Revision as of 07:56, 18 August 2006 editChobot (talk | contribs)Bots167,695 editsm robot Adding: ko:DLL 지옥← Previous edit | Latest revision as of 23:03, 7 December 2024 edit undoNaruyoko (talk | contribs)500 edits →Use by malware: Rewrite with details of DLL hijacking methodsTag: 2017 wikitext editor | ||
(442 intermediate revisions by more than 100 users not shown) | |||
Line 1: | Line 1: | ||
{{Short description|Computing slang}} | |||
In ], '''DLL hell''' is a colourful phrase for complications which arise when working with ], or DLLs. The term was introduced to the general public by Rick Anderson in his January 2000 paper, ''The End of DLL Hell''<ref name="anderson">{{cite web | |||
{{Lead too short|date=November 2024}} | |||
|url=http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsetup/html/dlldanger1.asp | |||
{{more sources needed|date=November 2024}} | |||
|title=The End of DLL Hell | |||
|publisher=Microsoft | |||
|work=MSDN | |||
|last=Anderson | |||
|first=Rick | |||
|year=January 2000 | |||
|accessdate=2006-04-18 | |||
}}</ref>, after having been in use within ] for some time. | |||
'''DLL hell''' is an umbrella term for the complications that arise when one works with ] (DLLs) used with older ] ]s,<ref>{{cite web |url=http://msdn.microsoft.com/en-us/magazine/bb985026.aspx |title=Avoiding DLL Hell: Introducing Application Metadata in the Microsoft .NET Framework |publisher=Microsoft |date=October 2000}}</ref> particularly legacy ], which all run in a single memory space. DLL hell can appear in many different ways, wherein affected programs may fail to run correctly, if at all. It is the Windows ecosystem-specific form of the general concept ]. | |||
DLL Hell encompasses the difficulties of managing dynamic-link libraries (DLLs) in ] ]s. These difficulties include conflicts between DLL versions, difficulty in obtaining required DLLs, and having many unnecessary DLL copies. DLL Hell is an example of a latent operating system design flaw — that is, problems occur in well-written programs because of bad programming practice or a bug in poorly-written ] that is tolerated by the operating system. The paradigm of a latent operating system flaw is ] in Microsoft operating systems pre-dating ] and ]. With time slicing, a rogue or buggy program can effectively disable the entire computer, forcing the user to hard boot the machine. | |||
== Problems == | == Problems == | ||
DLLs are Microsoft's implementation of ]. Shared libraries allow common code to be bundled into a wrapper, the DLL, which is used by any application software on the system without loading multiple copies into memory. A simple example might be the ] text editor, which is widely used by many programs. By placing this code in a DLL, all the applications on the system can use it without using more memory. This contrasts with ], which are functionally similar but copy the code directly into the application. In this case, every application grows by the size of all the libraries it uses, and this can be quite large for modern programs. | |||
There are a number of problems commonly encountered with DLLs – especially after numerous applications have been installed and uninstalled on a system. The most common and troublesome problem was overwriting a working system DLL with a version causing some applications to fail. The DLL overwriting problem (referred to as ''DLL Stomping'' inside Microsoft) was largely solved with Windows File Protection (WFP) that was introduced in ]. Before WFP, DLL incompatibility was possible for the following reasons: | |||
*The lack of enforced standard versioning, naming, and file system location schema for DLLs. | |||
*The lack of an enforced standard method for software installation. | |||
*The lack of a centralized authoritative support for DLL ] management and safeguards allowed incompatible DLLs with the same file name and internal version numbers to be released; and | |||
*The lack of simple management tools prevents the identification of changed or problematic DLLs by users and administrators. | |||
The problem arises when the version of the DLL on the computer is different than the version that was used when the program was being created. DLLs have no built-in mechanism for backward compatibility, and even minor changes to the DLL can render its internal structure so different from previous versions that attempting to use them will generally cause the application to crash. Static libraries avoid this problem because the version that was used to build the application is included inside it, so even if a newer version exists elsewhere on the system, this does not affect the application. | |||
Some preventive measures such as '''Side-by-Side Component Sharing''' create redundant copies of DLLs, each to be loaded separately for each application that requires them – effectively eliminating one of the primary benefits of sharing DLLs between applications – reducing memory use. Other benefits such as bug fixes and security updates may be affected, and errant and insecure DLLs may not be updated during automated processes. | |||
A key reason for the version incompatibility is the structure of the DLL file. The file contains a directory of the individual methods (procedures, routines, etc.) contained within the DLL and the types of data they take and return. Even minor changes to the DLL code can cause this directory to be re-arranged, in which case an application that calls a particular method believing it to be the 4th item in the directory might end up calling an entirely different and incompatible routine, which would normally cause the application to crash. | |||
== Instances == | |||
DLL hell as described above was a very common phenomenon on pre-Windows 2000 versions of Microsoft operating systems, the primary cause being the operating system did not restrict DLL installations. Application installers were expected to be good citizens and verify DLL version information before overwriting the existing system DLLs. Standard tools to simplify application deployment (which always involves shipping the dependent operating system DLLs) were provided by Microsoft and other 3rd party tools vendors. Microsoft even required application vendors to use a standard installer and have their installation program certified to work correctly, before being granted use of the Microsoft logo. The good citizen installer approach did not mitigate the problem, as the rise in popularity of the Internet provided more opportunities to obtain non-conforming applications. | |||
