensitive data.

In your case, libarmmem-${PLATFORM}.so sounds like it could be a library related to ARM memory management. However, the presence of the ${PLATFORM} placeholder suggests that this is dynamically determined based on the platform the software is running on. It's usually used for legitimate purposes, but if a library with the same name was placed by a malicious entity, it could be problematic.

Here are some steps you could follow to investigate further:

Inspect the Library: Use nm, objdump, ldd, strings or similar tools to inspect the symbols, dependencies, and any readable text within the binary. This may give you a clue about its purpose. For example, you can use strings to find readable strings in the binary:

strings /usr/lib/arm-linux-gnueabihf/libarmmem-*.so   # glob: the shell would expand an unset ${PLATFORM} to nothing

Check the Package: If this library comes from a package installed through the package manager, you can check its documentation, source, and other files. For Debian-based systems like Raspbian, you can use the dpkg -S command to find the package that a file comes from:

dpkg -S /usr/lib/arm-linux-gnueabihf/libarmmem-*.so   # glob: the shell would expand an unset ${PLATFORM} to nothing

Once you know the package, you can use apt-cache showpkg to get more information about it, and potentially find its source code or documentation.

Check for Updates: Make sure your system and all packages are updated. If this library is part of a legitimate package, updates could include important security fixes.

Contact the Community: If you're still unsure, you can try reaching out to the Raspberry Pi or broader Linux community. Someone may be familiar with this specific library, especially if it's related to a common package or use case.

Consider a Professional Security Audit: If this system is critical and you suspect a serious security issue, it could be worth getting a professional security audit. There are firms that specialize in this kind of work, and they have the tools and expertise to thoroughly investigate potential security issues.
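The library and package checks described in the answer above, as an added example that is not part of the original answer. It assumes the warning comes from an entry in /etc/ld.so.preload on a glibc system with dpkg; the function names and the TAMPERABLE/MISSING/OK labels are hypothetical.

```shell
#!/bin/sh
# Added example: vet every entry of an ld.so.preload-style file.

# Value the dynamic linker substitutes for $PLATFORM; glibc prints it when LD_SHOW_AUXV is set.
ld_platform() {
    LD_SHOW_AUXV=1 /bin/true 2>/dev/null | awk '/^AT_PLATFORM/ { print $2 }'
}

# Expand ${PLATFORM} and $PLATFORM in one entry; the shell itself never expands the token.
expand_entry() {  # $1 = entry, $2 = platform string
    printf '%s\n' "$1" | sed -e "s|[\$]{PLATFORM}|$2|g" -e "s|[\$]PLATFORM|$2|g"
}

# Print "STATUS path package" for each whitespace-separated entry of a preload file.
check_preload() {  # $1 = preload file, $2 = platform, $3 = expected owner (default root)
    owner=${3:-root}
    sed 's/#.*//' "$1" | tr ' \t' '\n\n' | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        lib=$(expand_entry "$entry" "$2")
        if [ ! -e "$lib" ]; then
            status=MISSING
        # Group/world-writable or wrongly owned: someone other than the owner could replace it.
        elif [ -n "$(find -L "$lib" -prune \( -perm -020 -o -perm -002 -o ! -user "$owner" \))" ]; then
            status=TAMPERABLE
        else
            status=OK
        fi
        # Package attribution is only possible where dpkg is installed.
        pkg=$(dpkg -S "$lib" 2>/dev/null | cut -d: -f1)
        printf '%s %s %s\n' "$status" "$lib" "${pkg:-no-package}"
    done
}

# Check the real system only when invoked with --system.
if [ "${1:-}" = "--system" ] && [ -r /etc/ld.so.preload ]; then
    check_preload /etc/ld.so.preload "$(ld_platform)"
fi
```

An entry reported as OK with a package name can then be compared against the package's recorded checksums, for example with `dpkg --verify` on that package.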
