iDEV: Exploring and Exploiting Semantic Deviations in ARM Instruction Processing
Sat 17 Jul 2021, 01:30 - 01:50, at ISSTA 2, Session 22 (time band 2): Bugs and Analysis 1. Chair: Saeid Tizpaz-Niari
ARM has become the most competitive processor architecture. Many platforms and tools are developed to execute or analyze ARM instructions, including various commercial CPUs, emulators, and binary analysis tools. However, they deviate from one another when processing the same ARM instructions, and little attention has been paid to systematically analyzing such semantic deviations, let alone their security implications. In this paper, we conduct an empirical study of the ARM Instruction Semantic Deviation (ISDev) issue. First, we classify the issue into several categories and analyze the security implications behind each of them. Then, we demonstrate several novel attacks that utilize the ISDev issue, including stealthy targeted attacks and targeted defense evasion. Such attacks could exploit the semantic deviations to generate malware that is specific to certain platforms, or that is able to detect and bypass certain detection solutions. We have developed a framework, iDEV, to systematically explore the ISDev issue in existing ARM instruction processing tools and platforms via differential testing. We have evaluated iDEV on four hardware devices, the QEMU emulator, and five disassemblers that can process the ARMv7-A instruction set. The evaluation results show that over six million instructions could cause dynamic executors (i.e., CPUs and QEMU) to present different runtime behaviors, over eight million instructions could cause static disassemblers to yield different decoding results, and over one million instructions cause inconsistencies between dynamic executors and static disassemblers. After analyzing the root causes of each type of deviation, we point out that they are mostly due to ARM unpredictable instructions and program defects.
Fri 16 Jul (times shown in the Brussels / Copenhagen / Madrid / Paris time zone)

08:00 - 09:00 | Session 16 (time band 3): Binary Analysis. Technical Papers at ISSTA 2. Chair: Michael Pradel (University of Stuttgart)
08:00 (20 min talk) | iDEV: Exploring and Exploiting Semantic Deviations in ARM Instruction Processing. Technical Papers. Shisong Qin, Chao Zhang, Kaixiang Chen, Zheming Li (Tsinghua University)
08:20 (20 min talk) | RAProducer: Efficiently Diagnose and Reproduce Data Race Bugs for Binaries via Trace Analysis. Technical Papers. Ming Yuan, Yeseop Lee, Chao Zhang, Yun Li (Tsinghua University), Yan Cai (Institute of Software, Chinese Academy of Sciences), Bodong Zhao (Tsinghua University)
08:40 (20 min talk) | A Lightweight Framework for Function Name Reassignment Based on Large-Scale Stripped Binaries (ACM SIGSOFT Distinguished Paper). Technical Papers. Han Gao, Shaoyin Cheng, Yinxing Xue, Weiming Zhang (University of Science and Technology of China)

Sat 17 Jul

01:10 - 02:30 | Session 22 (time band 2): Bugs and Analysis 1. Technical Papers at ISSTA 2. Chair: Saeid Tizpaz-Niari (University of Texas at El Paso)
01:10 (20 min talk) | Faster, Deeper, Easier: Crowdsourcing Diagnosis of Microservice Kernel Failure from User Space. Technical Papers. Yicheng Pan, Meng Ma, Xinrui Jiang, Ping Wang (Peking University)
01:30 (20 min talk) | iDEV: Exploring and Exploiting Semantic Deviations in ARM Instruction Processing. Technical Papers. Shisong Qin, Chao Zhang, Kaixiang Chen, Zheming Li (Tsinghua University)
01:50 (20 min talk) | RAProducer: Efficiently Diagnose and Reproduce Data Race Bugs for Binaries via Trace Analysis. Technical Papers. Ming Yuan, Yeseop Lee, Chao Zhang, Yun Li (Tsinghua University), Yan Cai (Institute of Software, Chinese Academy of Sciences), Bodong Zhao (Tsinghua University)
02:10 (20 min talk) | Fixing Dependency Errors for Python Build Reproducibility. Technical Papers. Suchita Mukherjee, Abigail Almanza, Cindy Rubio-González (University of California at Davis)