There are several problems commonly encountered with DLLs, especially after numerous applications have been installed and uninstalled on a system. The difficulties include conflicts between DLL versions, difficulty in obtaining required DLLs, and having many unnecessary DLL copies. | |||
James Donald, in his 2003 paper titled ''Improved Portability of Shared Libraries'' argued that DLL Hell is worse under ] than Microsoft Windows. Several ]s have had problems with software not packaged for the distribution when updating libraries, since the ]s of some Open Source libraries are prone to change between releases. When occurring in non-Windows environments, these problems are often referred to as ]. However, it should not be confused with DLL hell, as ''DLL hell'' is a specific type of dependency hell. | |||
Solutions to these problems were known even while Microsoft was writing the DLL system.{{Citation needed|date=November 2021}} These have been incorporated into the ] replacement, "Assemblies". | |||
A modern example of dependency hell on Microsoft Windows, Linux, and Mac OS X is the ] or GRE used by ] projects. Each product released from the Mozilla foundation includes its own version of the complete Gecko Runtime Engine, due to the volatile nature of the programming interfaces used. Thus, if a user installs ], ], and ], there will be three copies of GRE on the machine. These may or may not be compatible, depending on when the GRE ] was ]. Some external projects like ] depend on specific versions of the ] to use GRE, and break if a different version is installed; while others such as ] bring their own copy of GRE. | |||
===Incompatible versions=== | |||
== Countermeasures == | |||
A particular version of a library can be compatible with some programs that use it and incompatible with others. Windows has been particularly vulnerable to this because of its emphasis on dynamic linking of C++ libraries and ] (OLE) objects. C++ classes export many methods, and a single change to the class, such as a new virtual method, can make it incompatible with programs that were built against an earlier version. Object Linking and Embedding has very strict rules to prevent this: interfaces are required to be stable, and memory managers are not shared. This is insufficient, however, because the semantics of a class can change. A bug fix for one application may result in the removal of a feature from another. Before ], Windows was vulnerable to this because the ] class table was shared across all users and processes. Only one COM object in one DLL/EXE could be declared as having a specific global COM Class ID on a system. If any program needed to create an instance of that class, it got whatever was the current centrally registered implementation. As a result, an installation of a program that installed a new version of a common object might inadvertently break other programs that were previously installed. | |||
There are several countermeasures known to avoid DLL hell, which have to be used simultaneously for optimal results: | |||
* '''Registration-free COM''': ] introduced a new mode of COM object registration called "''Registration-free COM''" that was lost in the .NET hype. This feature makes it possible for applications that need to install COM objects to store all the required COM registry information in the application's directory, instead of in the global registry, where strictly speaking if only a single application will ever use it is all that is needed. Thus, it provides a mechanism for multiple versions of the same DLL to be present at the same time as needed to cater for multiple applications (Microsoft calls this "Side-by-side Assemblies" ). DLL hell can be substantially avoided using Registration-free COM, the only limitation being it requires at least ] or later Windows versions and that it must not be used for EXE COM servers or system-wide components such as ], ], ] or ]. | |||
===DLL stomping=== | |||
* Shipping the operating system with a capable ] that is able to track the DLL dependencies, encouraging the use of the package manager and discouraging manual installation of DLLs. | |||
A common and troublesome problem occurs when a newly installed program overwrites a working system DLL with an earlier, incompatible version. Early examples of this were the <code>ctl3d.dll</code> and <code>ctl3dv2.dll</code> libraries for ]: Microsoft-created libraries that third-party publishers would distribute with their software, but each distributing the version they developed with rather than the most recent version.<ref name=Ctl3D>{{cite web |url=http://support.microsoft.com/search/default.aspx?query=CTL3Dv2.DLL |title=A summary of CTL3D.DLL articles in Microsoft Support Knowledge Base |publisher=Microsoft}}</ref> DLL stomping occurs because: | |||
* Having a central authority for distributing the library. Changes to the library can be submitted to this authority; thus, it can make sure compatibility is preserved in the developed branches. If some older software is incompatible with the current library, the authority can provide a compatibility interface for it, or bundle the old version as a distinct package. | |||
* Microsoft in the past distributed runtime DLLs as shared system components<ref>.</ref> (originally C:\WINDOWS and C:\WINDOWS\SYSTEM), as a way of efficiently sharing code in a shared-memory OS with limited RAM and disk space. Consequently, third-party developers also distributed these in such a manner. | |||
* Application installers are typically executed in a privileged security context that has access to install DLLs into the system directories and to edit the system registry to register new DLLs as ] objects. A poorly written or misconfigured installer can therefore downgrade a system library on legacy versions of Windows, on which ] or ] does not roll back the change. On Windows Vista and later, only the "trusted installer" account can make changes to core operating-system libraries. | |||
* Windows applications were permitted to include OS updates in their own installation programs. That is, many Microsoft DLLs are ''redistributable'', meaning that the applications can include them if they need the services of the particular libraries. | |||
* Before ], Windows installers historically were commercial products; many people attempted to write their own installers, overlooking or mishandling versioning problems in the process.{{Citation needed|date=August 2008}} | |||
* Some development environments did not automatically add a version resource in their compiled libraries, so many developers overlooked this aspect. Checking file dates, overwriting existing files or skipping the copy operation if the DLL was already installed were the only options available instead of correct versioning.{{Citation needed|date=June 2010}} | |||
