CS38, Security and Privacy, Spring 2005
The ELF format is key to many exploits. In particular, infecting
executables requires an intimate understanding of it. The ELF
spec is somewhat dense, and does not describe many of the sections
that are present in any executable or shared object file on
a modern GNU/Linux system. Levine's book is a gentler
introduction to the subject, especially to relocation,
but referring to the ELF spec is still inevitable.
You might find it interesting that the debugging format
that accompanies ELF, an intimate friend, is called DWARF.
ELF hackery
- Executable and Linkable Format (ELF),
http://www.muppetlabs.com/~breadbox/software/ELF.txt
[local ELF.txt]
The spec. Same thing in PDF for bedside reading: http://www.tachyonsoft.com/elf.pdf
- Cheating the ELF,
the grugq
http://downloads.securityfocus.com/library/subversiveld.pdf
[local subversiveld.pdf]
A useful and less painful introduction to dynamic linking, and to subverting it for nefarious purposes.
- The ELF Virus Writing HOWTO,
Alexander Bartolich
http://www.lwfug.org/~abartoli/virus-writing-HOWTO/_html/
In order to infect an executable and hide in it, and yet not break it, we must understand how it works really well. This article covers a number of practical finer points of ELF. The document has changed so much between revisions as to be practically unrecognizable. The older version at http://redvip.homelinux.net/varios/virus-writing-HOWTO/index.html is more suitable for a start, and generally more fun. I suggest you start with it, and then switch to the newer, somewhat drier version for more detail.
- A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux,
http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html
[local teensy.html]
Nice hackery, worth a read.
- Reverse Engineering Linux x86 Binaries,
Sean Burford
http://www.ultri.cx/talks/reverse/
[local reveng-0.2.pdf]
[local reverse-talk.pdf]
A nice summary of basic reverse engineering techniques, both static and dynamic. Explains the GNU/Linux tools for process observation and debugging.
- Playing with binary formats,
Alessandro Rubini
http://www.linux.it/~rubini/docs/binfmt/binfmt.html
[local binfmt.tar.gz ]
A good explanation of how files get loaded and executed, and the role of the Linux kernel in it. This goes well with Phrack papers on kernel hijacking and redirection, or the advanced buffer overflow techniques that use ELF structures.
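The following is an added example, not part of this page or of any of the readings above. It builds the kind of stripped-down executable the teensy tutorial describes (an ELF header, a single PT_LOAD program header, a 12-byte exit stub, and no section header table at all), parses the result back with nothing but struct, and applies the first check an analyst makes when looking for the entry-point infection the virus-writing HOWTO discusses: does e_entry land inside an executable PT_LOAD segment? The load address 0x400000, the exit(42) stub and the file layout are constructed for the example; the structure layouts and constants are those of the ELF spec.

```python
"""Minimal ELF64 builder and parser (added example, not from the course page)."""
import struct

# Constants from the ELF spec (same values as <elf.h>).
ELFMAG = b"\x7fELF"
ELFCLASS64 = 2
ELFDATA2LSB = 1
ET_EXEC = 2
EM_X86_64 = 62
PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4

EHDR_FMT = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, little-endian
PHDR_FMT = "<IIQQQQQQ"           # Elf64_Phdr
EHDR_SIZE = struct.calcsize(EHDR_FMT)   # 64
PHDR_SIZE = struct.calcsize(PHDR_FMT)   # 56

BASE = 0x400000   # load address chosen for the example

# Constructed x86-64 stub: mov edi, 42 ; mov eax, 60 (SYS_exit) ; syscall
EXIT_42 = bytes.fromhex("bf2a000000b83c0000000f05")


def build_tiny_elf(code: bytes = EXIT_42, base: int = BASE) -> bytes:
    """Return a complete static ELF64 executable: Ehdr + one Phdr + code."""
    code_off = EHDR_SIZE + PHDR_SIZE            # code starts at offset 120
    entry = base + code_off
    total = code_off + len(code)
    e_ident = ELFMAG + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\0" * 8
    # e_shoff, e_shentsize, e_shnum, e_shstrndx are all 0: no section table.
    ehdr = struct.pack(EHDR_FMT, e_ident, ET_EXEC, EM_X86_64, 1, entry,
                       EHDR_SIZE, 0, 0, EHDR_SIZE, PHDR_SIZE, 1, 0, 0, 0)
    # One segment maps the whole file (headers included) R+X at `base`;
    # p_vaddr and p_offset agree modulo p_align, as the loader requires.
    phdr = struct.pack(PHDR_FMT, PT_LOAD, PF_R | PF_X, 0, base, base,
                       total, total, 0x1000)
    return ehdr + phdr + code


def parse_elf(data: bytes) -> dict:
    """Parse the ELF64 header and program header table; raise on bad input."""
    if len(data) < EHDR_SIZE or data[:4] != ELFMAG:
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("only little-endian ELF64 is handled here")
    (_ident, e_type, e_machine, _ver, e_entry, e_phoff, e_shoff, _flags,
     _ehsize, e_phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = \
        struct.unpack_from(EHDR_FMT, data, 0)
    if e_phentsize != PHDR_SIZE:
        raise ValueError("unexpected e_phentsize %d" % e_phentsize)
    if e_phoff + e_phnum * PHDR_SIZE > len(data):
        raise ValueError("program header table runs past end of file")
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags, p_off, p_vaddr, _paddr, p_filesz, p_memsz, p_align = \
            struct.unpack_from(PHDR_FMT, data, e_phoff + i * PHDR_SIZE)
        phdrs.append(dict(type=p_type, flags=p_flags, offset=p_off,
                          vaddr=p_vaddr, filesz=p_filesz, memsz=p_memsz,
                          align=p_align))
    return dict(type=e_type, machine=e_machine, entry=e_entry, phoff=e_phoff,
                phnum=e_phnum, shoff=e_shoff, shnum=e_shnum, phdrs=phdrs)


def entry_segment(elf: dict):
    """Return the executable PT_LOAD segment containing e_entry, or None.

    Entry-point infectors redirect e_entry to code they appended or padded
    in; an entry outside every executable PT_LOAD is the first red flag.
    """
    for ph in elf["phdrs"]:
        if ph["type"] != PT_LOAD or not ph["flags"] & PF_X:
            continue
        if ph["vaddr"] <= elf["entry"] < ph["vaddr"] + ph["memsz"]:
            return ph
    return None


def vaddr_to_offset(elf: dict, vaddr: int) -> int:
    """Translate a virtual address to a file offset through the PT_LOAD map."""
    for ph in elf["phdrs"]:
        if ph["type"] == PT_LOAD and ph["vaddr"] <= vaddr < ph["vaddr"] + ph["filesz"]:
            return vaddr - ph["vaddr"] + ph["offset"]
    raise ValueError("vaddr %#x is not backed by file bytes" % vaddr)


if __name__ == "__main__":
    image = build_tiny_elf()
    elf = parse_elf(image)
    seg = entry_segment(elf)
    print("%d bytes, entry %#x in segment %#x-%#x, code at file offset %d" % (
        len(image), elf["entry"], seg["vaddr"], seg["vaddr"] + seg["memsz"],
        vaddr_to_offset(elf, elf["entry"])))
    # On Linux x86-64: open("tiny", "wb").write(image); chmod +x tiny; ./tiny
    # exits with status 42. readelf -h / -l on it shows the same values.
```

The point the section headers drive home: the kernel loader only consults the program headers, so a file with e_shnum = 0 runs fine, while objdump and readelf -S have nothing to show for it. That is also why an analyst's checks should be written against segments rather than sections, which an infector is free to rewrite or strip.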
ELF tools
Useful tools to be aware of:
- objdump -- part of GNU binutils, the toolchain that ships alongside GCC
- readelf -- also in binutils; sometimes its representation of the data is more convenient, and it reads the ELF structures directly rather than through BFD
- elfsh -- manipulate ELF files with shell-like commands
- xxd -- binary viewer (not related to ELF, but useful)
- hexedit -- ditto
Sergey Bratus