
RevARM: A Platform-Agnostic ARM Binary Rewriter for Security Applications

Published: 04 December 2017

Abstract

ARM is the leading processor architecture in the emerging mobile and embedded market. Unfortunately, there has been a myriad of security issues on both mobile and embedded systems. While many countermeasures of such security issues have been proposed in recent years, a majority of applications still cannot be patched or protected due to run-time and space overhead constraints and the unavailability of source code. More importantly, the rapidly evolving mobile and embedded market makes any platform-specific solution ineffective. In this paper, we propose RevARM, a binary rewriting technique capable of instrumenting ARM-based binaries without limitation on the target platform. Unlike many previous binary instrumentation tools that are designed to instrument binaries based on x86, RevARM must resolve a number of new, ARM-specific binary rewriting challenges. Moreover, RevARM is able to handle stripped binaries, requires no symbolic/semantic information, and supports Mach-O binaries, overcoming the limitations of existing approaches. Finally, we demonstrate the capabilities of RevARM in solving real-world security challenges. Our evaluation results across a variety of platforms, including popular mobile and embedded systems, show that RevARM is highly effective in instrumenting ARM binaries with an average of 3.2% run-time and 1.3% space overhead.



Published In

ACSAC '17: Proceedings of the 33rd Annual Computer Security Applications Conference
December 2017
618 pages
ISBN:9781450353458
DOI:10.1145/3134600
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ACSAC 2017

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)57
  • Downloads (Last 6 weeks)6
Reflects downloads up to 05 Mar 2025

Citations

Cited By

  • (2024) Trapped by Your WORDs: (Ab)using Processor Exception for Generic Binary Instrumentation on Bare-metal Embedded Devices. Proceedings of the 61st ACM/IEEE Design Automation Conference, DOI 10.1145/3649329.3655687, pp. 1-6. Online publication date: 23-Jun-2024.
  • (2024) Harden-IoT: hardening the EoL devices by intercepting the attack vector for future B5G/6G IoT. Wireless Networks 30:8, DOI 10.1007/s11276-023-03517-z, pp. 6797-6808. Online publication date: 1-Nov-2024.
  • (2024) Binary-Level Code Injection for Automated Tool Support on the ESP32 Platform. Secure IT Systems, DOI 10.1007/978-3-031-79007-2_7, pp. 121-138. Online publication date: 6-Nov-2024.
  • (2023) ARMore. Proceedings of the 32nd USENIX Conference on Security Symposium, DOI 10.5555/3620237.3620590, pp. 6311-6328. Online publication date: 9-Aug-2023.
  • (2023) ARI. Proceedings of the 32nd USENIX Conference on Security Symposium, DOI 10.5555/3620237.3620392, pp. 2761-2778. Online publication date: 9-Aug-2023.
  • (2023) Shimware: Toward Practical Security Retrofitting for Monolithic Firmware Images. Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, DOI 10.1145/3607199.3607217, pp. 32-45. Online publication date: 16-Oct-2023.
  • (2023) Discovery and Identification of Memory Corruption Vulnerabilities on Bare-Metal Embedded Devices. IEEE Transactions on Dependable and Secure Computing 20:2, DOI 10.1109/TDSC.2022.3149371, pp. 1124-1138. Online publication date: 1-Mar-2023.
  • (2023) SHFuzz: Service Handler-aware Fuzzing for Detecting Multi-Type Vulnerabilities in Embedded Devices. Computers & Security, DOI 10.1016/j.cose.2023.103618, article 103618. Online publication date: Nov-2023.
  • (2023) BREWasm: A General Static Binary Rewriting Framework for WebAssembly. Static Analysis, DOI 10.1007/978-3-031-44245-2_8, pp. 139-163. Online publication date: 24-Oct-2023.
  • (2022) Research on a PSO-H-SVM-Based Intrusion Detection Method for Industrial Robotic Arms. Applied Sciences 12:6, DOI 10.3390/app12062765, article 2765. Online publication date: 8-Mar-2022.