* Sometimes, the OS itself removed or replaced DLLs with older or obsolete versions. For example, Windows 2000 would install black-and-white printer DLLs on top of color-aware DLLs, if a black-and-white printer was installed after the color printer.<ref>.</ref> | |||
===Incorrect COM registration=== | |||
In ] and other parts of Windows, prior to the introduction of ] registry-free assemblies,<ref>{{cite web |url=http://msdn.microsoft.com/en-us/library/ms973913.aspx |title=Registration-Free Activation of COM Components: A Walkthrough |publisher=] |author1=Leslie Muller |author2=Steve White |date=July 2005}}</ref> the ] was used for determining which underlying DLL to use. If a different version of a module was registered, this DLL would be loaded instead of the expected one. This scenario could be caused by conflicting installations that register different versions of the same libraries, in which case the last installation would prevail. | |||
===Shared in-memory modules=== | |||
16-bit versions of Windows (and ]) load only one instance of any given DLL; all applications reference the same in-memory copy, until no applications are using it and it is unloaded from memory. (For 32-bit and 64-bit versions of Windows, inter-process sharing occurs only where different executables load a module from exactly the same directory; the code but not the ] is shared between processes through a process called "memory mapping".) Thus, even when the desired DLL is located in a directory where it can be expected to be found, such as in the system directory or the application directory, neither of these instances will be used if another application has started with an incompatible version from a third directory. This issue can manifest itself as a 16-bit application error that occurs only when applications are started in a specific order. | |||
===Lack of serviceability=== | |||
In direct conflict with the DLL stomping problem: If updates to a DLL do not affect all applications that use it, then it becomes ''much'' harder to "service" the DLL – that is, to eliminate problems that exist in the current versions of the DLL. (Security fixes are a particularly compelling and painful case.) Instead of fixing just the latest version of the DLL, the implementor must ideally make their fixes and test them for compatibility on every released version of the DLL. | |||
==Causes== | |||
DLL incompatibility has been caused by: | |||
* Memory constraints, combined with lack of separation of process memory space in 16-bit versions of Windows; | |||
* Lack of enforced standard versioning, naming, and file-system location ] for DLLs; | |||
* Lack of an enforced standard method for software installation and removing (]); | |||
* Lack of centralized authoritative support for DLL ] management and safeguards, allowing incompatible DLLs with the same file name and internal version numbers to be released; | |||
* Oversimplified management tools, preventing the identification of changed or problematic DLLs by users and administrators; | |||
* Developers breaking backward compatibility of functions in shared modules; | |||
* Microsoft releasing out-of-band updates to operating-system runtime components; | |||
* Inability of earlier versions of Windows to run side-by-side conflicting versions of the same library; | |||
* Reliance on the current directory or <code>%PATH%</code> environment variable, both of which vary over time and from system to system, to find dependent DLLs (instead of loading them from an explicitly configured directory); | |||
* Developers re-using the ClassIDs from sample applications for the COM interfaces of their applications, rather than generating their own new ]. | |||
DLL hell was a very common phenomenon on pre-Windows NT versions of Microsoft operating systems, the primary cause being that the 16-bit operating systems did not restrict processes to their own memory space, thereby not allowing them to load their own version of a shared module that they were compatible with. Application installers were expected to be good citizens and verify DLL version information before overwriting the existing system DLLs. Standard tools to simplify application deployment (which always involves shipping the dependent operating-system DLLs) were provided by Microsoft and other 3rd-party tools vendors. Microsoft even required application vendors to use a standard installer and have their installation program certified to work correctly, before being granted use of the Microsoft logo. The good-citizen installer approach did not mitigate the problem, as the rise in popularity of the Internet provided more opportunities to obtain non-conforming applications. | |||
===Use by malware=== | |||
Windows searches several locations for ambiguously DLLs, i.e. ones not fully qualified. ]s can exploit this behavior in several ways collectively known as ''DLL search order hijacking''. One method is ''DLL preloading'' or a ''binary planting attack''. It places DLL files with the same name in a location that is searched earlier, such as the current working directory. When the vulnerable program tries to load the DLL, the malicious version is executed, possibly at high privilege levels if the program runs at that level.<ref name="mitre-attack">{{Cite web |last=Holston |first=Ami |last2=Liang |first2=Marina |last3=Kanthak |first3=Stefan |last4=Smith |first4=Travis |last5=Alexander |first5=Will |date=30 September 2024 |title=Hijack Execution Flow: DLL Search Order Hijacking, Sub-technique T1574.001 - Enterprise |url=https://attack.mitre.org/versions/v16/techniques/T1574/001/ |access-date=2024-12-07 |website=ATT&CK |series=Version 1.3 |publisher=MITRE |id=T1574.001}}</ref> | |||
Another method is ''relative path DLL hijacking'', which moves the vulnerable program to a location together with the malicious DLL. The DLL is loaded because the application's directory is searched early. According to ], this method is the most common.<ref name="crowdsource">{{Cite web |author=Falcon OverWatch Team |date=December 30, 2022 |title=4 Ways Adversaries Hijack DLLs |url=https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/ |access-date=2024-12-07 |website=CrowdStrike |language=en-US}}</ref> ''DLL sideloading'' delivers both the legitimate program and malicious library. It may avoid detection because the execution seems as running a reputable program.<ref name="checkpoint-research">{{Cite web |date=2024-09-25 |title=10 Years of DLL Hijacking, and What We Can Do to Prevent 10 More |url=https://research.checkpoint.com/2024/10-years-of-dll-hijacking-and-what-we-can-do-to-prevent-10-more/ |access-date=2024-12-07 |website=Check Point Research |language=en-US}}</ref> | |||
