"Revolutionizing ELF binary patching with Shiva: A JIT binary patching..." Ryan "ElfMaster" O'Neill

    number6 (Apr 2019), #1


    Revolutionizing ELF binary patching with Shiva: A JIT binary patching system for Linux.

    Ryan "ElfMaster" O'Neill, CTO @ Arcana Technologies, Principal Security Researcher

    | Demo, Tool | 45 |



    The esoteric art of patching ELF binaries has a long and fascinating history
    whose roots are deep within the hacking subculture; from ELF viruses to kernel
    rootkits. Silvio's 1997 "UNIX Viruses" paper taught us how to insert parasitic
    code into a page aligned text padding region. Many backdooring and hooking
    techniques have been revealed to us over the last 20 years-- perfect for
    hacking and injecting small patches and backdoors, but on their own these
    techniques are limited, clunky and do not support the complexities of
    real-world patching problems in today's industry. Developers often need to fix
    complex bugs that exist within legacy ELF binaries where no source code is
    available or the program cannot be recompiled.

    Let me introduce you to Shiva. Shiva is a JIT binary patching system for ELF: a
    custom ELF interpreter that loads and links ELF relocatable patches at runtime.
    Shiva allows developers to write patches in rich C code to naturally express
    the rewriting of binary code at runtime, in a high level language. ELF binary
    patching solutions over the past two decades have been scarce; some notable
    research: Katana and ERESI come to mind as pioneers in the early examples of
    custom ELF linkers and binary patchers.

    Shiva is a next-level solution that allows developers to quickly write patches
    in C with little to no reversing knowledge. It was born out of 16 years of ELF
    research into virus design, binary patching, and extensive experience with
    writing custom linkers and loaders.

    In this talk we will discuss the foundations of ELF binary patching and its close
    relationship with ELF linkers, loaders and even ELF virus technology. This
    passionate body of research is combined and imbued into Shiva to create a
    highly innovative and powerful product that helps bridge the gap between
    developers and reverse engineers in modern binary patching solutions for
    ELF. A new workflow for maintaining insecure legacy software with modular
    patching capabilities is on the rise!

    Prepare for an in-depth discussion of incredible new ELF hacking techniques and
    extensions: old concepts such as userland-exec() brought back to life, and
    entirely new concepts such as "Linker chaining" to bring multiple dynamic
    linkers into a single process image. We will demonstrate complex patching
    scenarios, function splicing, program transformation, and even the
    weaponization of Shiva for writing sophisticated in-memory backdoors.
    Shiva; the ultimate ELF binary hacker... aiming to solve the world's most
    challenging binary patching problems today.



    Ryan "ElfMaster" O'Neill has been in the security scene since about 1997.
    Ryan is well known for authoring the book "Learning Linux binary analysis" and
    for publishing many papers and technologies in the realm of binary protection,
    memory forensics, exploitation, security mitigations, virus design, kernel
    hacking and reverse engineering techniques. Ryan has been published in many of
    the classic journals such as Phrack, POC||GTFO, tmp.0ut and vxheaven. Much of
    Ryan's independent research has been published over the years on
    https://www.bitlackeys.org, and he has many public technologies available on
    https://github.com/elfmaster. Ryan is also the founder of Arcana Technologies
    https://arcana-technologies.io, a threat detection company based heavily on ELF
    forensics research. Ryan is currently building a new ELF binary patching system
    for Linux to solve the world's hardest challenges in binary patching today.


    @ryan_elfmaster

    Github: https://github.com/elfmaster



    REFERENCES:
    --Papers--
    Grugq - userland execve: https://grugq.github.io/docs/ul_exec.txt
    Mayhem - Cerberus ELF interface: http://phrack.org/issues/61/8.html
    Silvio - UNIX Viruses and parasites: https://vxug.fakedoma.in/archive/VxH...lib/vsc02.html
    James Oakley & Sergey Bratus - Katana: A hot patching framework: https://ieeexplore.ieee.org/document/5438048
    James Oakley & Sergey Bratus - Exploiting the hard working DWARF: https://www.cs.dartmouth.edu/~sergey...ley_bratus.pdf
    Mlaurenzano - PEBIL (An ELF patching framework) - https://github.com/mlaurenzano/PEBIL
    sd & devik - Linux on-the-fly kernel patching without LKM: phrack.org/issues/58/7.html
    jbtzhm - static kernel patching - https://phrack.org/issues/60/8.html
    Elfmaster - Modern ELF infection techniques of SCOP binaries (POC||GTFO: 20:07)
    Elfmaster - Preloading the linker for fun and profit: https://tmpout.sh/2/6.html (This paper presents the nucleus of Shiva)
    Mayhem - IA32 Advanced function hooking: http://phrack.org/issues/58/8.html
    Richinseattle - Hooking the ELF loader: http://phrack.org/issues/58/8.html
    Silvio - Shared library call redirection via PLT infection: http://phrack.org/issues/56/7.html
    Elfmaster - Kernel instrumentation using kprobes: http://phrack.org/issues/56/7.html
    Mayhem - Next generation ELF debuggers: https://www.blackhat.com/presentatio...ersi-apr19.pdf

    --A note on the illustrious tmp.0ut zine: https://tmpout.sh

    The crew at tmp.0ut are a tightly formed group of ELF hackers and reversing
    enthusiasts who are continuing to research and publish awesome ELF research on
    a regular basis. I highly recommend their content, and am grateful for their
    many new contributions keeping the spirit of ELF hacking alive. Translated
    into nine different languages currently.

    --Source code--

    https://github.com/torvalds/linux/bl...s/binfmt_elf.c (Source for Linux ELF loader)
    https://www.gnu.org/software/binutils (Source for ELF /bin/ld)
    https://sourceware.org/git/glibc.git (Source code for ld-linux.so)
    https://github.com/elfmaster (My own ELF hacking related research)
    https://github.com/elfmaster/linker_preloading_virus (My first custom ELF interpreter)
    https://musl.libc.org/
    https://github.com/bminor/binutils-gdb <- These GDB guys really don't get enough credit.

    --Books--

    Understanding the Linux kernel (Great book on kernel internals)
    Learning Linux binary analysis (elfmaster)
    Advanced programming in the UNIX environment (Richard Stevenson)
    Turbo C (Old book from the 80s I learned C from)
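The abstract above describes Shiva as a custom ELF interpreter, i.e. a program named in a binary's PT_INTERP segment that the kernel's binfmt_elf loader hands control to instead of the stock ld-linux.so. The following is an added example (not Shiva's code, nor anything from the talk or the poster): a small Python parser that walks an ELF file's program header table, extracts PT_INTERP for both 32- and 64-bit images, and flags an interpreter that is not on an assumed allow-list, which is the kind of check a defender or forensic analyst would run across a host. The ELF images it inspects are constructed inline with struct.pack, and the allow-list paths and the custom interpreter path are assumptions made for this example only.

```python
"""ELF program-header parser: report which ELF interpreter (PT_INTERP) the
kernel would hand a binary to, and whether it is a stock one.
Added example; the sample ELF images below are constructed, not real files."""
import struct

PT_LOAD, PT_INTERP = 1, 3
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB = 1

# Assumed allow-list for this example; a real deployment would derive it
# from the distribution's package manifests.
KNOWN_INTERPS = {
    "/lib64/ld-linux-x86-64.so.2",
    "/lib/ld-linux.so.2",
    "/lib/ld-linux-aarch64.so.1",
    "/lib/ld-musl-x86_64.so.1",
}


def _formats(ident):
    """Pick struct layouts for the file's class (32/64-bit) and byte order."""
    if ident[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if ident[5] == ELFDATA2LSB else ">"
    if ident[4] == ELFCLASS64:
        ehdr = endian + "16sHHIQQQIHHHHHH"   # Elf64_Ehdr, 64 bytes
        phdr = endian + "IIQQQQQQ"           # Elf64_Phdr, 56 bytes
        order = ("type", "flags", "offset", "vaddr", "paddr", "filesz", "memsz", "align")
    elif ident[4] == ELFCLASS32:
        ehdr = endian + "16sHHIIIIIHHHHHH"   # Elf32_Ehdr, 52 bytes
        phdr = endian + "IIIIIIII"           # Elf32_Phdr, 32 bytes; p_flags comes late
        order = ("type", "offset", "vaddr", "paddr", "filesz", "memsz", "flags", "align")
    else:
        raise ValueError("unknown ELF class")
    return ehdr, phdr, order


def program_headers(data):
    """Return the program header table as a list of dicts."""
    ehdr_fmt, phdr_fmt, order = _formats(data[:16])
    fields = struct.unpack_from(ehdr_fmt, data, 0)
    # fields: 0 ident, 1 type, 2 machine, 3 version, 4 entry, 5 phoff,
    #         6 shoff, 7 flags, 8 ehsize, 9 phentsize, 10 phnum, ...
    e_phoff, e_phentsize, e_phnum = fields[5], fields[9], fields[10]
    if e_phentsize != struct.calcsize(phdr_fmt):
        raise ValueError("unexpected e_phentsize")
    return [dict(zip(order, struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)))
            for i in range(e_phnum)]


def find_interp(data):
    """Return the PT_INTERP path (the dynamic linker the kernel will exec),
    or None for a static binary."""
    for ph in program_headers(data):
        if ph["type"] == PT_INTERP:
            raw = data[ph["offset"]:ph["offset"] + ph["filesz"]]
            return raw.split(b"\x00", 1)[0].decode()
    return None


def classify_interp(data):
    """'static', 'standard', or 'non-standard' (a custom interpreter that
    deserves a closer look on a production host)."""
    interp = find_interp(data)
    if interp is None:
        return "static"
    return "standard" if interp in KNOWN_INTERPS else "non-standard"


def build_sample(interp, elf64=True):
    """Construct a tiny, non-runnable ELF image with one PT_LOAD and, when
    interp is given, a PT_INTERP segment. Test data for this example only."""
    interp_bytes = b"" if interp is None else interp.encode() + b"\x00"
    phnum = 1 if interp is None else 2
    if elf64:
        ident = b"\x7fELF" + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\x00" * 8
        ehdr_fmt, phdr_fmt, base, machine = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", 0x400000, 62

        def phdr(ptype, off, size, flags, align):
            return struct.pack(phdr_fmt, ptype, flags, off, base + off, base + off, size, size, align)
    else:
        ident = b"\x7fELF" + bytes([ELFCLASS32, ELFDATA2LSB, 1, 0]) + b"\x00" * 8
        ehdr_fmt, phdr_fmt, base, machine = "<16sHHIIIIIHHHHHH", "<IIIIIIII", 0x8048000, 3

        def phdr(ptype, off, size, flags, align):
            return struct.pack(phdr_fmt, ptype, off, base + off, base + off, size, size, flags, align)
    ehdr_size, phdr_size = struct.calcsize(ehdr_fmt), struct.calcsize(phdr_fmt)
    interp_off = ehdr_size + phnum * phdr_size
    total = interp_off + len(interp_bytes)
    # e_type=ET_EXEC, e_version=1, e_phoff right after the header, no sections
    ehdr = struct.pack(ehdr_fmt, ident, 2, machine, 1, base + 0x1000, ehdr_size, 0, 0,
                       ehdr_size, phdr_size, phnum, 0, 0, 0)
    segments = phdr(PT_LOAD, 0, total, 5, 0x1000)
    if interp is not None:
        segments += phdr(PT_INTERP, interp_off, len(interp_bytes), 4, 1)
    return ehdr + segments + interp_bytes


if __name__ == "__main__":
    for label, image in [("stock glibc", build_sample("/lib64/ld-linux-x86-64.so.2")),
                         ("custom loader", build_sample("/opt/placeholder/custom-interp", elf64=False)),
                         ("static", build_sample(None))]:
        print(f"{label:14s} interp={find_interp(image)!r:40s} -> {classify_interp(image)}")
```

The same parser works on a real file via `classify_interp(open(path, "rb").read())`; the point of the allow-list check is that a binary whose interpreter is not the system's dynamic linker is exactly the case Shiva's design relies on, so it is a cheap, high-signal thing to inventory.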