That new CoRev paper is interesting. I haven't had time to read it in detail but it sounds like an intriguing case for compiler/linker buffs.
Slightly OT, there was a very fun ActionScript exploit published by Mark Dowd of IBM in 2008. I'm reminded of it because it's about memory protection vulnerabilities.
"Application-Specific Attacks: Leveraging the ActionScript Virtual Machine"
ELF is pretty generally applicable to all NIX and NIX-like platforms, so I often refer to the Solaris Libraries and Linkers guide which has a lot of generally useful information and guidance:
I like your page about making Android executables, especially the quote from Carmack and the comment about the virtues of being a control freak. Have you tried to do the same thing for iOS? What is the current file and directory count for Xcode?
Also it is interesting that the powerpc elf loader verifies that the e_ehsize is the same size as the allocated buffer, perhaps they had an issue at one point.
I love the fact that it's all on one page and uses HTML anchors to get around. It makes it super simple to archive and read up later if the site ever goes down.
Thanks for the article! I'm really enjoying learning this stuff. One thing that came up which doesn't appear very clear is why `ld` continues to set the entrypoint for executables at 0x08048000 when that seems like such an arbitrary number held over from a version of Unix made decades ago. Wouldn't it be better to just get rid of that and start programs at 0x00000001? (leaving 0x0 open for NUL).
1. Space for NULL should be big enough for at least a medium-sized structure, otherwise (*NULL)->field = blah will overwrite your code.
2. Because of (1), Linux (for example) doesn't even allow processes to map the first page or so of memory.
3. On many platforms the PC needs to be aligned to a word boundary.
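To make points (1) and (2) above concrete, here is a small added example (mine, not code from the commenter or the article). It assumes Linux, reads the `vm.mmap_min_addr` sysctl from `/proc`, tries to map a page at address 0 with `MAP_FIXED`, and checks whether a field at the end of a deliberately oversized struct would, when reached through a NULL pointer, land above the protected low region. The struct size and field name are my own choices for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Read vm.mmap_min_addr (Linux). Returns -1 if the sysctl is not available. */
long read_mmap_min_addr(void) {
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (!f) return -1;
    long v = -1;
    if (fscanf(f, "%ld", &v) != 1) v = -1;
    fclose(f);
    return v;
}

/* Try to map one anonymous page at exactly `addr`.
 * Returns 0 on success (the page is unmapped again), otherwise the errno
 * the kernel reported. Without CAP_SYS_RAWIO, addresses below
 * mmap_min_addr are refused, which is what keeps the NULL page unmappable. */
int try_map_fixed(uintptr_t addr) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)addr, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) return errno;
    munmap(p, page);
    return 0;
}

/* A constructed struct larger than the usual 64 KiB mmap_min_addr default.
 * A write like ((struct big *)NULL)->flag = 1 targets address
 * offsetof(struct big, flag), not address 0. */
struct big {
    char buf[1 << 16];
    int flag;
};

/* 1 if a NULL->flag dereference would hit memory that an unprivileged
 * process is allowed to map (i.e. the offset is not protected by
 * mmap_min_addr), 0 otherwise or if the sysctl is unavailable. */
int null_field_reaches_mappable(void) {
    long min = read_mmap_min_addr();
    if (min < 0) return 0;
    return (long)offsetof(struct big, flag) >= min;
}

int main(void) {
    long min = read_mmap_min_addr();
    printf("vm.mmap_min_addr = %ld\n", min);

    int rc = try_map_fixed(0);
    printf("mmap(0, MAP_FIXED): %s\n", rc ? strerror(rc) : "succeeded");

    if (min > 0) {
        rc = try_map_fixed((uintptr_t)min);
        printf("mmap(0x%lx, MAP_FIXED): %s\n", min,
               rc ? strerror(rc) : "succeeded");
    }

    printf("offsetof(struct big, flag) = %zu -> NULL->flag %s\n",
           offsetof(struct big, flag),
           null_field_reaches_mappable()
               ? "lands in mappable memory (point 1 above)"
               : "is still inside the protected low region");
    return 0;
}
```

On a default Linux box (`mmap_min_addr` = 65536) the first mapping fails with EPERM while the second succeeds, and the struct's `flag` field sits just past the protected region, which is exactly why a fixed-size guard at 0 is not enough on its own.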
FDE: Frame Description Entry, CIE: Common Information Entry. AFAIR, they're used to unwind the stack in exceptions.
I think it's specified by the Itanium C++ ABI (which sounds archaic but actually many other processors use the same one).
I don't recall if these things are ELF features or if the ELF only knows about the "eh_frame" section. It's interesting and kinda sorta related low-level stuff IMO.
I don't know about that, but I did notice the author's photo looks like a passport pic (strict, formal). An unusual thing to include on a personal site, maybe.
http://stackoverflow.com/questions/12122446/how-does-c-linki...
And then you might want to skim through An Evil Copy: How the Loader Betrays You:
https://www.microsoft.com/en-us/research/publication/evil-co...