Other methods include ''phantom DLL hijacking'', where a malicious DLL file is created against references to a non-existent library, and changing registry values to abuse ''DLL redirection'', which changes the DLL search order.<ref name="mitre-attack" /> | |||
DLL hijacking was used by state-sponsored groups including ] and ].<ref name="checkpoint-research" /> | |||
==Solutions== | |||
Various forms of DLL hell have been solved or mitigated over the years. | |||
===Static linking=== | |||
A simple solution to DLL hell in an application is to ] all the libraries, i.e. to include the library version required in the program, instead of picking up a system library with a specified name.<ref name="threatormenace"/> This is common in C/C++ applications, where, instead of having to worry about which version of <code>MFC42.DLL</code> is installed, the application is compiled to be statically linked against the same libraries. This eliminates the DLLs entirely and is possible in standalone applications using only libraries that offer a static option, as ] does. However, the main purpose of DLLs – runtime library sharing between programs to reduce memory overhead – is sacrificed; duplicating library code in several programs creates ] and complicates the deployment of security fixes or newer versions of dependent software. | |||
===Windows File Protection=== | |||
The DLL overwriting problem (referred to as ''DLL Stomping'' by Microsoft) was somewhat reduced with ] (WFP),<ref>.</ref> which was introduced in ].<ref name="endofdllhell"/> This prevents unauthorized applications from overwriting system DLLs, unless they use the specific ]s that permit this. There may still be a risk that updates from Microsoft are incompatible with existing applications, but this risk is typically reduced in current versions of Windows through the use of ]. | |||
Third-party applications cannot stomp on OS files unless they bundle legitimate Windows updates with their installer, or if they disable the ] service during installation, and on Windows Vista or later also take ownership of system files and grant themselves access. The ] utility could revert these changes at any time. | |||
===Running conflicting DLLs simultaneously=== | |||
The solutions here consist of having different copies of the same DLLs for each application, both on disk and in memory. | |||
An easy manual solution to conflicts was placing the different versions of the problem DLL into the applications' folders, rather than a common system-wide folder. This works in general as long as the application is 32-bit or 64-bit, and that the DLL does not use shared memory. In the case of 16-bit applications, the two applications cannot be executed simultaneously on a 16-bit platform, or in the same 16-bit virtual machine under a 32-bit operating system. ] prevented this before Windows 98 SE/2000, because earlier versions of Windows had a single registry of COM objects for all applications. | |||
Windows 98 SE/2000 introduced a solution called '']'',<ref>{{Cite web |url=http://msdn2.microsoft.com/en-us/library/ms811700.aspx |title=Implementing Side-by-Side Component Sharing in Applications (Expanded) |publisher=Microsoft |access-date=3 January 2013 |archive-url=https://web.archive.org/web/20061210042506/http://msdn2.microsoft.com/en-us/library/ms811700.aspx |archive-date=10 December 2006}}</ref> which loads separate copies of DLLs for each application that requires them (and thus allows applications that require conflicting DLLs to run simultaneously). This approach eliminates conflicts by allowing applications to load unique versions of a module into their address space, while preserving the primary benefit of sharing DLLs between applications (i.e. reducing memory use) by using memory mapping techniques to share common code between different processes that do still use the same module. Yet DLLs using shared data between multiple processes cannot take this approach.<ref>{{cite web |url=http://msdn.microsoft.com/en-us/library/h90dkhs0(VS.71).aspx |title=How do I share data in my DLL with an application or with other DLLs? |publisher=] |access-date=2008-11-11}}</ref> One negative side effect is that orphaned instances of DLLs may not be updated during automated processes. | |||
===Portable applications=== | |||
Depending on the application architecture and runtime environment, ] may be an effective way to reduce some DLL problems, since every program bundles its own private copies of any DLLs it requires.<ref name="endofdllhell"/> The mechanism relies on applications not fully qualifying the paths to dependent DLLs when loading them, and the operating system searching the executable directory before any shared location.<ref name="sharedlibpolicy"/> However this technique can also be exploited by malware,<ref>{{cite web|url=http://support.microsoft.com/kb/2389418|title=Secure loading of libraries to prevent DLL preloading attacks|publisher=Microsoft|access-date=16 Feb 2013}}</ref> and the increased flexibility may also come at the expense of security if the private DLLs are not kept up to date with security patches in the same way that the shared ones are. | |||
] can also allow applications to run in a "bubble", which avoids installing DLL files directly into the operating system. | |||
=== Other countermeasures === | |||
There are other countermeasures to avoid DLL hell, some of which may have to be used simultaneously; | |||
some other features that help to mitigate the problem are: | |||
* Installation tools are now bundled into ], one of the main environments for Windows development. These tools perform version checking before DLL installation, and can include predefined installation packages in a .MSI installation. This allows third party applications to integrate OS component updates without having to write their own installers for these components. | |||
* ] can recover a system from a bad installation, including registry damage. Although this does not prevent the problem, it facilitates recovery therefrom. | |||
* WinSxS (]) directory, which allows multiple versions of the same libraries to co-exist. | |||
* Run 16-bit applications in a separate memory space under a 32-bit version of Windows to allow two applications to use conflicting versions of the same DLL at the same time. | |||
* Use a version of Windows that includes ]. ] and ], both released in 2000, support this form of system file protection, as do ] and ]. Its replacement, ], was introduced in Windows Vista and Windows Server 2008, and uses a different method of protecting system files from being changed. | |||
