On Static Binary Translation of ARM/Thumb Mixed ISA Binaries

Code discovery has long been a major challenge for static binary translation, especially when the source instruction set architecture has variable-length instructions, as the x86 architectures do. Data embedded in the code section, such as PC (program counter)-relative literal data, jump tables, or padding, can mislead a binary translator into translating data as instructions. With variable-length instructions, once a piece of data is mis-translated as instructions, decoding of the subsequent bytes can also go wrong, because the decoder is no longer aligned with the real instruction boundaries.

We are concerned with static binary translation for the very popular Advanced RISC Machine (ARM) architectures. Although ARM is considered a reduced instruction set computer architecture, it allows 32-bit (ARM) instructions and 16-bit (Thumb) instructions to be mixed in the same executable. In addition to having different lengths, ARM and Thumb instructions are located at 4-byte- and 2-byte-aligned addresses, respectively. Furthermore, because ARM and Thumb instructions share the same encoding space, a 4-byte word can often be decoded either as one ARM instruction or as two Thumb instructions. Which decoding is correct is determined only at runtime by the processor's instruction-set state, which an interworking branch sets from the least-significant bit of its target address (bit 0 set selects Thumb, bit 0 clear selects ARM). For unstripped binaries, the ARM ELF mapping symbols ($a, $t, and $d) identify ARM code, Thumb code, and data regions. For stripped binaries, these mapping symbols are unavailable.

We propose a novel solution for statically translating stripped ARM/Thumb mixed executables, implemented in a static binary translator. For code regions whose type cannot be determined by our solution, the translator generates multiple versions of translated code, and one of the versions is selected at runtime. The translator also includes a series of analyses that remove most of the useless code versions.

Based on experimental results on stripped ARM/Thumb mixed binaries from the SPEC CPU2006 and Embedded Microprocessor Benchmark Consortium (EEMBC) benchmark suites, our static binary translator achieves good performance when migrating them to run on x86 machines, and the space overhead of the extra code versions is no more than 10%.
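The two mechanisms the abstract leans on, the ARM ELF mapping symbols that delimit ARM, Thumb and data regions in an unstripped binary and the interworking rule that decides the instruction-set state from bit 0 of a branch target, are shown below in runnable form. This is an added illustration written for this page, not code from the paper's translator, and the symbol table and code bytes are constructed for the demo (the encodings used, Thumb `bx lr` = 0x4770, Thumb-2 `nop.w` = 0xF3AF8000, ARM `mov r0, r0` = 0xE1A00000 and ARM `bx lr` = 0xE12FFF1E, are standard). The fetch-unit splitter also handles 32-bit Thumb-2 encodings, which the abstract does not discuss but which any Thumb region in a modern binary may contain.

```python
"""Code-discovery helpers for ARM/Thumb mixed ELF binaries (added example).

1. Mapping symbols from the ARM ELF ABI ($a = ARM code, $t = Thumb code,
   $d = data) classify addresses and fix the fetch-unit size per region.
2. An interworking branch (BX/BLX <Rm>) selects Thumb state at run time
   when bit 0 of the target address is set.
The symbol table and code bytes below are constructed, not taken from a
real binary."""
from bisect import bisect_right
from dataclasses import dataclass

MAPPING_KINDS = {"$a": "arm", "$t": "thumb", "$d": "data"}


@dataclass(frozen=True)
class Region:
    start: int
    kind: str


def regions_from_symbols(symbols):
    """symbols: iterable of (name, address) from .symtab.  GNU as emits
    names such as "$t.3", so only the part before the first '.' counts.
    Mapping symbols are local and vanish when the binary is stripped."""
    regions = [Region(addr, MAPPING_KINDS[name.split(".", 1)[0]])
               for name, addr in symbols
               if name.split(".", 1)[0] in MAPPING_KINDS]
    return sorted(regions, key=lambda r: r.start)


def classify(regions, addr):
    """Kind of the region containing addr; 'unknown' before the first
    mapping symbol, which is what a stripped binary looks like everywhere."""
    i = bisect_right([r.start for r in regions], addr)
    return regions[i - 1].kind if i else "unknown"


def thumb_insn_length(first_halfword):
    """Thumb-2: a halfword whose top five bits are 11101, 11110 or 11111
    is the first half of a 32-bit encoding; anything else is 16-bit."""
    return 4 if (first_halfword >> 11) in (0b11101, 0b11110, 0b11111) else 2


def fetch_units(regions, base, code):
    """Split little-endian code bytes loaded at `base` into fetch units,
    sized by the region each address falls in.  Returns a list of
    (address, kind, value).  A 32-bit Thumb insn is reported as
    hw1 << 16 | hw2, the way ARM documents it; ARM insns, data and
    unknown regions are read as 4-byte little-endian words."""
    units, off = [], 0
    while off < len(code):
        addr = base + off
        kind = classify(regions, addr)
        if kind == "thumb":
            hw1 = int.from_bytes(code[off:off + 2], "little")
            size = thumb_insn_length(hw1)
            value = hw1
            if size == 4:
                hw2 = int.from_bytes(code[off + 2:off + 4], "little")
                value = (hw1 << 16) | hw2
        else:
            size = 4
            value = int.from_bytes(code[off:off + 4], "little")
        units.append((addr, kind, value))
        off += size
    return units


def interworking_target(rm):
    """BX/BLX <Rm>: bit 0 set selects Thumb state and is dropped from the
    PC; bit 0 clear selects ARM state, where bits [1:0] must be 00."""
    if rm & 1:
        return "thumb", rm & ~1
    return "arm", rm & ~3


def describe_ambiguous_word(word):
    """The same 32-bit value read as one ARM word or as two Thumb
    halfwords.  Only the fetch-unit split is shown; which reading is
    right depends on the state the CPU is in when it reaches the word."""
    return {"arm": [word], "thumb": [word & 0xFFFF, word >> 16]}


# Constructed layout: a Thumb function, its literal pool, an ARM function.
SAMPLE_SYMBOLS = [("main", 0x8000), ("$t", 0x8000),
                  ("$d.1", 0x8008), ("$a", 0x800C)]
SAMPLE_CODE = bytes.fromhex(
    "0148"        # 0x8000  thumb16  ldr r0, [pc, #4]   -> literal at 0x8008
    "aff30080"    # 0x8002  thumb32  nop.w  (0xF3AF 0x8000)
    "7047"        # 0x8006  thumb16  bx lr  (0x4770)
    "78563412"    # 0x8008  data     0x12345678
    "0000a0e1"    # 0x800C  arm      mov r0, r0  (0xE1A00000)
    "1eff2fe1"    # 0x8010  arm      bx lr       (0xE12FFF1E)
)

if __name__ == "__main__":
    regs = regions_from_symbols(SAMPLE_SYMBOLS)
    for addr, kind, value in fetch_units(regs, 0x8000, SAMPLE_CODE):
        print(f"{addr:#x} {kind:7s} {value:#x}")
    print(interworking_target(0x8001), interworking_target(0x800C))
    print(describe_ambiguous_word(0xE1A00000))
```

The word 0xE1A00000 is the case the abstract describes: as an ARM word it is `mov r0, r0`, while its halfwords 0x0000 and 0xE1A0 are the Thumb `movs r0, r0` and an unconditional `b`, both valid. Where `classify` returns "unknown", which is everywhere in a stripped binary, a static translator has no mapping symbol to consult, and that is the situation the paper's multi-version translation with runtime selection on the state bit addresses.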
