sqlelf: a SQL-centric Approach to ELF Analysis
Farid Zakaria, Zheyuan Chen, Andrew Quinn, Thomas R. W. Scogland
TL;DR
sqlelf introduces a SQL-centric framework for ELF analysis by modeling ELF metadata as a relational database via SQLite, enabling cross-object queries and richer system-wide insights. The authors present a relational data model, implement it through SQLite virtual tables, and demonstrate its utility across four case studies (auditwheel, dynamic linking, symbol interposition, and aggregate analysis) along with performance benchmarks. The work argues that declarative SQL queries simplify complex analyses that traditional ELF tools handle only with ad-hoc scripting, and shows practical benefits in system administration and software-dependency management. By memoizing data into SQLite databases and leveraging existing visualization tools, sqlelf enables scalable, interactive exploration of large software ecosystems on Linux.
Abstract
The exploration and understanding of Executable and Linkable Format (ELF) objects underpin various critical activities in computer systems, from debugging to reverse engineering. Traditional UNIX tooling like readelf, nm, and objdump has served the community reliably over the years. However, as the complexity and scale of software projects have grown, there arises a need for more intuitive, flexible, and powerful methods to investigate ELF objects. In this paper, we introduce sqlelf, an innovative tool that empowers users to probe ELF objects through the expressive power of SQL. By modeling ELF objects as relational databases, sqlelf offers the following advantages over conventional methods. Our evaluations demonstrate that sqlelf not only provides more nuanced and comprehensive insights into ELF objects but also significantly reduces the effort and time traditionally required for ELF exploration tasks.
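To make the symbol interposition case study named in the TL;DR concrete, the following added example (not code from the paper or from sqlelf) loads constructed symbol rows into SQLite and uses one declarative query to report which object's definition of a symbol wins and which definitions it shadows. The `symbols` table, its columns, and the precomputed `load_order` column are assumptions for illustration, not sqlelf's schema.

```python
import sqlite3

# Constructed sample rows: (object path, load order, symbol, defined, binding).
# Hypothetical schema for illustration; not sqlelf's actual table layout.
# load_order stands in for the dynamic linker's symbol search order.
SAMPLE_ROWS = [
    ("/usr/bin/app", 0, "main", 1, "GLOBAL"),
    ("/usr/bin/app", 0, "malloc", 0, "GLOBAL"),          # undefined import
    ("/usr/bin/app", 0, "EVP_DigestInit", 0, "GLOBAL"),  # undefined import
    ("/opt/vendor/libshim.so", 1, "malloc", 1, "GLOBAL"),
    ("/opt/vendor/libshim.so", 1, "free", 1, "GLOBAL"),
    ("/opt/vendor/libshim.so", 1, "helper", 1, "LOCAL"),
    ("/lib/libcrypto.so.3", 2, "EVP_DigestInit", 1, "GLOBAL"),
    ("/lib/libc.so.6", 3, "malloc", 1, "GLOBAL"),
    ("/lib/libc.so.6", 3, "free", 1, "GLOBAL"),
    ("/lib/libc.so.6", 3, "helper", 1, "LOCAL"),
]

# Cross-object query: for every exported symbol defined by more than one
# object, pair the earliest definition (the one lookups bind to) with each
# later definition it shadows. LOCAL symbols never take part in interposition.
QUERY = """
WITH exported AS (
    SELECT name, path, load_order FROM symbols
    WHERE defined = 1 AND binding IN ('GLOBAL', 'WEAK')
)
SELECT w.name, w.path AS winner, s.path AS shadowed
FROM exported AS w
JOIN exported AS s ON s.name = w.name AND s.load_order > w.load_order
WHERE w.load_order = (SELECT MIN(load_order) FROM exported AS x
                      WHERE x.name = w.name)
ORDER BY w.name, s.load_order
"""

def find_interposed(rows):
    """Return (symbol, winning object, shadowed object) tuples."""
    con = sqlite3.connect(":memory:")
    try:
        con.execute("CREATE TABLE symbols (path TEXT, load_order INTEGER, "
                    "name TEXT, defined INTEGER, binding TEXT)")
        con.executemany("INSERT INTO symbols VALUES (?, ?, ?, ?, ?)", rows)
        return con.execute(QUERY).fetchall()
    finally:
        con.close()

if __name__ == "__main__":
    for name, winner, shadowed in find_interposed(SAMPLE_ROWS):
        print(f"{name}: {winner} interposes {shadowed}")
```

An allocator or crypto routine resolving to an unexpected object is the kind of finding this query surfaces for review across a whole process image rather than one file at a time.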