* Registration-free COM: ] introduced a new mode of COM object registration called "''Registration-free COM''". This feature makes it possible for applications that need to install COM objects to store all the required COM registry information in the application's own directory, instead of in the global system registry. Thus, it provides a mechanism for multiple versions of the same DLL to be registered at the same time by multiple applications (Microsoft calls this "]"<ref></ref>). DLL hell can be substantially avoided using Registration-free COM, the only limitation being it requires at least ] or later Windows versions and that it must not be used for EXE COM servers or system-wide components such as ], ], ] or ]. | |||
* Shipping the operating system with a capable ] that is able to track the DLL dependencies, encouraging the use of the package manager and discouraging manual installation of DLLs. ], included with ], ] and all later versions provides this functionality. | |||
* Having a central database or authority for DLL conflict resolution and software distribution. Changes to a library can be submitted to this authority; thus, it can make sure compatibility is preserved in the developed branches. If some older software is incompatible with the current library, the authority can provide a compatibility interface for it, or bundle the old version as a distinct package. | |||
* If software developers need to customize a library, and if the main library release is unlikely to incorporate the changes that they need, they can ship the customized DLL for the program's private use (commonly by placing it in the program's private directory) or statically link the program against the customized library. | * If software developers need to customize a library, and if the main library release is unlikely to incorporate the changes that they need, they can ship the customized DLL for the program's private use (commonly by placing it in the program's private directory) or statically link the program against the customized library. | ||
* |
* While DLLs are best for modularizing applications and the system's components and as third-party libraries, their usage is not imperative in all cases on modern systems where memory is no longer a constraint. For example, if an application needs a library that will not be used anywhere else, it can be linked statically, with no space penalty and with a speed gain. | ||
* Windows Vista and later use a special ''TrustedInstaller'' service to install operating system files. Other user accounts, including the SYSTEM, have no access to overwrite core system binaries. Windows 7 expands this functionality to some critical parts of the Registry. | |||
== See also == | |||
==DLL hell as motivation for .NET== | |||
* ] | |||
Around 2001, Microsoft introduced the ] to introduce their own version of a package deployment system, called ''assemblies'' . This framework also provided support for a common library runtime (essentially moving much DLL code to a base foundation class). This concept, along with file versioning, is often seen as one of the last operating system constructs that had failed to bridge the gap between ] and ], which shared a common operating systems ]. | |||
* ] | |||
* ] | |||
* ] | |||
* ] | |||
== |
==References== | ||
{{Reflist|2|refs=<ref name="sharedlibpolicy">{{cite web | |||
<references/> | |||
| url=http://www.fortran-2000.com/ArnaudRecipes/sharedlib.html | |||
| title=Using static and shared libraries across platforms; Row 9: Library Path | |||
| date=2007-06-15 | |||
| archive-url=https://web.archive.org/web/20080601183608/http://www.fortran-2000.com/ArnaudRecipes/sharedlib.html | |||
| archive-date=2008-06-01 | |||
| last=Desitter | |||
| first=Arnaud | |||
| publisher=ArnaudRecipes | |||
| access-date=2010-07-07 | |||
}}</ref> | |||
<ref name="endofdllhell">{{cite web | |||
| url=http://msdn.microsoft.com/library/techart/dlldanger1.htm | |||
| title=The End of DLL Hell | |||
| date=2000-01-11 | |||
| archive-url=https://web.archive.org/web/20010605023737/http://msdn.microsoft.com/library/techart/dlldanger1.htm | |||
| archive-date=2001-06-05 | |||
| last=Anderson | |||
| first=Rick | |||
| publisher=microsoft.com | |||
| access-date=2010-07-07 | |||
}}</ref> | |||
<ref name="threatormenace">{{cite web | |||
| url=http://www.ddj.com/184410810 | |||
| title=Windows DLLs: Threat or Menace? | |||
| date=1998-06-01 | |||
| archive-url=https://web.archive.org/web/20100807195510/http://www.ddj.com/184410810 | |||
| archive-date=2010-08-07| last=Pfeiffer | |||
| first=Tim | |||
| publisher=Dr. Dobb's Journal | |||
| access-date=2010-07-07 | |||
}}</ref>}} | |||
== |
==External links== | ||
* on |
* on Microsoft TechNet | ||
* on MSDN | * on MSDN | ||
* by Matt Pietrek | * by ] | ||
* (details on LoadLibraryEx) | |||
* {{Webarchive|url=https://web.archive.org/web/20181030172049/https://discuss.fogcreek.com/joelonsoftware/default.asp?cmd=show&ixPost=2899 |date=2018-10-30 }} | |||
* | |||
{{DEFAULTSORT:Dll Hell}} | |||
] | |||
] | ] | ||
] | |||
] | ] | ||
] | |||
] | |||
] | |||
] | |||
] | |||
] | |||
] |
Latest revision as of 23:03, 7 December 2024
Computing slangThis article's lead section may be too short to adequately summarize the key points. Please consider expanding the lead to provide an accessible overview of all important aspects of the article. (November 2024) |
This article needs additional citations for verification. Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged and removed. Find sources: "DLL hell" – news · newspapers · books · scholar · JSTOR (November 2024) (Learn how and when to remove this message) |
DLL hell is an umbrella term for the complications that arise when one works with dynamic-link libraries (DLLs) used with older Microsoft Windows operating systems, particularly legacy 16-bit editions, which all run in a single memory space. DLL hell can appear in many different ways, wherein affected programs may fail to run correctly, if at all. It is the Windows ecosystem-specific form of the general concept dependency hell.
Problems
DLLs are Microsoft's implementation of shared libraries. Shared libraries allow common code to be bundled into a wrapper, the DLL, which is used by any application software on the system without loading multiple copies into memory. A simple example might be the GUI text editor, which is widely used by many programs. By placing this code in a DLL, all the applications on the system can use it without using more memory. This contrasts with static libraries, which are functionally similar but copy the code directly into the application. In this case, every application grows by the size of all the libraries it uses, and this can be quite large for modern programs.
