[Apologies if you see this twice. This is an open case --- Resending to 
psarc-ext]

I am sponsoring the following fast track for myself - timeout 7/11/2007
---------------------------------------------------------------------------

This case proposes a new command line option (-P) to elfdump. If
an object without section headers is encountered, or if the user
specifies -P, elfdump will use the program headers to synthesize
a set of section headers, and will then use those generated headers
instead of the actual ones to generate its output.

This feature improves our ability to analyze ELF objects in which
the section headers have been stripped, or altered. It does not
otherwise alter elfdump behavior or output.

This change is my solution to:

     6530249 elfdump should handle ELF files with no section header table


Background Information
----------------------
ELF files contain two different types of header records. Section
headers provide detailed information about every section found in
a given object, whether or not they are mapped as part of an
executable process. Linkers, debuggers and diagnostic tools rely
on this information. Program headers provide only the information
needed by the exec() system call, and the runtime linker, to load
and execute a program.

A malicious person can remove or corrupt section headers. The
resulting program will be difficult to analyze, but is still
runnable. Hence, scribbling on the section headers or removing
them is an effective form of obfuscation. An example of this is
the recent worm that exploited a vulnerability in the Solaris
telnet daemon. The author of that worm stripped the section
headers from the executable file, limiting our ability to examine
it with the elfdump utility.

In contrast, program headers must be relatively accurate or the
program will not run. In particular, calls to routines in system
libraries (such as libc) cannot be disguised, since the runtime
linker looks these up by name. Program headers access much of
the same data as section headers, especially through the
PT_DYNAMIC header, which points to the dynamic section used to
convey information to the runtime linker (ld.so.1). This leads to
the idea of using the program headers to construct a synthetic
set of section headers, rather than relying on the actual section
headers. These fake section headers will necessarily lack information
found in the originals (particularly for non-allocable sections),
but will provide essential symbol information. The focus is on
recovering information that elfdump knows how to display, and that
might be interesting in a forensic situation.
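As an added illustration of the idea above (example code written for this note, not the elfdump change under review or its implementation), the Python below walks PT_DYNAMIC with the section header table ignored entirely, translates the DT_STRTAB and DT_SYMTAB addresses through the PT_LOAD segments, bounds the symbol table with the nchain count from the DT_HASH table, and lists the dynamic symbol names. The sample ELF64 image, its load address and the symbol names puts/exit are constructed for the demonstration, and the sketch assumes a little-endian ELF64 object that carries a SysV DT_HASH table.

```python
import struct

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_HASH, DT_STRTAB, DT_SYMTAB, DT_STRSZ, DT_SYMENT = 0, 4, 5, 6, 10, 11
BASE = 0x400000  # load address of the constructed sample below

def synthesize_sections(img):
    """Recover .dynstr/.dynsym as (file offset, size) from PT_DYNAMIC; e_shoff is never read."""
    phoff, = struct.unpack_from("<Q", img, 0x20)
    phentsize, phnum = struct.unpack_from("<HH", img, 0x36)
    phs = [struct.unpack_from("<IIQQQQQQ", img, phoff + i * phentsize) for i in range(phnum)]
    def to_off(va):  # virtual address -> file offset, through the PT_LOAD segments
        for p_type, _, p_off, p_vaddr, _, p_filesz, _, _ in phs:
            if p_type == PT_LOAD and p_vaddr <= va < p_vaddr + p_filesz:
                return p_off + va - p_vaddr
        raise ValueError("vaddr %#x is not backed by any PT_LOAD" % va)
    tags, off = {}, next(p[2] for p in phs if p[0] == PT_DYNAMIC)
    while True:  # walk the dynamic array up to DT_NULL
        tag, val = struct.unpack_from("<qQ", img, off)
        if tag == DT_NULL:
            break
        tags[tag], off = val, off + 16
    # .dynamic gives no size for DT_SYMTAB; nchain in the DT_HASH table is the symbol count
    nchain, = struct.unpack_from("<I", img, to_off(tags[DT_HASH]) + 4)
    return {".dynstr": (to_off(tags[DT_STRTAB]), tags[DT_STRSZ]),
            ".dynsym": (to_off(tags[DT_SYMTAB]), nchain * tags[DT_SYMENT])}

def dynamic_symbol_names(img):
    """Symbol names read through the synthesized headers (null symbol 0 skipped)."""
    secs = synthesize_sections(img)
    str_off, (sym_off, sym_sz) = secs[".dynstr"][0], secs[".dynsym"]
    def name_at(o):  # st_name is the first field of a 24-byte Elf64_Sym
        st_name = str_off + struct.unpack_from("<I", img, o)[0]
        return img[st_name:img.index(b"\0", st_name)].decode()
    return [name_at(o) for o in range(sym_off + 24, sym_off + sym_sz, 24)]

def build_sample_image():
    """Constructed ELF64 executable with e_shoff == e_shnum == 0: section headers stripped."""
    dynstr = b"\0puts\0exit\0"                                   # lands at 0xb0
    sym = lambda n: struct.pack("<IBBHQQ", n, 0x12, 0, 0, 0, 0)  # GLOBAL FUNC, undefined
    dynsym = bytes(24) + sym(1) + sym(6)                         # lands at 0xc0, 3 entries
    hsh = struct.pack("<6I", 1, 3, 0, 0, 0, 0)                   # lands at 0x108, nchain = 3
    dynamic = b"".join(struct.pack("<qQ", t, v) for t, v in [    # lands at 0x120
        (DT_HASH, BASE + 0x108), (DT_STRTAB, BASE + 0xb0), (DT_SYMTAB, BASE + 0xc0),
        (DT_STRSZ, len(dynstr)), (DT_SYMENT, 24), (DT_NULL, 0)])
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 0x3e, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    ph = lambda t, off, sz: struct.pack("<IIQQQQQQ", t, 5, off, BASE + off, BASE + off, sz, sz, 8)
    img = ehdr + ph(PT_LOAD, 0, 0x120 + len(dynamic)) + ph(PT_DYNAMIC, 0x120, len(dynamic))
    return img + dynstr + bytes(0xc0 - len(img) - len(dynstr)) + dynsym + hsh + dynamic
```

Running the two recovery functions over a real object with and without its section headers, and comparing against what the section headers claim, is the same comparison the -P option is meant to enable.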

The ability to generate and use section headers derived from the
program headers is clearly useful in a case such as the telnet
worm, where the section headers are completely missing. However,
it can also be valuable in the case where there is reason to suspect
that the section headers have been tampered with to provide misleading
information. By using elfdump with and without the -P option on
such a file and comparing the results, it is possible to detect many
such changes.

In an "arms race" situation such as this, we cannot pretend that
our response is the last word, or that a bad person won't find
another new way to circumvent our ability to analyze their
work. Indeed, some information is only accessible via section
headers, and there is no easy way to recover that. Despite that,
this feature will be a useful tool in such situations.


Supporting Materials
--------------------

Webrev for this change can be viewed within SWAN at:

     http://linkers.central/webrev/6530249/index.html

To show what the -P option can do, I've placed some elfdump output
in the case materials subdirectory:

     [worm.old_elfdump]
     Telnet worm, as reported by the stock elfdump

     [worm.new_elfdump]
     Telnet worm, as reported by the new elfdump

     [elfdump.std]
     Standard elfdump output for the new elfdump binary

     [elfdump.fake]
     -P elfdump output for the new elfdump binary

Those last 2 allow you to compare results on the same file, to see what
is lost in -P mode, and what survives.
---------------------------------------------------------------------------

Release Binding:        Patch/Micro
-P elfdump option:        Committed
