fisl xiv - the elf file format and the linux loader

The ELF File Format and the Linux Loader

Divino Cesar S. Lucas

Universidade de Campinas - Instituto de ComputacaoLaboratorio de Sistemas de Computacao

(www.lsc.ic.unicamp.br)

XIV Forum Internacional de Software Livre

05 de Julho de 2013

The ELF FormatThe Linux ELF Loader

Questions

Agenda

1 The ELF (Executable and Linkable Format) Format

2 The Linux ELF Loader

3 Questions

Divino Cesar S. Lucas The ELF File Format and the Linux Loader


Questions

Relocatable, Shared Libraries and Executable FilesWhat / Why ELFs?The ELF HeaderSectionsSegments

The Pieces of a Program

gcc -c -O3 bob.c -o bob.o // relocatable filesgcc -c -O3 main.c -o main.ogcc bob.o main.o -o hello // executable file

gcc -shared -fPIC bob.c -o libhello.so // shared librarygcc main.c -lhello -L. -o hello // dynamically linked executable



Questions


What the file looks inside?

The Matrix?

Not. An ELF!



Questions


The Executable and Linkable Format (ELF)

Specification for Executable and Linkable Files.Successor of a.out and COFF formats.Besides Linux, it’s also used in: FreeBSD, OpenBSD,Solaris, HP-UX, etc.Used in many devices: PlayStation 3, Dreamcast, SomeNokia Cellphones.Support for modern programming languages and codereutilization.



Questions


The ELF Header

The ELF Header

typedef struct e l f 3 2 h d r {unsigned char e i de n t [ EI NIDENT ] ;E l f 3 2 H a l f e type ;E l f 3 2 H a l f e machine ;Elf32 Word e vers ion ;E l f32 Addr e en t r y ;E l f 3 2 O f f e pho f f ;E l f 3 2 O f f e s ho f f ;Elf32 Word e f l a g s ;E l f 3 2 H a l f e ehsize ;E l f 3 2 H a l f e phents ize ;E l f 3 2 H a l f e phnum ;E l f 3 2 H a l f e shents ize ;E l f 3 2 H a l f e shnum ;E l f 3 2 H a l f e shs t rndx ;

} El f32 Ehdr ;



Questions


The ELF Header - Example

The ELF Header$ readelf -h executavel

ELF Header:

Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00

Class: ELF64

Data: 2’s complement, little endian

Version: 1 (current)

OS/ABI: UNIX - System V

ABI Version: 0

Type: EXEC (Executable file)

Machine: Advanced Micro Devices X86-64

Version: 0x1

Entry point address: 0x400410

Start of program headers: 64 (bytes into file)

Start of section headers: 4440 (bytes into file)

Flags: 0x0

Size of this header: 64 (bytes)

Size of program headers: 56 (bytes)

Number of program headers: 9

Size of section headers: 64 (bytes)

Number of section headers: 30

Section header string table index: 27



Questions


Program Representation



Questions


ELF Sections

Mainly used during static linking process.Used to group together program portions with aresematically related (eg: data / code / constructors /destructors).



Questions


ELF Sections - Example

ELF Header

Sections Table. . .

.text

.data

.bss. . .

Allice.oELF Header

Sections Table

Segments Table. . .

.text

.text

.data

.data

.bss

.bss. . .

Executable

ELF Header

Sections Table. . .

.text

.data

.bss. . .

Bob.o



Questions


ELF Sections - Example

Section Table$ readelf -WS executavel

[Nr] Name Type Address Off Size ES Flg Lk Inf Al

[ 1] .interp PROGBITS 0000000000400238 000238 00001c 00 A 0 0 1

[11] .init PROGBITS 00000000004003c8 0003c8 000018 00 AX 0 0 4

[12] .plt PROGBITS 00000000004003e0 0003e0 000030 10 AX 0 0 16

[13] .text PROGBITS 0000000000400410 000410 000228 00 AX 0 0 16

[15] .rodata PROGBITS 0000000000400648 000648 000031 00 A 0 0 4

[22] .got PROGBITS 0000000000600fe0 000fe0 000008 08 WA 0 0 8

[24] .data PROGBITS 0000000000601010 001010 000020 00 WA 0 0 8

[25] .bss NOBITS 0000000000601030 001030 000010 00 WA 0 0 8

[28] .symtab SYMTAB 0000000000000000 0018d8 000690 18 29 48 8

[29] .strtab STRTAB 0000000000000000 001f68 00022b 00 0 0 1



Questions


ELF Segments

Used mainly during process creation (by the dynamicloader).Used to group together sections with the same flags (alltext, all data.



