“Weird Machines” in ELF: A Spotlight on the Underappreciated Metadata

Authors: 

Rebecca Shapiro, Sergey Bratus, and Sean W. Smith, Dartmouth College

Abstract: 

Although software exploitation historically started as an exercise in coaxing the target's execution into attacker supplied binary shellcode, it soon became a practical study in pushing the limits of unexpected computation that could be caused by crafted data not containing any native code. We show how the ABI metadata that drives the creation of a process' runtime can also drive arbitrary computation. We introduce our design and implementation of Cobbler, a proof-of-concept toolkit capable of compiling a Turing-complete language into well-formed ELF executable metadata that get "executed" by the runtime loader (RTLD). Our proof-of-concept toolkit highlights how important it is that defenders expand their focus beyond the code and data sections of untrusted binaries, both in static analysis and in the dynamic analysis of the early runtime setup stages as well as any time the RTLD is invoked.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {179203,
author = {Rebecca Shapiro and Sergey Bratus and Sean W. Smith},
title = {{\textquotedblleft}Weird Machines{\textquotedblright} in {ELF}: A Spotlight on the Underappreciated Metadata},
booktitle = {Presented as part of the 7th {USENIX} Workshop on Offensive Technologies},
year = {2013},
address = {Washington, D.C.},
url = {https://www.usenix.org/conference/woot13/workshop-program/presentation/Shapiro},
publisher = {{USENIX}},
}
Download
Shapiro PDF
View the slides

Presentation Video

Download Video

Presentation Audio