Programming Weird Machines with ELF Metadata

Presented at DEF CON 20 (2012), July 28, 2012, 2 p.m. (50 minutes)

The Executable and Linkable Format (ELF) is omnipresent; related OS and library code is run whenever processes are set up and serviced (e.g., dynamically linked). The loader is the stage manager for every executable. Hardly anyone appreciates the work that the ELF backstage crew (including the linker and the loader) puts in to make an executable run smoothly. While the rest of the world focuses on the star, hackers such as the Grugq (in Cheating the ELF) and Skape (in Locreate: An Anagram for Relocate), and the ERESI/ELFsh crew, know to schmooze with the backstage crew. We can make a star out of the loader by tricking it into performing any computation by presenting it with crafted but otherwise well-formed ELF metadata. We will provide you with a new reason why you should appreciate the power of the ELF linker/loader by demonstrating how specially crafted ELF relocation and symbol table entries can act as instructions to coerce the linker/loader into performing arbitrary computation. We will present a proof-of-concept method of constructing ELF metadata to implement the Turing-complete Brainfuck language primitives and well as demonstrate a method of crafting relocation entries to insert a backdoor into an executable.


  • Sergey Bratus - Research Assistant Professor, Dartmouth College
    Sergey Bratus is a Northern Appalachian who hacks DWARF and ELF. It is his ambition to collect and classify all kinds of weird machines; he is also a member of the conspiracy to eliminate large classes of bugs. Twitter: @sergeybratus
  • Rebecca Shapiro / bx - PhD student, Dartmouth College   as Rebecca "bx" Shapiro
    Rebecca "bx" Shapiro is a graduate student at a small college in Northern Appalachia. She enjoys tinkering with systems in undocumented manners to find hidden sources of computation. She hopes to continue this work to find more specimens for Sergey Bratus's weird machine zoo. Twitter: @bxsays