DOI: 10.1145/3460319.3464842 (ACM Conferences, ISSTA Conference Proceedings)
research-article

iDEV: exploring and exploiting semantic deviations in ARM instruction processing

Published: 11 July 2021

ABSTRACT

ARM has become one of the most widely deployed processor architectures, and many platforms and tools execute or analyze ARM instructions, including commercial CPUs, emulators, and binary analysis tools. These implementations do not always agree on the semantics of the same ARM instruction encoding, yet little attention has been paid to analyzing such semantic deviations systematically, let alone their security implications. In this paper, we conduct an empirical study of the ARM Instruction Semantic Deviation (ISDev) issue. First, we classify the deviations into several categories and analyze the security implications of each. We then demonstrate several novel attacks that exploit ISDev, including stealthy targeted attacks and targeted defense evasion: an adversary can use the deviations to build malware that behaves as intended only on specific platforms, or that detects and bypasses particular detection solutions, since an analysis environment that handles an encoding differently from real hardware can be fingerprinted by executing that encoding. We have developed iDEV, a framework that systematically explores ISDev in existing ARM instruction processing tools and platforms via differential testing: the same instruction encodings are fed to every implementation, and any disagreement in decoding result or runtime behavior is recorded as a deviation. We evaluated iDEV on four hardware devices, the QEMU emulator, and five disassemblers that process the ARMv7-A instruction set. Over six million instructions cause the dynamic executors (i.e., the CPUs and QEMU) to exhibit different runtime behaviors, over eight million instructions cause the static disassemblers to yield different decoding results, and over one million instructions cause inconsistency between dynamic executors and static disassemblers. After analyzing the root causes of each type of deviation, we find that they are mostly due to ARM UNPREDICTABLE instructions (encodings for which the architecture does not define a single required behavior, so implementations legitimately differ) and to program defects in the tools.
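The differential-testing loop the abstract describes, as an added example that is not code from the iDEV paper or from any of the tools it evaluates. It models two static decoders and two dynamic executors for a single ARMv7-A encoding, MOV (immediate) in its A1 form, whose bits 19:16 are should-be-zero and make the word UNPREDICTABLE when set (the encoding facts are from the ARM Architecture Reference Manual). The strict/lenient decoders and faulting/permissive executors are constructed stand-ins for real tools, and the harness classifies each disagreement into the three categories the abstract counts: static (decoders disagree), dynamic (executors disagree) and cross (a decoder's defined/undefined verdict contradicts whether an executor ran the word).

```python
"""Differential testing of ARM instruction processors, in the style of iDEV.

Added example, not code from the iDEV paper or from the tools it evaluates.
Two toy static decoders and two toy dynamic executors are constructed below
for one ARMv7-A encoding, MOV (immediate) A1, so the harness runs offline;
in practice each slot would be a real disassembler or a stub run on a board.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

# ARMv7-A, MOV (immediate), encoding A1:
#   cond[31:28] 0 0 1 1 1 0 1 S[20] (0)(0)(0)(0)[19:16] Rd[15:12] imm12[11:0]
# Bits 19:16 are "should be zero"; the ARM ARM states that a nonzero value
# makes the instruction UNPREDICTABLE, which is exactly where tools diverge.
MOV_IMM_MASK = 0x0FE00000
MOV_IMM_BITS = 0x03A00000
COND = ["eq", "ne", "cs", "cc", "mi", "pl", "vs", "vc",
        "hi", "ls", "ge", "lt", "gt", "le", "", None]  # 0xE = AL, 0xF = unconditional space
REG = {13: "sp", 14: "lr", 15: "pc"}

def arm_expand_imm(imm12: int) -> int:
    """ARMExpandImm: the low 8 bits rotated right by 2 * imm12[11:8]."""
    rot, val = 2 * ((imm12 >> 8) & 0xF), imm12 & 0xFF
    return ((val >> rot) | (val << (32 - rot))) & 0xFFFFFFFF if rot else val

def _mov_fields(word: int) -> Optional[dict]:
    """Decoded fields if the 32-bit word lies in the MOV (immediate) A1 space, else None."""
    if word & MOV_IMM_MASK != MOV_IMM_BITS or COND[word >> 28] is None:
        return None
    return {"cond": COND[word >> 28], "S": (word >> 20) & 1, "sbz": (word >> 16) & 0xF,
            "Rd": (word >> 12) & 0xF, "imm": arm_expand_imm(word & 0xFFF)}

def _format(f: dict) -> str:
    return f"mov{'s' if f['S'] else ''}{f['cond']} {REG.get(f['Rd'], 'r%d' % f['Rd'])}, #{f['imm']}"

# --- static decoders (constructed models of two disassemblers) ---------------
def strict_decoder(word: int) -> Optional[str]:
    """Honours the SBZ bits: an UNPREDICTABLE encoding is reported as undefined (None)."""
    f = _mov_fields(word)
    return None if f is None or f["sbz"] != 0 else _format(f)

def lenient_decoder(word: int) -> Optional[str]:
    """Ignores bits 19:16 and decodes the word as an ordinary MOV."""
    f = _mov_fields(word)
    return None if f is None else _format(f)

# --- dynamic executors (constructed models of a CPU and an emulator) ---------
# Each returns "undefined" (the implementation took an Undefined Instruction
# exception) or the architectural effect, here the value written to Rd.
def faulting_executor(word: int) -> str:
    f = _mov_fields(word)
    return "undefined" if f is None or f["sbz"] != 0 else f"r{f['Rd']}={f['imm']:#x}"

def permissive_executor(word: int) -> str:
    f = _mov_fields(word)
    return "undefined" if f is None else f"r{f['Rd']}={f['imm']:#x}"

# --- the differential harness -------------------------------------------------
@dataclass
class Deviation:
    word: int
    kind: str                      # "static", "dynamic" or "cross"
    results: Dict[str, Optional[str]]

def run_differential(words: Iterable[int],
                     decoders: Dict[str, Callable[[int], Optional[str]]],
                     executors: Dict[str, Callable[[int], str]]) -> List[Deviation]:
    """Feed every word to every tool and record the three deviation classes:
    decoders disagree, executors disagree, or a decoder's defined/undefined
    verdict contradicts whether some executor actually ran the instruction."""
    found = []
    for w in words:
        dec = {n: d(w) for n, d in decoders.items()}
        exe = {n: e(w) for n, e in executors.items()}
        if len(set(dec.values())) > 1:
            found.append(Deviation(w, "static", dec))
        if len(set(exe.values())) > 1:
            found.append(Deviation(w, "dynamic", exe))
        decodable = {v is not None for v in dec.values()}
        executed = {v != "undefined" for v in exe.values()}
        if any(a != b for a in decodable for b in executed):
            found.append(Deviation(w, "cross", {**dec, **exe}))
    return found

def sbz_variants(base: int) -> List[int]:
    """Enumerate the 16 settings of the should-be-zero field of a MOV (immediate) word."""
    return [(base & ~0x000F0000) | (sbz << 16) for sbz in range(16)]

if __name__ == "__main__":
    # 0xE3A00001 is the well-formed encoding of "mov r0, #1"; only its 15
    # SBZ-violating siblings produce deviations.
    for d in run_differential(sbz_variants(0xE3A00001),
                              {"strict": strict_decoder, "lenient": lenient_decoder},
                              {"faulting": faulting_executor, "permissive": permissive_executor}):
        print(f"{d.word:#010x} {d.kind:8} {d.results}")
```

To turn this into a real test, replace the toy slots with adapters around actual tools: a decoder slot can wrap a disassembler library (for Capstone's Python binding, `Cs(CS_ARCH_ARM, CS_MODE_ARM).disasm(word.to_bytes(4, "little"), 0)` yields the decoded instruction, or nothing for a rejected word), and an executor slot can run the word in a small stub on the target CPU or under QEMU and report whether it trapped and what it wrote to the register file; how iDEV itself drives its four boards and QEMU is not described in this abstract, so that part is an assumption. The important design point carried over from the paper is that an UNPREDICTABLE encoding is not a bug in any single tool: the deviation only becomes visible, and exploitable, when several implementations are compared on the same word.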


Published in

ISSTA 2021: Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis, July 2021, 685 pages
ISBN: 9781450384599
DOI: 10.1145/3460319

      Copyright © 2021 ACM


Publisher

Association for Computing Machinery, New York, NY, United States


Acceptance Rates

Overall acceptance rate: 58 of 213 submissions (27%)
