Chapter 24 Further Reading: Dynamic Linking in Depth

1. "How To Write Shared Libraries" — Ulrich Drepper https://www.akkadia.org/drepper/dsohowto.pdf

The definitive guide to shared library development on Linux, written by the glibc maintainer. Covers symbol versioning in comprehensive detail, visibility attributes (__attribute__((visibility("hidden/default/protected")))), PLT optimization, RELRO, and performance implications of different linking choices. The symbol versioning section (Chapter 3) explains the exact @@GLIBC_2.2.5 format and how version scripts work. Essential reading before writing any production shared library.

2. "How the Dynamic Linker Works" — Various LWN Articles https://lwn.net/Articles/631631/ — "How programs get run: ELF binaries" series

David Drysdale's LWN series covering execve → kernel ELF loader → dynamic linker bootstrap → main. Part 2 specifically covers dynamic libraries. The series is concrete and code-level: it references actual Linux kernel source functions (load_elf_binary, setup_arg_pages) and glibc dynamic linker code. Bridging the gap between the specification (System V ABI) and the implementation (glibc ld.so source).

3. "PLT and GOT — the Key to Code Sharing and Dynamic Libraries" — Ian Lance Taylor https://www.airs.com/blog/archives/38 — "Linkers" blog series

Ian Lance Taylor (author of the gold linker and current maintainer of GNU ld) wrote a 20-part series on linkers. Parts 9-12 cover dynamic linking, PLT, GOT, and symbol resolution in exhaustive detail. Taylor's explanation of the COPY relocation (why executables copy variables from shared libraries into their own .bss) clarifies one of the more confusing aspects of x86-64 dynamic linking.

4. glibc Source: elf/dl-runtime.c and elf/dl-lookup.c https://sourceware.org/git/gitweb.cgi?p=glibc.git

dl-runtime.c contains _dl_runtime_resolve — the actual C code that runs when a PLT entry is called for the first time. dl-lookup.c contains _dl_lookup_symbol_x — the symbol search algorithm that traverses loaded libraries in order, checking hash tables. Reading these functions makes the abstract "dynamic linker resolves the symbol" concrete. Search for _dl_fixup to find the function that updates the GOT entry.

5. "The Backdoor in XZ Utils: A Technical Deep Dive" https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27

The 2024 XZ utils backdoor (CVE-2024-3094) worked by using IFUNC (indirect function) resolver abuse and LD_PRELOAD-like interposition to hook RSA_public_decrypt in OpenSSH's sshd. The backdoor code was hidden in the test suite, injected into the build system, and only activated under specific conditions. Understanding this attack requires deep knowledge of PLT/GOT, constructors (DT_INIT_ARRAY abuse), and the dynamic linker's symbol resolution order — exactly the topics of this chapter.

6. "ret2plt Attack and GOT Overwrite" — CTF Exploit Techniques https://ir0nstone.gitbook.io/notes/types/stack/return-oriented-programming/ret2plt

CTF (Capture the Flag) security challenge write-ups explain GOT overwrite attacks concretely. The "ret2plt" technique uses a buffer overflow to redirect execution to a PLT stub (to call system("/bin/sh") instead of the intended function). The "GOT overwrite" technique directly writes to GOT entries to redirect subsequent calls. Reading these write-ups after understanding PLT/GOT theory turns the attack from abstract to mechanically comprehensible.

7. "Android's Bionic libc — Dynamic Linker Implementation" https://android.googlesource.com/platform/bionic/ (linker/ directory)

Android's Bionic dynamic linker is a clean, well-commented reimplementation of the ELF dynamic linking process. The linker.cpp file (in the linker/ directory) implements symbol resolution, RELRO application, IFUNC resolution, and the Android-specific namespace isolation system. Comparing Bionic's linker to glibc's linker shows which parts of the ELF spec are mandatory (symbol resolution algorithm, relocation types) vs. implementation-specific (namespace isolation, preloaded library handling).

8. "Frida — Dynamic Instrumentation Toolkit" https://frida.re

Frida is a dynamic binary instrumentation framework that works by injecting a JavaScript runtime into a running process and hooking functions via PLT/GOT manipulation, inline patching, and trampoline-based interception. Understanding Frida's architecture reinforces PLT/GOT knowledge: Frida patches GOT entries (just like LD_PRELOAD), reads the .dynamic section to find symbol tables, and uses dlsym to locate original function addresses. Frida is widely used in mobile security research and reverse engineering.

9. "Symbol Resolution in the GNU Linker" — Gold Linker Design Documents https://sourceware.org/ml/binutils/2008-01/msg00470.html — Ian Lance Taylor's gold design

The design documents for the gold linker (a faster alternative to GNU ld, written by Ian Lance Taylor) explain symbol resolution algorithms, --as-needed optimization (only link libraries whose symbols are actually used), --gc-sections, and COMDAT handling. These documents are unusually clear technical writing about a complex topic. The --as-needed flag explanation is particularly useful for understanding why library order matters.

10. "Security Hardening Techniques for ELF Binaries" — Various https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro — Red Hat Blog https://blog.quarkslab.com/clang-hardening-cheat-sheet.html — Quarkslab

Red Hat's and Quarkslab's hardening guides document every available ELF security mitigation: RELRO (partial and full), PIE, stack canaries, FORTIFY_SOURCE, SafeStack, CFI (Control Flow Integrity), and shadow call stacks. The checksec tool output format is explained, along with the GCC/Clang flags that enable each protection. Understanding the "why" of each protection requires the PLT/GOT and ELF knowledge from Chapters 23-24.