Questions


ELF Segments - Example

Program Headers$ readelf -Wl executavel

Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align

PHDR 0x000040 0x0000000000400040 0x0000000000400040 0x0001f8 0x0001f8 R E 0x8

INTERP 0x000238 0x0000000000400238 0x0000000000400238 0x00001c 0x00001c R 0x1

LOAD 0x000000 0x0000000000400000 0x0000000000400000 0x00079c 0x00079c R E 0x200000

LOAD 0x000e28 0x0000000000600e28 0x0000000000600e28 0x000208 0x000218 RW 0x200000

DYNAMIC 0x000e50 0x0000000000600e50 0x0000000000600e50 0x000190 0x000190 RW 0x8

NOTE 0x000254 0x0000000000400254 0x0000000000400254 0x000044 0x000044 R 0x4

GNU_EH_FRAME 0x00067c 0x000000000040067c 0x000000000040067c 0x00003c 0x00003c R 0x4

GNU_STACK 0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW 0x8

GNU_RELRO 0x000e28 0x0000000000600e28 0x0000000000600e28 0x0001d8 0x0001d8 R 0x1



Questions


ELF Segments - Sections to Segments

Mapping from Sections to Segments$ readelf -Wl executavel

00

01 .interp

02 .interp .gnu.hash .dynsym .dynstr .rela.dyn .rela.plt .init .plt .text .fini .rodata

03 .ctors .dtors .jcr .dynamic .got .got.plt .data .bss

04 .dynamic

05 .note.ABI-tag .note.gnu.build-id

06 .eh_frame_hdr

07

08 .ctors .dtors .jcr .dynamic .got



Questions

1) Load the main binary2) Load the main binary dependencies3) Create a symbol resolution map4 and 5) Apply data and function relocations6) Initialize libraries and jump to program start.

How a Process Start?

Function File Comment

Shell/GUI user applicationExecutes fork() to create a news process

and execve() to replace the child.

execve fs/exec.cDo some preprocessing stuff and calls

search binary handler.

search binary handler fs/exec.cIdentify which type is the binary

and calls the appropriate handler.

load elf binary fs/binfmt elf.cValidate the binary file and

do some preprocessing.start thread arch/x86/kernel/process.c Start a new thread of execution.



Questions


Loader - workflow

1 Load the main binary.2 Load the main binary dependencies (shared libraries).3 Create a symbol resolution map.4 Apply data relocations (fill the GOT table).5 Apply function relocations (fill the GOT.PLT table).6 Call libraries initializers, registry finalizers and start the

program.



Questions


Loading the main binary

Loadable Segments$ readelf -Wl executavel

Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align

PHDR 0x000040 0x0000000000400040 0x0000000000400040 0x0001f8 0x0001f8 R E 0x8

INTERP 0x000238 0x0000000000400238 0x0000000000400238 0x00001c 0x00001c R 0x1

**** LOAD 0x000000 0x0000000000400000 0x0000000000400000 0x00079c 0x00079c R E 0x200000

**** LOAD 0x000e28 0x0000000000600e28 0x0000000000600e28 0x000208 0x000218 RW 0x200000

**** DYNAMIC 0x000e50 0x0000000000600e50 0x0000000000600e50 0x000190 0x000190 RW 0x8

NOTE 0x000254 0x0000000000400254 0x0000000000400254 0x000044 0x000044 R 0x4

GNU_EH_FRAME 0x00067c 0x000000000040067c 0x000000000040067c 0x00003c 0x00003c R 0x4

GNU_STACK 0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW 0x8

GNU_RELRO 0x000e28 0x0000000000600e28 0x0000000000600e28 0x0001d8 0x0001d8 R 0x1



Questions


The Dynamic Section/Segment

Dynamic Information Block$ readelf -dW executavel

Tag Type Name/Value

0x0000000000000001 (NEEDED) Shared library: [libc.so.6]

