Chapter 23 Quiz: Linking, Loading, and ELF


Question 1

What does the .bss section contain?

A) Binary Segment Storage — raw binary data for the program
B) The program's code (machine instructions)
C) Uninitialized global and static variables; it has a size but no bytes in the file
D) Symbol names and their addresses


Question 2

What is the ELF magic number that appears at the start of every ELF file?

A) \x00ELF followed by architecture bytes
B) \x7fELF followed by class, data encoding, and version bytes
C) MZ (same as Windows PE files)
D) #! (shebang) followed by the interpreter path


Question 3

What is the difference between an ELF section and an ELF segment?

A) Sections contain code; segments contain data
B) Sections are for the linker (organize content by type); segments (program headers) are for the loader (describe memory mappings)
C) Sections are in relocatable objects; segments are in shared libraries
D) Sections are 32-bit; segments are 64-bit


Question 4

A relocation of type R_X86_64_PC32 has formula S + A - P. What do S, A, and P represent?

A) S = symbol size, A = alignment, P = program counter
B) S = symbol address, A = addend (from relocation entry), P = position of the relocation in the output (program counter at that point)
C) S = section offset, A = address, P = page offset
D) S = stack pointer, A = accumulator, P = program base


Question 5

When the linker encounters a GLOBAL symbol defined in two different object files, it:

A) Uses the symbol from the first object file listed on the command line
B) Reports an error: "multiple definition of 'symbol'"
C) Uses the symbol with the larger st_size
D) Creates a merged symbol combining both definitions


Question 6

Why does compiling a shared library require -fPIC?

A) PIC enables faster function calls through the PLT
B) PIC ensures the library can be loaded at any virtual address by using RIP-relative addressing instead of absolute addresses
C) PIC adds the required ELF program headers for dynamic linking
D) PIC reduces the binary size by removing debug information


Question 7

In the ELF symbol table, what does Ndx = UND (or SHN_UNDEF) mean?

A) The symbol is undefined — it references something in another object file or library
B) The symbol is undefined because it was declared but never used
C) The symbol has been stripped from the binary
D) The symbol is a weak reference that may or may not be resolved


Question 8

What is the purpose of the PT_INTERP program header segment?

A) It contains the program's interpreter bytecode (for scripting languages)
B) It specifies the path to the dynamic linker (e.g., /lib64/ld-linux-x86-64.so.2) which the kernel will use to load and link the program
C) It marks the entry point address for the program
D) It contains the environment variables passed to the program at startup


Question 9

In a linker script, what does . = 0x400000; do?

A) Declares a symbol named "." with value 0x400000
B) Sets the current location counter to 0x400000, meaning subsequent sections will be placed starting at this virtual address
C) Allocates 0x400000 bytes of zeroed memory
D) Sets the maximum virtual address for the program


Question 10

Why does archive (.a) linking order matter on the command line?

A) Archives are searched right-to-left; the last library satisfies earlier undefined symbols
B) Archives are searched left-to-right, once; if an undefined symbol is created after the library was scanned, it will not be resolved
C) All symbols from all archives are loaded regardless of order; order only affects symbol precedence
D) Archive order only matters when there are circular dependencies between archives


Question 11

What is the purpose of ASLR (Address Space Layout Randomization)?

A) It randomizes the order of function calls to prevent reverse engineering
B) It randomizes the virtual addresses of the stack, heap, and shared libraries on each run, making it harder for exploits to hardcode target addresses
C) It randomizes the instruction encoding to prevent code injection attacks
D) It randomizes the symbol table order to prevent information leakage


Question 12

A WEAK symbol and a GLOBAL symbol with the same name exist in different object files. The linker:

A) Reports a "multiple definition" error
B) Uses the GLOBAL definition; the WEAK definition is discarded
C) Uses the WEAK definition (weaker binding takes precedence)
D) Merges both symbols into a single definition


Question 13

The size tool reports: text=1024, data=16, bss=4194304. The actual file size is only 5 KB. Why?

A) The file is compressed; size reports decompressed sizes
B) .bss contains 4 MB but contributes zero bytes to the file — only its size is stored; .bss is zeroed by the loader at runtime
C) size reports virtual memory sizes; the actual sections are smaller due to compression
D) The debug sections (stripped) account for the size difference


Question 14

What does ldd /bin/ls show?

A) The linker directives embedded in the /bin/ls binary
B) The shared libraries that /bin/ls depends on and their resolved paths/addresses
C) The linker map showing which .o files were used to build /bin/ls
D) The symbol table of /bin/ls in dynamic format


Question 15

Why does the .text section typically have the ALLOC and EXECINSTR flags, but NOT the WRITE flag?

A) Code is too large to write at runtime; the WRITE flag is only for sections under 64 KB
B) Making code non-writable (read-execute only) prevents certain code injection attacks where an attacker would overwrite instructions; a writable .text section would be a security vulnerability
C) The WRITE flag is only used for the .data and .bss sections by convention; there is no security implication
D) Code cannot be modified after linking because the linker strips write permissions


Question 16

What is the SHT_NOBITS section type used for?

A) Sections that have no contents (empty sections created by the linker)
B) Sections that occupy space in memory but no space in the file; .bss uses this type
C) Sections that contain no initialized bits (all zeros in the file)
D) Sections that are stripped and have no debug information


Question 17

After gcc -static main.c -o main_static, running ldd main_static shows "not a dynamic executable." This means:

A) The binary is corrupted and cannot be executed
B) All library code (including libc) is statically linked into the executable; no external libraries are needed at runtime
C) The binary is a kernel module and requires insmod to load
D) The binary cannot be run on the current system due to architecture mismatch


Question 18

The _start symbol is different from main. What is _start's role?

A) _start is the kernel entry point; main is the user program entry point
B) _start is the true ELF entry point; it sets up the C runtime (stack alignment, argc/argv from the kernel's initial stack layout) and then calls __libc_start_main, which eventually calls main
C) _start is a debug symbol added by GDB; it has no runtime function
D) _start is the first function in .text by convention; it is identical to main


Question 19

What happens to .data (initialized global variables) at program startup?

A) .data is loaded directly from the executable file into RAM; the initialized values are in the PT_LOAD segment and the kernel maps them in
B) .data is copied from the .bss section to RAM by the dynamic linker
C) .data remains on disk; the kernel only maps it into RAM when the data is first accessed (demand paging)
D) .data is initialized by the C runtime, which reads the values from a special .init_data section


Question 20

A program compiled without -fPIE -pie loads its .text section at a fixed virtual address (e.g., 0x400000) on every run. A program compiled with -fPIE -pie loads at a randomized address. What ELF type does each produce?

A) Both produce ET_EXEC; the difference is only in the symbol table
B) Non-PIE produces ET_EXEC; PIE produces ET_DYN (treated as a position-independent shared object that happens to have an entry point)
C) Non-PIE produces ET_REL (relocatable); PIE produces ET_EXEC
D) Both produce ET_DYN; the difference is a flag in the ELF header


Answer Key

  1. C
  2. B
  3. B
  4. B
  5. B
  6. B
  7. A
  8. B
  9. B
  10. B
  11. B
  12. B
  13. B
  14. B
  15. B
  16. B
  17. B
  18. B
  19. A
  20. B