Mithril: Cleaving parser differentials in ELF tools presented at Sec-T 2013

by Sergey Bratus, Julian Bangert

Summary: The ELF format is generated and consumed by many different tools both in the build chain and in the runtime ABI; multiple ELF parsers exist both in the userland and in Unix kernels. Whenever a format is handled by different parsers, it tends to be implicitly assumed that these parsers see exactly the same structures in the streams of bytes, and, as various high-profile bugs showed (e.g., the recent Android Master Key bug and others), these assumptions can cost dearly. So how does ELF parsing code look in this regard?
From a language-theoretic standpoint, the ELF format is very context-sensitive: metadata is stored redundantly and interesting things happen with inconsistent ELF files. Not only do these dependencies make ELF binary manipulation tools hard to get right, but they prevent just about any two given ELF parsers from interpreting the same file consistently. For example, we will demonstrate an ELF file that exec() in the kernel interprets differently than ld.so, resulting in a binary that behaves completely differently when loaded as a shared library and as an executable, confusing your disassembler along the way for free.
The presenters will demonstrate the Mithril toolkit for manipulating ELF for these and other crafted cases. Mithril is a Ruby framework that takes care of most implicit ELF dependencies (except those that you specifically want to violate to make the result trigger this or that parser differential). It would also allow you to write your own linker in less than a hundred lines of Ruby.
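
One instance of the redundantly stored metadata the summary describes: an ELF file locates its dynamic table twice, once through a PT_DYNAMIC program header and once through an SHT_DYNAMIC section header. The Ruby check below is an added example, not code from the talk or from Mithril; it flags little-endian ELF64 files where the two views disagree. The helper names and the sample file are constructed here, and whether the talk's demo file relies on this particular field pair is not stated on this page.

```ruby
# Added example: compare the two ELF64 descriptions of the dynamic table.
PT_DYNAMIC  = 2  # program header type (segment view)
SHT_DYNAMIC = 6  # section header type (section view)
PHDR_FMT = "L<2Q<6"        # p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align
SHDR_FMT = "L<2Q<4L<2Q<2"  # sh_name sh_type sh_flags sh_addr sh_offset sh_size sh_link ...

# Unpack `count` records of `size` bytes starting at `off`; reject truncated tables.
def records(bin, off, size, count, min, fmt)
  (0...count).map do |i|
    rec = bin.byteslice(off + i * size, size)
    raise ArgumentError, "truncated header table" if rec.nil? || rec.bytesize < min
    rec.unpack(fmt)
  end
end

# Returns [segment_view, section_view], each [file_offset, size] or nil if absent.
def dynamic_views(bin)
  bin = bin.b
  unless bin.bytesize >= 64 && bin.byteslice(0, 6) == "\x7FELF\x02\x01".b
    raise ArgumentError, "not a little-endian ELF64 file"
  end
  phoff, shoff = bin.byteslice(32, 16).unpack("Q<2")
  phentsize, phnum, shentsize, shnum = bin.byteslice(54, 8).unpack("S<4")
  seg = records(bin, phoff, phentsize, phnum, 56, PHDR_FMT).find { |p| p[0] == PT_DYNAMIC }
  sec = records(bin, shoff, shentsize, shnum, 64, SHDR_FMT).find { |s| s[1] == SHT_DYNAMIC }
  [seg && [seg[2], seg[5]], sec && [sec[4], sec[5]]]
end

# True when both views agree on where the dynamic table is (or both lack one).
def dynamic_consistent?(bin)
  seg, sec = dynamic_views(bin)
  seg == sec
end

# Constructed sample: ELF header, one PT_DYNAMIC phdr, one SHT_DYNAMIC shdr, 32 data bytes.
def sample_elf(section_offset)
  ehdr = ["\x7FELF\x02\x01\x01".b, 3, 62, 1, 0, 64, 120, 0, 64, 56, 1, 64, 1, 0]
         .pack("a16S<2L<Q<3L<S<6")
  phdr = [PT_DYNAMIC, 6, 184, 0, 0, 16, 16, 8].pack(PHDR_FMT)
  shdr = [0, SHT_DYNAMIC, 3, 0, section_offset, 16, 0, 0, 8, 16].pack(SHDR_FMT)
  ehdr + phdr + shdr + ("\0".b * 32)
end

if __FILE__ == $PROGRAM_NAME
  puts dynamic_consistent?(sample_elf(184))
  puts dynamic_consistent?(sample_elf(200))
end
```

A mismatch is not proof of tampering, but it does mean that a tool reading section headers and a loader reading program headers will not be looking at the same bytes.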

Sergey Bratus: Sergey Bratus is a Research Assistant Professor of Computer Science at Dartmouth College. He enjoys wireless and wired network hacking and tries to help fellow academics to understand its value and relevance. Before coming to Dartmouth, he worked on machine learning for natural text processing at BBN Technologies. He has a Ph.D. in Mathematics from Northeastern University.