Programming Weird Machines with ELF Metadata presented at DEF CON 20

by Sergey Bratus, Rebecca bx Shapiro

Summary: The Executable and Linkable Format (ELF) is omnipresent; related OS and library code is run whenever processes are set up and serviced (e.g., dynamically linked). The loader is the stage manager for every executable. Hardly anyone appreciates the work that the ELF backstage crew (including the linker and the loader) puts in to make an executable run smoothly. While the rest of the world focuses on the star, hackers such as the Grugq (in Cheating the ELF) and Skape (in Locreate: An Anagram for Relocate), and the ERESI/ELFsh crew, know to schmooze with the backstage crew. We can make a star out of the loader by tricking it into performing any computation by presenting it with crafted but otherwise well-formed ELF metadata. We will provide you with a new reason why you should appreciate the power of the ELF linker/loader by demonstrating how specially crafted ELF relocation and symbol table entries can act as instructions to coerce the linker/loader into performing arbitrary computation. We will present a proof-of-concept method of constructing ELF metadata to implement the Turing-complete Brainfuck language primitives, as well as demonstrate a method of crafting relocation entries to insert a backdoor into an executable.
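The loader-side mechanism the abstract refers to, as an added example (not code from the talk or its authors): a Python decoder for ELF64 relocation and symbol table entries that applies them the way a loader does, which makes visible that each entry is effectively a small store instruction (S + A or B + A written at r_offset), and that reports any entry whose target falls outside the segment it is supposed to patch. The record layouts and type numbers are the real ELF/x86-64 ones; the sample tables are constructed.

```python
import struct
from collections import namedtuple

# Real ELF64 record layouts and x86-64 relocation type numbers (ELF spec / psABI).
ELF64_RELA = struct.Struct("<QQq")    # r_offset, r_info, r_addend
ELF64_SYM = struct.Struct("<IBBHQQ")  # st_name, st_info, st_other, st_shndx, st_value, st_size
R_X86_64_64 = 1        # stores S + A
R_X86_64_RELATIVE = 8  # stores B + A
Reloc = namedtuple("Reloc", "offset sym rtype addend")

def parse_rela(data: bytes) -> list:
    """Decode a raw .rela.* section; r_info packs the symbol index and type."""
    return [Reloc(off, info >> 32, info & 0xFFFFFFFF, addend)
            for off, info, addend in ELF64_RELA.iter_unpack(data)]

def parse_symtab(data: bytes) -> list:
    """Return st_value for each entry of a raw .symtab/.dynsym section."""
    return [fields[4] for fields in ELF64_SYM.iter_unpack(data)]

def apply_relocs(relocs, symvals, mem: bytearray, base: int, load_bias: int = 0):
    """Process entries the way a loader does: compute S+A or B+A and store the
    64-bit result at r_offset. `mem` models one writable segment mapped at `base`.
    Returns the entries whose target lies outside that segment, which is the first
    thing to look at when a relocation table is suspected of driving the loader."""
    out_of_range = []
    for r in relocs:
        if r.rtype == R_X86_64_64:
            value = symvals[r.sym] + r.addend
        elif r.rtype == R_X86_64_RELATIVE:
            value = load_bias + r.addend
        else:
            continue  # other relocation types omitted here
        if not base <= r.offset <= base + len(mem) - 8:
            out_of_range.append(r)
            continue
        pos = r.offset - base
        mem[pos:pos + 8] = struct.pack("<Q", value & 0xFFFFFFFFFFFFFFFF)
    return out_of_range

def demo():
    # Constructed sample tables (not from any real binary): symbol 1 at 0x1000,
    # two relocations into the segment at 0x4000 and one aimed outside it.
    symtab = ELF64_SYM.pack(0, 0, 0, 0, 0, 0) + ELF64_SYM.pack(1, 0x10, 0, 1, 0x1000, 8)
    rela = (ELF64_RELA.pack(0x4000, (1 << 32) | R_X86_64_64, 0x10)
            + ELF64_RELA.pack(0x4008, R_X86_64_RELATIVE, 0x20)
            + ELF64_RELA.pack(0x9000, (1 << 32) | R_X86_64_64, 0))
    mem = bytearray(16)
    flagged = apply_relocs(parse_rela(rela), parse_symtab(symtab), mem, base=0x4000)
    return mem, [r.offset for r in flagged]
```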

Sergey Bratus: Sergey Bratus is a Research Assistant Professor of Computer Science at Dartmouth College. He enjoys wireless and wired network hacking and tries to help fellow academics to understand its value and relevance. Before coming to Dartmouth, he worked on machine learning for natural text processing at BBN Technologies. He has a Ph.D. in Mathematics from Northeastern University.