0x000000000000000c (INIT) 0x4003c8

0x000000000000000d (FINI) 0x400638

0x000000006ffffef5 (GNU_HASH) 0x400298

0x0000000000000005 (STRTAB) 0x400318

0x0000000000000006 (SYMTAB) 0x4002b8

0x000000000000000a (STRSZ) 63 (bytes)

0x000000000000000b (SYMENT) 24 (bytes)

0x0000000000000003 (PLTGOT) 0x600fe8

0x0000000000000002 (PLTRELSZ) 48 (bytes)

0x0000000000000014 (PLTREL) RELA

0x0000000000000017 (JMPREL) 0x400398

0x0000000000000007 (RELA) 0x400380

0x0000000000000008 (RELASZ) 24 (bytes)

0x0000000000000009 (RELAENT) 24 (bytes)



Questions


Dependences from my dependences...

Executable

libz.so

liby.so

. . .libc.so

libb.so

liba.so

libb.so

libe.so

libd.so

libc.so

liby.so

libg.so

libf.so

libe.so



Questions


Shared Libraries: ldd and ldconfig

ldconfig to find dynamic dependencies$ ldconfig -p

...

libBrokenLocale.so.1 (libc6, OS ABI: Linux 2.6.24) => /lib/i386-linux-gnu/libBrokenLocale.so.1

ld-linux-x86-64.so.2 (libc6,x86-64) => /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2

libQtXml.so.4 (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libQtXml.so.4

libQtWebKit.so.4 (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libQtWebKit.so.4

libQtSvg.so.4 (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libQtSvg.so.4

libQtSql.so.4 (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libQtSql.so.4

...



Questions


Process Address Space

Executable (.text)

Executable (.data)

Executable ( .bss)

HEAP

Library-A (.text)

Library-A (.data)

Library-A ( .bss)

Library-B (.text)

Library-B (.data)

Library-B ( .bss)

STACK

Lower Addresses

Higher Addresses

Process Address Space

Fixed distance

Fixed distance



Questions


Symbol resolution scope and ordering

Executable

libz.so

liby.so

. . .libc.so

libb.so

liba.so

libb.so

libe.so

libd.so

libc.so

liby.so

libg.so

libf.so

libe.so



Questions


Relocations

Relocation is the process of connecting symbolicreferences with symbolic definitions.There are data relocations and function relocations.



Questions


Relocations - Why do we need relocations (Part 1)?

gcc -c -O3 bob.c -o bob.o // relocatable filesgcc -c -O3 main.c -o main.ogcc bob.o main.o -o hello // executable file

gcc -shared -fPIC bob.c -o libhello.so // shared librarygcc main.c -lhello -L. -o hello // dynamically linked executable



Questions


Relocations - Why do we need relocations (Part 2)?

Executable (.text)

Executable (.data)

Executable ( .bss)

HEAP

Library-A (.text)

Library-A (.data)

Library-A ( .bss)

Library-B (.text)

Library-B (.data)

Library-B ( .bss)

STACK

Process A

. . .

. . .

Library-A (.text)

Library-A (.data)

Library-A ( .bss)

Library-A (.data)

Library-A ( .bss)

Library-B (.text)

Library-B (.data)

Library-B ( .bss)

Library-C (.text)

Library-C (.data)

Library-C ( .bss)

. . .

. . .

Physical Memory

Executable (.text)

Executable (.data)

Executable ( .bss)

HEAP

Library-A (.text)

Library-A (.data)

Library-A ( .bss)

Library-C (.text)

Library-C (.data)

Library-C ( .bss)

STACK

Process B



Questions


Relocations - Where are them?

Data and function relocations$ readelf -rW executavel

Relocation section ’.rela.dyn’ at offset 0x380 contains 1 entries:

Offset Info Type Symbol’s Value Symbol’s Name + Addend

0000000000600fe0 0000000300000006 R_X86_64_GLOB_DAT 0000000000000000 __gmon_start__ + 0

Relocation section ’.rela.plt’ at offset 0x398 contains 2 entries:


0000000000601000 0000000100000007 R_X86_64_JUMP_SLOT 0000000000000000 printf + 0

0000000000601008 0000000200000007 R_X86_64_JUMP_SLOT 0000000000000000 __libc_start_main + 0



