Arcana

Arcana Research: Who are we?

Arcana Research is a boutique security research company founded by Ryan 'ElfMaster' O'Neill. At Arcana we focus on extremely innovative solutions to solving some of the most challenging problems at DARPA and beyond...

Ryan "ElfMaster" O'Neill

Ryan "ElfMaster" O'Neill is a veteran computer security researcher, reverse engineer, and ELF specialist with decades in the field since the late 1990s. He is the author of Learning Linux Binary Analysis (Packt, 2016), a contributor to iconic publications like Phrack, POC||GTFO, and tmp.0ut, and a presenter at major conferences including DEF CON (notably his 2023 talk on Shiva). His open-source work includes tools like ECFS (extended core-file snapshot technology) and libelfmaster for secure ELF parsing and forensics, and he maintains active research via GitHub (github.com/elfmaster) and earlier projects on bitlackeys.org.

DARPA Research

Arcana Research has driven major advancements in DARPA's AMP (Assured Micropatching) and E-BOSS (Enhanced SBOM for Optimized Software Sustainment) programs. In AMP Phase 2, we introduced Shiva—a custom dynamic linker with enhanced ELF linking/loading capabilities—enabling next-generation runtime binary patching for Linux AArch64/X86_64. Shiva excelled in DARPA E-BOSS as well, tackling real-world binary patching challenges with high efficiency while continuing to mature. E-BOSS also leverages Ryan O'Neill's ECFS (Extended Corefile Snapshot, created in 2015)—now serving as a metadata-enriched ELF coredump handler. It supports full process-wide symbol table and section header reconstruction, allowing high-fidelity analysis in Ghidra and seamless integration with symbolic executors or post-mortem threat analysis tools.

Recent Technologies

Shiva: Linux ELF load-time binary patching engine

Our bravest innovation is Shiva, a revolutionary Linux ELF binary patching engine and programmable dynamic linker. Developed with funding from DARPA's Assured Micropatching (AMP) program. Shiva enables dynamic, symbolically driven binary patching with precision-level program transformation on Linux x86_64 and AArch64 architectures. Shiva pushes the boundaries of ELF binary patching—leveraging enhanced DWARF support, symbol/relocation-driven linking and advanced program transformation capabilities.

Read more about Shiva →

Linux Granular ASLR for x86_64

Arcana Research has developed a powerful runtime prototype for Granular ASLR (gASLR) in Linux userland. Unlike standard ASLR—which only offsets the base address of PIE executables and is often easily bypassed—our approach randomizes at a much finer granularity: relocating individual functions, PLT entries, and global data to unpredictable locations during process execution. Implemented as a Shiva module (aka Shiva microprogram), this security module randomly re-orders the location of functions at load-time significantly hardening binaries against memory-disclosure and ROP/JOP attacks. While still in prototype stage, the design demonstrates strong effectiveness and is actively being refined for production readiness. Contact us for technical details, a live demo, or collaboration opportunities!

Custom security technologies

We offer custom software security solutions

ELF binary hacking workshops

Ryan "ElfMaster" O'Neill has trained multiple militaries including the Australian DoD, US. Westpoint Military Academy, and various private corporations including Netflix. Ryan offers several workshops for reverse engineering and security enthusiasts, or anyone else who wants to learn the depths of the ELF binary format, dynamic linking, UNIX virus infection, process image internals, binary forensics, and more... Most recently Ryan is working on a new workshop focused primarily on custom ELF interpreters, linkers, loaders, and all-things Shiva. This training can raise-the-bar for your team by equipping them with the esoteric knowledge that few reverse engineers and software developers possess. Contact us for more information.

Contact

elfmaster [at] arcana-research.io