Programming Weird Machines with ELF Metadata

DEF CON 20

Presented by: Sergey Bratus, Rebecca Shapiro (BX)
Date: Saturday July 28, 2012
Time: 14:00 - 14:50
Location: Track 5 / Penn & Teller

The Executable and Linkable Format (ELF) is omnipresent; related OS and library code is run whenever processes are set up and serviced (e.g., dynamically linked). The loader is the stage manager for every executable. Hardly anyone appreciates the work that the ELF backstage crew (including the linker and the loader) puts in to make an executable run smoothly. While the rest of the world focuses on the star, hackers such as the Grugq (in Cheating the ELF) and Skape (in Locreate: An Anagram for Relocate), and the ERESI/ELFsh crew, know to schmooze with the backstage crew. We can make a star out of the loader by tricking it into performing any computation by presenting it with crafted but otherwise well-formed ELF metadata. We will provide you with a new reason why you should appreciate the power of the ELF linker/loader by demonstrating how specially crafted ELF relocation and symbol table entries can act as instructions to coerce the linker/loader into performing arbitrary computation. We will present a proof-of-concept method of constructing ELF metadata to implement the Turing-complete Brainfuck language primitives and well as demonstrate a method of crafting relocation entries to insert a backdoor into an executable.

Rebecca Shapiro

Rebecca "bx" Shapiro is a graduate student at a small college in Northern Appalachia. She enjoys tinkering with systems in undocumented manners to find hidden sources of computation. She hopes to continue this work to find more specimens for Sergey Bratus's weird machine zoo. Twitter: @bxsays

Sergey Bratus

Sergey Bratus is a Northern Appalachian who hacks DWARF and ELF. It is his ambition to collect and classify all kinds of weird machines; he is also a member of the http://langsec.org conspiracy to eliminate large classes of bugs. Twitter: @sergeybratus


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats