SIMD-0189

SBPF stricter ELF headers

Author: Alexander Meißner · Category: Core Protocol

Feature Gate Status

Mainnet: Inactive
Testnet: Inactive
Devnet: Inactive

Feature gate ID: GJav1vwg2etvSWraPT96QvYuQJswJTJwtcyARrvkhuV9

TL;DR

Imposes more restrictions on what is expected of ELF headers.

Summary

Imposes more restrictions on what is expected of ELF headers.

Motivation

After the removal of relocations in SIMD-0178, the ELF layout can be massively simplified by constraining it to a strict subset of what ELF otherwise allows. Doing so not only reduces the complexity of validator implementations but also reduces the attack surface.

Key Changes

  • e_ident.ei_mag must be [0x7F, 0x45, 0x4C, 0x46]
  • e_ident.ei_class must be ELFCLASS64 (0x02)
  • e_ident.ei_data must be ELFDATA2LSB (0x01)
  • e_ident.ei_version must be EV_CURRENT (0x01)
  • e_ident.ei_osabi must be ELFOSABI_NONE (0x00)
  • e_ident.ei_abiversion must be 0x00
  • e_ident.ei_pad must be [0x00; 7]
  • e_type is not checked
  • e_machine must be EM_BPF (0x00F7)
  • e_version must be EV_CURRENT (0x00000001)
  • e_entry must be within the bounds of the second program header
  • e_phoff must be size_of::<Elf64Ehdr>() (64 bytes)
  • e_shoff is not checked
  • e_flags see SIMD-0161
  • e_ehsize must be size_of::<Elf64Ehdr>() (64 bytes)
  • e_phnum must be greater than or equal to 0x0001
  • e_phoff + e_phnum * size_of::<Elf64Phdr>() must be less than or equal to the file size
  • e_phentsize must be size_of::<Elf64Phdr>() (56 bytes)
  • e_shnum is not checked
  • e_shentsize is not checked
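As an added example (not part of this SIMD and not the sbpf crate's loader), the following stand-alone Rust checker applies the rules above to a whole file image and returns the validated e_entry, together with a constructed two-segment image to exercise it. Assumptions made here: the "bounds of the second program header" are taken as its virtual range [p_vaddr, p_vaddr + p_memsz), e_flags is left to SIMD-0161 and not checked, and field offsets are those of the standard ELF64 layout (size_of::<Elf64Ehdr>() = 64, size_of::<Elf64Phdr>() = 56).

```rust
// Added illustration of the SIMD-0189 header rules, written against std only; it is
// not the sbpf crate's loader. Offsets follow the standard ELF64 layout.
const EHSIZE: usize = 64; // size_of::<Elf64Ehdr>()
const PHSIZE: usize = 56; // size_of::<Elf64Phdr>()
const EM_BPF: u16 = 0x00F7;
const ELF_MAG: [u8; 4] = [0x7F, 0x45, 0x4C, 0x46];

fn u16_at(b: &[u8], o: usize) -> u16 { u16::from_le_bytes([b[o], b[o + 1]]) }
fn u32_at(b: &[u8], o: usize) -> u32 { u32::from_le_bytes([b[o], b[o + 1], b[o + 2], b[o + 3]]) }
fn u64_at(b: &[u8], o: usize) -> u64 {
    let mut a = [0u8; 8];
    a.copy_from_slice(&b[o..o + 8]);
    u64::from_le_bytes(a)
}

/// Reject unless `got == want`, naming the offending field in the error.
fn expect<T: PartialEq + std::fmt::Debug>(field: &str, got: T, want: T) -> Result<(), String> {
    if got == want { Ok(()) } else { Err(format!("{}: got {:?}, want {:?}", field, got, want)) }
}

/// Apply the SIMD-0189 header rules to a whole file image; returns the validated e_entry.
pub fn check_elf_header(file: &[u8]) -> Result<u64, String> {
    if file.len() < EHSIZE { return Err("file shorter than an ELF header".to_string()); }
    let id = &file[..16];
    expect("e_ident.ei_mag", &id[0..4], &ELF_MAG[..])?;
    expect("e_ident.ei_class", id[4], 0x02)?;   // ELFCLASS64
    expect("e_ident.ei_data", id[5], 0x01)?;    // ELFDATA2LSB
    expect("e_ident.ei_version", id[6], 0x01)?; // EV_CURRENT
    expect("e_ident.ei_osabi", id[7], 0x00)?;   // ELFOSABI_NONE
    expect("e_ident.ei_abiversion", id[8], 0x00)?;
    expect("e_ident.ei_pad", &id[9..16], &[0u8; 7][..])?;
    // e_type (offset 16) is deliberately not checked.
    expect("e_machine", u16_at(file, 18), EM_BPF)?;
    expect("e_version", u32_at(file, 20), 0x0000_0001)?;
    let e_entry = u64_at(file, 24);
    let e_phoff = u64_at(file, 32);
    expect("e_phoff", e_phoff, EHSIZE as u64)?;
    // e_shoff (40) is not checked; e_flags (48) is governed by SIMD-0161, not this example.
    expect("e_ehsize", u16_at(file, 52), EHSIZE as u16)?;
    expect("e_phentsize", u16_at(file, 54), PHSIZE as u16)?;
    let e_phnum = u16_at(file, 56);
    if e_phnum < 1 { return Err("e_phnum: want at least 1".to_string()); }
    // e_shentsize (58), e_shnum (60) and e_shstrndx (62) are not checked.
    // The program header table must end inside the file; checked arithmetic keeps a
    // large e_phnum from wrapping the bound.
    let table_end = (e_phnum as u64)
        .checked_mul(PHSIZE as u64)
        .and_then(|n| n.checked_add(e_phoff))
        .ok_or("program header table size overflows")?;
    if table_end > file.len() as u64 {
        return Err(format!("program header table ends at {} but file is {} bytes", table_end, file.len()));
    }

    // e_entry must lie within the second program header. Assumption of this example:
    // "bounds" is the virtual range [p_vaddr, p_vaddr + p_memsz) of program header #1.
    if e_phnum < 2 { return Err("e_entry: no second program header to bound it".to_string()); }
    let ph2 = e_phoff as usize + PHSIZE;
    let p_vaddr = u64_at(file, ph2 + 16);
    let p_memsz = u64_at(file, ph2 + 40);
    let end = p_vaddr.checked_add(p_memsz).ok_or("second program header range overflows")?;
    if e_entry < p_vaddr || e_entry >= end {
        return Err(format!("e_entry {:#x} outside second program header [{:#x}, {:#x})", e_entry, p_vaddr, end));
    }
    Ok(e_entry)
}

/// Constructed two-segment image (header plus two PT_LOAD headers, no section
/// headers) with the given e_entry; demo input only, not a real program.
pub fn sample_image(e_entry: u64) -> Vec<u8> {
    let mut f: Vec<u8> = ELF_MAG.to_vec();
    f.extend_from_slice(&[0x02, 0x01, 0x01, 0x00, 0x00, 0, 0, 0, 0, 0, 0, 0]); // class..abiversion, ei_pad
    f.extend_from_slice(&2u16.to_le_bytes());    // e_type = ET_EXEC (ignored)
    f.extend_from_slice(&EM_BPF.to_le_bytes());  // e_machine
    f.extend_from_slice(&1u32.to_le_bytes());    // e_version
    f.extend_from_slice(&e_entry.to_le_bytes()); // e_entry
    f.extend_from_slice(&64u64.to_le_bytes());   // e_phoff
    f.extend_from_slice(&0u64.to_le_bytes());    // e_shoff (ignored)
    f.extend_from_slice(&0u32.to_le_bytes());    // e_flags (see SIMD-0161)
    f.extend_from_slice(&[64, 0, 56, 0, 2, 0]);  // e_ehsize = 64, e_phentsize = 56, e_phnum = 2
    f.extend_from_slice(&[0u8; 6]);              // e_shentsize, e_shnum, e_shstrndx (ignored)
    // Segments (p_vaddr, p_memsz): #0 = (0x0, 0x100), #1 = (0x1000, 0x200).
    for &(vaddr, memsz) in [(0u64, 0x100u64), (0x1000, 0x200)].iter() {
        f.extend_from_slice(&1u32.to_le_bytes());  // p_type = PT_LOAD
        f.extend_from_slice(&5u32.to_le_bytes());  // p_flags = PF_R | PF_X
        f.extend_from_slice(&0u64.to_le_bytes());  // p_offset
        f.extend_from_slice(&vaddr.to_le_bytes()); // p_vaddr
        f.extend_from_slice(&vaddr.to_le_bytes()); // p_paddr
        f.extend_from_slice(&memsz.to_le_bytes()); // p_filesz
        f.extend_from_slice(&memsz.to_le_bytes()); // p_memsz
        f.extend_from_slice(&8u64.to_le_bytes());  // p_align
    }
    f
}

fn main() {
    for &entry in [0x1010u64, 0x2000u64].iter() {
        println!("e_entry {:#x}: {:?}", entry, check_elf_header(&sample_image(entry)));
    }
}
```

The two overflow-checked computations are the part worth copying: both the table-end bound and the segment end are sums of attacker-controlled 64-bit fields, and a wrapped addition would silently pass a header whose table or entry point lies past the end of the file.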

Impact

The toolchain linker will use a new linker script that adheres to the restrictions defined here, so the change will be transparent to dApp developers. Section headers are ignored, so arbitrary metadata can continue to be encoded there.

Security Considerations

None.