The problem arises when the version of the DLL on the computer is different than the version that was used when the program was being created. DLLs have no built-in mechanism for backward compatibility, and even minor changes to the DLL can render its internal structure so different from previous versions that attempting to use them will generally cause the application to crash. Static libraries avoid this problem because the version that was used to build the application is included inside it, so even if a newer version exists elsewhere on the system, this does not affect the application.
A key reason for the version incompatibility is the structure of the DLL file. The file contains a directory of the individual methods (procedures, routines, etc.) contained within the DLL and the types of data they take and return. Even minor changes to the DLL code can cause this directory to be re-arranged, in which case an application that calls a particular method believing it to be the 4th item in the directory might end up calling an entirely different and incompatible routine, which would normally cause the application to crash.
There are several problems commonly encountered with DLLs, especially after numerous applications have been installed and uninstalled on a system. The difficulties include conflicts between DLL versions, difficulty in obtaining required DLLs, and having many unnecessary DLL copies.
Solutions to these problems were known even while Microsoft was writing the DLL system. These have been incorporated into the .NET replacement, "Assemblies".
Incompatible versions
A particular version of a library can be compatible with some programs that use it and incompatible with others. Windows has been particularly vulnerable to this because of its emphasis on dynamic linking of C++ libraries and Object Linking and Embedding (OLE) objects. C++ classes export many methods, and a single change to the class, such as a new virtual method, can make it incompatible with programs that were built against an earlier version. Object Linking and Embedding has very strict rules to prevent this: interfaces are required to be stable, and memory managers are not shared. This is insufficient, however, because the semantics of a class can change. A bug fix for one application may result in the removal of a feature from another. Before Windows 2000, Windows was vulnerable to this because the COM class table was shared across all users and processes. Only one COM object in one DLL/EXE could be declared as having a specific global COM Class ID on a system. If any program needed to create an instance of that class, it got whatever was the current centrally registered implementation. As a result, an installation of a program that installed a new version of a common object might inadvertently break other programs that were previously installed.
DLL stomping
A common and troublesome problem occurs when a newly installed program overwrites a working system DLL with an earlier, incompatible version. Early examples of this were the ctl3d.dll
and ctl3dv2.dll
libraries for Windows 3.1: Microsoft-created libraries that third-party publishers would distribute with their software, but each distributing the version they developed with rather than the most recent version. DLL stomping occurs because:
- Microsoft in the past distributed runtime DLLs as shared system components (originally C:\WINDOWS and C:\WINDOWS\SYSTEM), as a way of efficiently sharing code in a shared-memory OS with limited RAM and disk space. Consequently, third-party developers also distributed these in such a manner.
- Application installers are typically executed in a privileged security context that has access to install DLLs into the system directories and to edit the system registry to register new DLLs as COM objects. A poorly written or misconfigured installer can therefore downgrade a system library on legacy versions of Windows, on which Windows File Protection or Windows Resource Protection does not roll back the change. On Windows Vista and later, only the "trusted installer" account can make changes to core operating-system libraries.
- Windows applications were permitted to include OS updates in their own installation programs. That is, many Microsoft DLLs are redistributable, meaning that the applications can include them if they need the services of the particular libraries.
- Before Windows Installer, Windows installers historically were commercial products; many people attempted to write their own installers, overlooking or mishandling versioning problems in the process.
- Some development environments did not automatically add a version resource in their compiled libraries, so many developers overlooked this aspect. Checking file dates, overwriting existing files or skipping the copy operation if the DLL was already installed were the only options available instead of correct versioning.
- Sometimes, the OS itself removed or replaced DLLs with older or obsolete versions. For example, Windows 2000 would install black-and-white printer DLLs on top of color-aware DLLs, if a black-and-white printer was installed after the color printer.
Incorrect COM registration
In COM and other parts of Windows, prior to the introduction of side-by-side registry-free assemblies, the Registry was used for determining which underlying DLL to use. If a different version of a module was registered, this DLL would be loaded instead of the expected one. This scenario could be caused by conflicting installations that register different versions of the same libraries, in which case the last installation would prevail.
Shared in-memory modules
16-bit versions of Windows (and Windows on Windows) load only one instance of any given DLL; all applications reference the same in-memory copy, until no applications are using it and it is unloaded from memory. (For 32-bit and 64-bit versions of Windows, inter-process sharing occurs only where different executables load a module from exactly the same directory; the code but not the stack is shared between processes through a process called "memory mapping".) Thus, even when the desired DLL is located in a directory where it can be expected to be found, such as in the system directory or the application directory, neither of these instances will be used if another application has started with an incompatible version from a third directory. This issue can manifest itself as a 16-bit application error that occurs only when applications are started in a specific order.
Lack of serviceability
In direct conflict with the DLL stomping problem: If updates to a DLL do not affect all applications that use it, then it becomes much harder to "service" the DLL – that is, to eliminate problems that exist in the current versions of the DLL. (Security fixes are a particularly compelling and painful case.) Instead of fixing just the latest version of the DLL, the implementor must ideally make their fixes and test them for compatibility on every released version of the DLL.
