Binary analysis to verify ELF relocation code

[jethrogb]

The SGX binary may be loaded at any address. This means that e.g. pointers contained in global variables can't be completely determined at compile-time. At compile-time, you only know the offset w.r.t. the location of the field itself. Therefore, when the binary is loaded, it needs to be relocated. For this purpose, the ELF binary contains a relocation table. You can see this with e.g. readelf -r. On Linux, the dynamic loader (ld.so) normally does the relocation.

In SGX, we need to do this ourselves on first entry. So there's some Rust code that does this in the SGX port of std. However, this Rust code must not itself require any relocations, because it runs before those are done.

This enhancement is to build a static binary analysis tools that verifies no relocations are required from the SGX entry point until the relocation is done.

[jethrogb]

Possibly angr.io may be used?

[jethrogb]

Here's an example of a piece of code that may occur (e.g. in tcs_init) if the linker didn't properly elide the relocations:

48 8b 0d 78 69 04 00    mov    0x46978(%rip),%rcx        # d7170 <_DYNAMIC+0x178>

With the following relocation:

00000000000d7170 R_X86_64_RELATIVE  *ABS*+0x000000000003a0b8

What it should've been:

48 8d 0d 00 92 07 00    lea    0x79200(%rip),%rcx        # 9fc38 <RELACOUNT>