Linkers and Loaders

When the assembler completes its work, it produces an object file—a structured container holding machine code, data, metadata, and instructions for the linker. Object files are the lingua franca of compiled programming: they provide a standardized format that allows code compiled from different languages, by different compilers, at different times, to be combined into a single executable.

Understanding object file internals is not merely academic curiosity. This knowledge is essential for:

• Debugging — Tools like gdb, objdump, and readelf expose object file structures
• Performance analysis — Understanding sections reveals memory layout
• Security — Malware analysis and binary hardening depend on object file knowledge
• System programming — Writing linkers, loaders, and operating systems
• Interoperability — Linking libraries from different languages

Different operating systems use different object file formats, though the core concepts are remarkably similar. The three dominant formats are:

ELF (Executable and Linkable Format)

• Used by Linux, BSD, Solaris, and most Unix systems
• Standardized by the System V ABI
• Used for object files, shared libraries, and executables
• Highly flexible with extensible section types

COFF (Common Object File Format)

• Originally designed for Unix System V
• Extended for Windows as PE/COFF (Portable Executable)
• Used for .obj, .exe, and .dll files on Windows
• Simpler structure than ELF

Mach-O (Mach Object)

• Used by macOS, iOS, watchOS, and tvOS
• Descended from Mach kernel object format
• Used for .o, executables, and .dylib (dynamic libraries)
• Supports universal (fat) binaries containing multiple architectures

Why ELF matters most:

We'll focus primarily on ELF because:

1. It's the most widely used format in OS development and systems programming
2. It's extensively documented and well-understood
3. Its concepts translate directly to other formats
4. Linux, the dominant server OS, uses ELF exclusively

The principles we explore apply universally—COFF and Mach-O have analogous structures with different terminology.

An ELF file consists of several distinct parts organized hierarchically:

1. ELF Header — File identification and metadata at the very beginning
2. Program Header Table — Describes segments for execution (optional in object files)
3. Sections — The actual content: code, data, symbols, relocations
4. Section Header Table — Describes each section's properties and location

The key insight is that ELF provides two views of the same file:

• Linking view (Section Header Table): Used by the linker to combine object files
• Execution view (Program Header Table): Used by the loader to create a process

Key fields in the ELF header:

• Magic number (0x7f ELF): Identifies the file as ELF
• Class: ELF32 or ELF64 (32-bit or 64-bit addresses)
• Data encoding: Little or big endian
• Type: REL (relocatable), EXEC (executable), DYN (shared object)
• Machine: Target architecture (x86-64, ARM, RISC-V, etc.)
• Entry point: Starting address for executables (0 for object files)
• Section header table offset: Where to find section descriptions

ELF files are divided into sections—contiguous chunks of data with specific purposes. Understanding the standard sections is essential for comprehending program memory layout.

Text Section (.text)

The .text section contains executable machine code—the actual instructions the CPU will execute. Key characteristics:

• Read-only and executable permissions
• Contains compiled functions
• May be shared across multiple process instances (memory efficiency)
• Protected from modification at runtime (security)

Data Section (.data)

The .data section contains initialized global and static variables. These are variables with explicit initial values that persist for the program's lifetime.

BSS Section (.bss)

The .bss section (Block Started by Symbol) contains uninitialized global and static variables. The key insight: .bss doesn't store the actual zeros—it just records how many bytes are needed. This saves file space.

BSS optimization: A file with 1MB of uninitialized globals doesn't need 1MB of zeros in the object file. The .bss section header simply says "reserve 1MB at runtime."

Read-Only Data Section (.rodata)

The .rodata section contains constant data that should never be modified:

• String literals
• Constant global variables (const)
• Jump tables for switch statements
• Floating-point constants

Placing data in .rodata enables the memory to be mapped read-only, catching accidental writes and enabling sharing.

The symbol table is arguably the most important metadata structure in an object file. It's the registry of all named entities—functions, global variables, constants—that either:

1. Define something (provide an implementation/storage)
2. Reference something (use something defined elsewhere)

Symbol tables enable separate compilation: each source file is compiled independently, and the linker uses symbol tables to connect references to definitions across files.

Symbol Binding

Binding determines visibility and linkage behavior:

• LOCAL: Visible only within this object file (like static in C)
• GLOBAL: Visible to all object files; only one definition allowed
• WEAK: Like global, but can be overridden by a global definition

Weak symbols are powerful for providing default implementations that users can override:

String Tables

Symbol names aren't stored in the symbol table entries directly. Instead, st_name is an offset into a string table (.strtab). The string table is simply a sequence of null-terminated strings. This design:

• Allows variable-length names without fixed entry sizes
• Enables string sharing (duplicate names use same offset)
• Separates fixed-size structures from variable-size data

Relocation entries are the linker's instructions for fixing addresses. When code references a symbol whose address isn't yet known—an external function, a global variable, or even code in the same file at an undetermined location—the assembler generates a relocation entry.

Each relocation entry tells the linker:

1. Where: The location in the code that needs patching
2. What: Which symbol is being referenced
3. How: The calculation to compute the final address

Relocation Types

The relocation type specifies how to compute the final address. Different types exist because:

• Absolute vs. PC-relative: Direct address or offset from current position
• Size differences: 32-bit or 64-bit values
• Dynamic linking needs: PLT/GOT for position-independent code

PC-relative relocations are crucial for position-independent code (PIC). Instead of storing absolute addresses, code uses offsets from the current instruction pointer. This allows code to work regardless of where it's loaded in memory.

How the Linker Applies Relocations

When the linker processes relocations:

1. Assign final addresses: Determine where each section will be loaded
2. Resolve symbols: Look up the final address of each referenced symbol
3. Calculate values: Apply the relocation formula (varies by type)
4. Patch the code: Write the computed value to the specified offset

For a PC-relative relocation (R_X86_64_PC32):

final_value = symbol_address + addend - relocation_offset

This gives the distance from the current instruction to the target—exactly what a relative jump or call needs.

Beyond the core sections, object files contain numerous auxiliary sections for debugging, exception handling, and other purposes:

Debug Sections (DWARF Format)

When compiled with -g, the compiler generates DWARF debugging information in sections like:

• .debug_info: Type information, variable locations
• .debug_line: Source line to address mapping
• .debug_abbrev: Abbreviations for compact encoding
• .debug_str: Debug string table
• .debug_frame: Call frame information for stack unwinding

Exception Handling Sections

For languages with exception support (C++, Rust), special sections enable stack unwinding:

• .eh_frame: Exception handling frame information (runtime unwinding)
• .eh_frame_hdr: Lookup table for .eh_frame
• .gcc_except_table: Language-specific exception tables

Other Important Sections

• .note.GNU-stack: Indicates whether the stack should be executable (security)
• .comment: Compiler version string
• .init_array/.fini_array: Constructor/destructor function pointers
• .got/.plt: Global Offset Table and Procedure Linkage Table (dynamic linking)

Mastering object file analysis tools is essential for systems programming, debugging, and security research. Here's your toolkit:

readelf (ELF-specific)

The Swiss Army knife for ELF files. Platform-specific but comprehensive:

objdump (Cross-platform)

Disassembler and object file dumper. Works with various formats:

nm (Symbol lister)

Compact symbol table viewer:

Object files are the critical intermediaries between compilation and execution. Their structured format enables the modular compilation and linking model that makes large software development practical.

What's next:

With a solid understanding of object files, we're ready to explore linking—the process that combines multiple object files into a single executable. The next page covers static and dynamic linking in detail, explaining how symbols are resolved and how shared libraries work.