And then you might want to skim through An Evil Copy: How the Loader Betrays You:
Slightly OT, there was a very fun ActionScript exploit published by Mark Dowd of IBM in 2008. I'm reminded of it because it's about memory protection vulnerabilities.
"Application-Specific Attacks: Leveraging the ActionScript
Also it is interesting that the PowerPC ELF loader verifies that the e_ehsize is the same size as the allocated buffer, perhaps they had an issue at one point.
Thoughts for chapter 2: stuff that often confuses me: PLT, GOT, FDE/CIE.
1. Space for NULL should be big enough for at least a medium-sized structure, otherwise (*NULL)->field = blah will overwrite your code.
2. Because of (1), Linux (for example) doesn't even allow processes to map the first page or so of memory.
3. On many platforms the PC needs to be aligned to a word boundary.
One more question, though: how much space should be safe to leave for NULL? Is 128MB enough? Why not only as much as required?
I suppose it doesn't really matter anyway since the entry point location is virtual at this point anyway.
Linux allows you to configure the limit at /proc/sys/vm/mmap_min_addr.
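An added example (not from any commenter) that probes this guard from user space: it reads vm.mmap_min_addr, then asks the kernel for a fixed page at the NULL page, the next page, and the first page the guard allows. It assumes Linux and an unprivileged process (CAP_SYS_RAWIO bypasses the check).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_FIXED_NOREPLACE
#define MAP_FIXED_NOREPLACE 0x100000 /* Linux >= 4.17 */
#endif

/* Read vm.mmap_min_addr; returns -1 if unreadable (non-Linux, locked-down /proc). */
long read_mmap_min_addr(void) {
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    long v = -1;
    if (!f) return v;
    if (fscanf(f, "%ld", &v) != 1) v = -1;
    fclose(f);
    return v;
}

/* Try to place one anonymous page exactly at `addr`. Below the guard we use
 * MAP_FIXED: nothing of ours can live there, and the kernel then gives a
 * definite verdict (EPERM from the low-address check) instead of quietly
 * relocating the request. At or above the guard we use MAP_FIXED_NOREPLACE so
 * the probe cannot clobber our own mappings. Returns 0 if the page was mapped
 * (it is unmapped again), the errno on failure, or -1 if the kernel placed
 * the page elsewhere (old kernel, or address rejected as a hint). */
int probe_fixed_page(unsigned long addr) {
    long guard = read_mmap_min_addr();
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    int place = (guard >= 0 && (long)addr < guard) ? MAP_FIXED : MAP_FIXED_NOREPLACE;
    void *p = mmap((void *)addr, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | place, -1, 0);
    if (p == MAP_FAILED) return errno;
    int rc = (p == (void *)addr) ? 0 : -1;
    munmap(p, page);
    return rc;
}

int main(void) {
    long guard = read_mmap_min_addr();
    printf("vm.mmap_min_addr = %ld\n", guard);
    /* Constructed probe set: the NULL page, the next page, and the first page the guard allows. */
    unsigned long probes[] = { 0x0, 0x1000, guard > 0 ? (unsigned long)guard : 0x10000 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int rc = probe_fixed_page(probes[i]);
        printf("page at 0x%lx: %s\n", probes[i],
               rc == 0 ? "mappable" : rc < 0 ? "placed elsewhere" : strerror(rc));
    }
    return 0;
}
```

With the default guard of 65536 the first two probes are refused with EPERM and the third succeeds, which is exactly the margin that turns a `(*NULL)->field` write into a crash instead of a corruption.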
I think it's specified by the Itanium C++ ABI (which sounds archaic but actually many other processors use the same one).
I don't recall if these things are ELF features or if the ELF only knows about the "eh_frame" section. It's interesting and kinda sorta related low-level stuff IMO.
Anyone know of something equivalent for Mach-O?
Makes you wonder how ELF's brother (PE) and daughter (WASM) are doing.