Causes
DLL incompatibility has been caused by:
- Memory constraints, combined with lack of separation of process memory space in 16-bit versions of Windows;
- Lack of enforced standard versioning, naming, and file-system location schemata for DLLs;
- Lack of an enforced standard method for software installation and removing (package management);
- Lack of centralized authoritative support for DLL application binary interface management and safeguards, allowing incompatible DLLs with the same file name and internal version numbers to be released;
- Oversimplified management tools, preventing the identification of changed or problematic DLLs by users and administrators;
- Developers breaking backward compatibility of functions in shared modules;
- Microsoft releasing out-of-band updates to operating-system runtime components;
- Inability of earlier versions of Windows to run side-by-side conflicting versions of the same library;
- Reliance on the current directory or
%PATH%
environment variable, both of which vary over time and from system to system, to find dependent DLLs (instead of loading them from an explicitly configured directory); - Developers re-using the ClassIDs from sample applications for the COM interfaces of their applications, rather than generating their own new GUIDs.
DLL hell was a very common phenomenon on pre-Windows NT versions of Microsoft operating systems, the primary cause being that the 16-bit operating systems did not restrict processes to their own memory space, thereby not allowing them to load their own version of a shared module that they were compatible with. Application installers were expected to be good citizens and verify DLL version information before overwriting the existing system DLLs. Standard tools to simplify application deployment (which always involves shipping the dependent operating-system DLLs) were provided by Microsoft and other 3rd-party tools vendors. Microsoft even required application vendors to use a standard installer and have their installation program certified to work correctly, before being granted use of the Microsoft logo. The good-citizen installer approach did not mitigate the problem, as the rise in popularity of the Internet provided more opportunities to obtain non-conforming applications.
Use by malware
Windows searches several locations for ambiguously DLLs, i.e. ones not fully qualified. Malwares can exploit this behavior in several ways collectively known as DLL search order hijacking. One method is DLL preloading or a binary planting attack. It places DLL files with the same name in a location that is searched earlier, such as the current working directory. When the vulnerable program tries to load the DLL, the malicious version is executed, possibly at high privilege levels if the program runs at that level.
Another method is relative path DLL hijacking, which moves the vulnerable program to a location together with the malicious DLL. The DLL is loaded because the application's directory is searched early. According to CrowdStrike, this method is the most common. DLL sideloading delivers both the legitimate program and malicious library. It may avoid detection because the execution seems as running a reputable program.
Other methods include phantom DLL hijacking, where a malicious DLL file is created against references to a non-existent library, and changing registry values to abuse DLL redirection, which changes the DLL search order.
DLL hijacking was used by state-sponsored groups including Lazarus Group and Tropic Trooper.
Solutions
Various forms of DLL hell have been solved or mitigated over the years.
Static linking
A simple solution to DLL hell in an application is to statically link all the libraries, i.e. to include the library version required in the program, instead of picking up a system library with a specified name. This is common in C/C++ applications, where, instead of having to worry about which version of MFC42.DLL
is installed, the application is compiled to be statically linked against the same libraries. This eliminates the DLLs entirely and is possible in standalone applications using only libraries that offer a static option, as Microsoft Foundation Class Library does. However, the main purpose of DLLs – runtime library sharing between programs to reduce memory overhead – is sacrificed; duplicating library code in several programs creates software bloat and complicates the deployment of security fixes or newer versions of dependent software.
Windows File Protection
The DLL overwriting problem (referred to as DLL Stomping by Microsoft) was somewhat reduced with Windows File Protection (WFP), which was introduced in Windows 2000. This prevents unauthorized applications from overwriting system DLLs, unless they use the specific Windows APIs that permit this. There may still be a risk that updates from Microsoft are incompatible with existing applications, but this risk is typically reduced in current versions of Windows through the use of side-by-side assemblies.
Third-party applications cannot stomp on OS files unless they bundle legitimate Windows updates with their installer, or if they disable the Windows File Protection service during installation, and on Windows Vista or later also take ownership of system files and grant themselves access. The SFC utility could revert these changes at any time.
Running conflicting DLLs simultaneously
The solutions here consist of having different copies of the same DLLs for each application, both on disk and in memory.
An easy manual solution to conflicts was placing the different versions of the problem DLL into the applications' folders, rather than a common system-wide folder. This works in general as long as the application is 32-bit or 64-bit, and that the DLL does not use shared memory. In the case of 16-bit applications, the two applications cannot be executed simultaneously on a 16-bit platform, or in the same 16-bit virtual machine under a 32-bit operating system. OLE prevented this before Windows 98 SE/2000, because earlier versions of Windows had a single registry of COM objects for all applications.
Windows 98 SE/2000 introduced a solution called side-by-side assembly, which loads separate copies of DLLs for each application that requires them (and thus allows applications that require conflicting DLLs to run simultaneously). This approach eliminates conflicts by allowing applications to load unique versions of a module into their address space, while preserving the primary benefit of sharing DLLs between applications (i.e. reducing memory use) by using memory mapping techniques to share common code between different processes that do still use the same module. Yet DLLs using shared data between multiple processes cannot take this approach. One negative side effect is that orphaned instances of DLLs may not be updated during automated processes.
Portable applications
Depending on the application architecture and runtime environment, portable applications may be an effective way to reduce some DLL problems, since every program bundles its own private copies of any DLLs it requires. The mechanism relies on applications not fully qualifying the paths to dependent DLLs when loading them, and the operating system searching the executable directory before any shared location. However this technique can also be exploited by malware, and the increased flexibility may also come at the expense of security if the private DLLs are not kept up to date with security patches in the same way that the shared ones are.
Application virtualization can also allow applications to run in a "bubble", which avoids installing DLL files directly into the operating system.
