LLMpediaThe first transparent, open encyclopedia generated by LLMs

ELF

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Article Genealogy
Parent: Autotools Hop 5
Expansion Funnel Raw 78 → Dedup 0 → NER 0 → Enqueued 0
1. Extracted78
2. After dedup0 (None)
3. After NER0 ()
4. Enqueued0 ()
ELF
NameELF
Extension.elf, .o, .so, .exe
Released1999 (System V ABI revision); original design 1989
DeveloperUNIX System V, Intel Corporation, Linux kernel
TypeExecutable and linkable format
Container forobject code, shared libraries, core dumps

ELF

Executable and Linkable Format (ELF) is a common file format for executables, object code, shared libraries, and core dumps used across many Unix-like and proprietary systems. ELF provides a flexible, extensible binary layout employed by implementations for Linux kernel, FreeBSD, NetBSD, OpenBSD, Solaris, AIX, and embedded toolchains from GNU Project, Intel Corporation, and ARM Limited. The format's modularity supports linking, dynamic loading, and debugging facilities integrated with toolchains such as GNU Binutils, GCC, LLVM, and debuggers like GDB.

Overview

ELF defines structures for headers, sections, segments, symbol tables, and relocations that let linkers and loaders coordinate code and data placement. Implementations in Linux kernel, GNU C Library, musl libc, NetBSD libc, and FreeBSD libc parse ELF headers to perform program loading, relocation, and dynamic linking with runtime linkers such as ld.so and ld-linux.so.2. Toolchains including GNU Make, Autotools, CMake (software), and Bazel (software) produce ELF object files and shared objects consumed by linkers like GNU ld, gold, and LLVM lld. Debug information embedded in ELF uses formats specified by DWARF, enabling debuggers like GDB and LLDB to present symbols, stack frames, and source mappings.

History and Development

ELF originated during efforts to standardize object formats for System V releases and to supersede older formats such as a.out and COFF used by UNIX System V, SunOS, and HP-UX. Early adoption across projects like Linux kernel accelerated after toolchains from the GNU Project integrated ELF support. The format evolved through revisions formalized by the System V ABI and later extended by processor vendors including Intel Corporation, AMD, ARM Limited, MIPS Technologies, PowerPC, and RISC-V International to support multiple architectures. Operating systems such as Solaris and AIX adapted ELF variants or compatible extensions, while embedded ecosystems around uClibc and Newlib used trimmed ELF subsets for constrained devices. Standardization efforts intersected with projects like IEEE and vendor documentation to address cross-platform compatibility, leading to wide adoption in modern compilers, linkers, and loaders.

File Format Specification

An ELF file begins with an ELF header specifying class (32-bit or 64-bit), endianness, and target architecture fields defined for processors such as x86-64, ARMv7, ARM64, MIPS, PowerPC, and RISC-V. The header points to program headers for runtime mapping and section headers for linking and debugging. Key sections include .text, .data, .bss, .rodata, .symtab, .dynsym, .rel*, .rela*, and .debug_* which interact with symbol resolution and relocation types defined by architecture manuals from Intel Corporation, ARM Limited, and MIPS Technologies. Dynamic linking metadata uses tables like DT_NEEDED, DT_SONAME, DT_RPATH parsed by runtime linkers such as ld.so and ld-linux.so.2. ELF supports program interpreter specification to invoke loaders used by GNU C Library and alternatives like musl libc. Extension mechanisms include program header types for stack executability, GNU-specific attributes for TLS and stack protection used by PaX and SELinux-aware loaders.

Use Cases and Implementations

ELF is used for executables on distributions such as Debian, Fedora, Ubuntu, Arch Linux, and CentOS, and in commercial systems like Oracle Solaris and HP-UX variants that adopted ELF-like formats. Shared libraries (.so) enable dynamic linking for applications built with GCC or Clang and for runtimes like Java Virtual Machine, Mono (software), and Python extensions. Embedded toolchains from ARM Limited and RISC-V International produce ELF firmware and bootloaders consumed by bootloaders like GRUB and U-Boot. Core dumps in ELF facilitate post-mortem analysis with GDB, crash reporters like Google Breakpad, and observability tools used in Kubernetes clusters and systemd-managed systems.

Tools and Ecosystem

A rich ecosystem surrounds ELF: binary utilities from GNU Binutils (ar, as, objdump, nm, readelf), linkers such as GNU ld, gold, LLVM lld, and analysis tools like Valgrind, strace, and ltrace. Build systems including GNU Make, CMake (software), Meson (software), and continuous integration services integrate ELF-producing toolchains. Packaging systems like dpkg, rpm, and snap distribute ELF binaries for distributions including Debian and Red Hat Enterprise Linux. Debugging and introspection leverage GDB, LLDB, perf, and profiling suites from Intel Corporation and AMD.

Security and Vulnerabilities

ELF has been central to many vulnerability classes addressed by mitigations developed by projects like PaX, SELinux, and AppArmor. Common attack vectors include crafted ELF loaders, symbol hijacking via DT_RPATH/DT_RUNPATH, and relocation-based exploits against executables on architectures including x86-64 and ARM64. Hardening features—Position Independent Executables (PIE), RELRO, Stack Canary support from GCC, and ASLR implemented in Linux kernel—reduce exploitability. Incident response and reverse engineering employ tools such as radare2, Ghidra, and IDA Pro to analyze malicious or corrupted ELF artifacts. Security advisories from distributions like Debian and Red Hat track ELF-related vulnerabilities and coordinate mitigations across ecosystems.

Category:Executable file formats