Questions


Dynamic Symbol Table (dynsym)

$ readelf -Ws libtest.so

Num: Value Size Type Bind Vis Ndx Name

0: 0000000000000000 0 NOTYPE LOCAL DEFAULT UND

1: 0000000000000498 0 SECTION LOCAL DEFAULT 9

2: 0000000000000000 0 NOTYPE WEAK DEFAULT UND __gmon_start__

3: 0000000000000000 0 NOTYPE GLOBAL DEFAULT UND foo

4: 0000000000000000 0 NOTYPE WEAK DEFAULT UND _Jv_RegisterClasses

5: 0000000000000000 0 FUNC WEAK DEFAULT UND __cxa_finalize@GLIBC_2.2.5 (2)

6: 0000000000201018 0 NOTYPE GLOBAL DEFAULT ABS _edata

7: 0000000000201028 0 NOTYPE GLOBAL DEFAULT ABS _end

8: 0000000000201018 0 NOTYPE GLOBAL DEFAULT ABS __bss_start

9: 00000000000005ac 11 FUNC GLOBAL DEFAULT 11 function

10: 0000000000000498 0 FUNC GLOBAL DEFAULT 9 _init

11: 00000000000005f8 0 FUNC GLOBAL DEFAULT 12 _fini



Questions


Dynamic String Table (dynstr)

$ readelf -p .dynstr executavel

String dump of section ’.dynstr’:

[ 1] libhello.so

[ d] __gmon_start__

[ 1c] _Jv_RegisterClasses

[ 30] bob_speak

[ 3a] _init

[ 40] _fini

[ 46] libc.so.6

[ 50] __libc_start_main

[ 62] _edata

[ 69] __bss_start

[ 75] _end

[ 7a] GLIBC_2.2.5



Questions


Global Offset Table

gcc -shared -fPIC hello.c -o libhello.so

#include <s t d i o . h>

i n t va lo r1 ;

i n t fun1 ( void ) {

va lo r1 = 123;

p r i n t f ( ” Valor de va lo r1 = %d\n ” , va lo r1 ) ;

return 0;}



Questions


Global Offset Table

objdump -d libhello.so

5 f0 : mov 0x2009d9(% r i p ) ,% rax # 200 fd0 < DYNAMIC+0x188>5 f7 : movl $0x7b ,(% rax )



Questions


Global Offset Table

readelf -WS libhello.so

[ 2 0 ] . g o t PROGBITS 0000000000200 fc8 000 fc8 000020 08 WA 0 0 8[ 2 1 ] . g o t . p l t PROGBITS 0000000000200 fe8 000 fe8 000028 08 WA 0 0 8



Questions


Global Offset Table

readelf -Wr libhello.soRelocation section ’.rela.dyn’ at offset 0x428 contains 5 entries:


...

0000000000200fd0 0000000c00000006 R_X86_64_GLOB_DAT 0000000000201028 valor1 + 0

...



Questions


Procedure Linkage Table

objdump -d exec

4005 fd : c a l l q 400500 <fun1@plt>

400500 <fun1@plt > :400500: jmpq ∗0x200b02(% r i p ) # 601008 < GLOBAL OFFSET TABLE +0x20>400506: pushq $0x140050b : jmpq 4004e0 < i n i t +0x20>

4004e0 < l i b c s t a r t m a i n @ p l t −0x10> :4004e0 : pushq 0x200b0a(% r i p ) # 600 f f 0 < GLOBAL OFFSET TABLE +0x8>4004e6 : jmpq ∗0x200b0c(% r i p ) # 600 f f 8 < GLOBAL OFFSET TABLE +0x10>4004ec : nopl 0x0(%rax )



Questions


Procedure Linkage Table

readelf -Wr execOffset Info Type Symbol’s Value Symbol’s Name + Addend

0000000000601000 0000000100000007 R_X86_64_JUMP_SLOT 0000000000000000 __libc_start_main + 0

0000000000601008 0000000300000007 R_X86_64_JUMP_SLOT 0000000000000000 fun1 + 0



Questions


Program Initialization Flow



Questions

Thank you!

Questions?

divcesar [at] gmail [dot] comhttp://johntortugo.wordpress.com


fisl xiv - the elf file format and the linux loader

Technology