Other countermeasures
There are other countermeasures to avoid DLL hell, some of which may have to be used simultaneously; some other features that help to mitigate the problem are:
- Installation tools are now bundled into Microsoft Visual Studio, one of the main environments for Windows development. These tools perform version checking before DLL installation, and can include predefined installation packages in a .MSI installation. This allows third party applications to integrate OS component updates without having to write their own installers for these components.
- System Restore can recover a system from a bad installation, including registry damage. Although this does not prevent the problem, it facilitates recovery therefrom.
- WinSxS (Windows Side-by-Side) directory, which allows multiple versions of the same libraries to co-exist.
- Run 16-bit applications in a separate memory space under a 32-bit version of Windows to allow two applications to use conflicting versions of the same DLL at the same time.
- Use a version of Windows that includes Windows File Protection. Windows Me and Windows 2000, both released in 2000, support this form of system file protection, as do Windows XP and Windows Server 2003. Its replacement, Windows Resource Protection, was introduced in Windows Vista and Windows Server 2008, and uses a different method of protecting system files from being changed.
- Registration-free COM: Windows XP introduced a new mode of COM object registration called "Registration-free COM". This feature makes it possible for applications that need to install COM objects to store all the required COM registry information in the application's own directory, instead of in the global system registry. Thus, it provides a mechanism for multiple versions of the same DLL to be registered at the same time by multiple applications (Microsoft calls this "Side-by-Side Assembly"). DLL hell can be substantially avoided using Registration-free COM, the only limitation being it requires at least Windows XP or later Windows versions and that it must not be used for EXE COM servers or system-wide components such as MDAC, MSXML, DirectX or Internet Explorer.
- Shipping the operating system with a capable package management system that is able to track the DLL dependencies, encouraging the use of the package manager and discouraging manual installation of DLLs. Windows Installer, included with Windows Me, Windows 2000 and all later versions provides this functionality.
- Having a central database or authority for DLL conflict resolution and software distribution. Changes to a library can be submitted to this authority; thus, it can make sure compatibility is preserved in the developed branches. If some older software is incompatible with the current library, the authority can provide a compatibility interface for it, or bundle the old version as a distinct package.
- If software developers need to customize a library, and if the main library release is unlikely to incorporate the changes that they need, they can ship the customized DLL for the program's private use (commonly by placing it in the program's private directory) or statically link the program against the customized library.
- While DLLs are best for modularizing applications and the system's components and as third-party libraries, their usage is not imperative in all cases on modern systems where memory is no longer a constraint. For example, if an application needs a library that will not be used anywhere else, it can be linked statically, with no space penalty and with a speed gain.
- Windows Vista and later use a special TrustedInstaller service to install operating system files. Other user accounts, including the SYSTEM, have no access to overwrite core system binaries. Windows 7 expands this functionality to some critical parts of the Registry.
See also
References
- "Avoiding DLL Hell: Introducing Application Metadata in the Microsoft .NET Framework". Microsoft. October 2000.
- "A summary of CTL3D.DLL articles in Microsoft Support Knowledge Base". Microsoft.
- Redistribution of the shared C runtime component in Visual C++ 2005 and in Visual C++ .NET.
- KB 830490: HP Color LaserJet printer prints only in grayscale or in black-and-white on your Windows 2000 SP4-based computer.
- Leslie Muller; Steve White (July 2005). "Registration-Free Activation of COM Components: A Walkthrough". Microsoft.
- ^ Holston, Ami; Liang, Marina; Kanthak, Stefan; Smith, Travis; Alexander, Will (30 September 2024). "Hijack Execution Flow: DLL Search Order Hijacking, Sub-technique T1574.001 - Enterprise". ATT&CK. Version 1.3. MITRE. T1574.001. Retrieved 2024-12-07.
- Falcon OverWatch Team (December 30, 2022). "4 Ways Adversaries Hijack DLLs". CrowdStrike. Retrieved 2024-12-07.
- ^ "10 Years of DLL Hijacking, and What We Can Do to Prevent 10 More". Check Point Research. 2024-09-25. Retrieved 2024-12-07.
- Pfeiffer, Tim (1998-06-01). "Windows DLLs: Threat or Menace?". Dr. Dobb's Journal. Archived from the original on 2010-08-07. Retrieved 2010-07-07.
- Windows File Protection and Windows.
- ^ Anderson, Rick (2000-01-11). "The End of DLL Hell". microsoft.com. Archived from the original on 2001-06-05. Retrieved 2010-07-07.
- "Implementing Side-by-Side Component Sharing in Applications (Expanded)". Microsoft. Archived from the original on 10 December 2006. Retrieved 3 January 2013.
- "How do I share data in my DLL with an application or with other DLLs?". Microsoft. Retrieved 2008-11-11.
- Desitter, Arnaud (2007-06-15). "Using static and shared libraries across platforms; Row 9: Library Path". ArnaudRecipes. Archived from the original on 2008-06-01. Retrieved 2010-07-07.
- "Secure loading of libraries to prevent DLL preloading attacks". Microsoft. Retrieved 16 Feb 2013.
- Side-by-side Assemblies (Windows)
External links
- Getting Out of DLL Hell on Microsoft TechNet
- Simplifying Deployment and Solving DLL Hell with the .NET Framework on MSDN
- Avoiding DLL Hell: Introducing Application Metadata in the Microsoft .NET Framework by Matt Pietrek
- Dr. Dobb's on DLL hell (details on LoadLibraryEx)
- Joel on Software discussion Archived 2018-10-30 at the Wayback Machine
- Article on DLL hell