RevARM: A Platform-Agnostic ARM Binary Rewriter for Security Applications

ARM is the leading processor architecture in the emerging mobile and embedded market. Unfortunately, there have been a myriad of security issues on both mobile and embedded systems. While many countermeasures for such security issues have been proposed in recent years, a majority of applications still cannot be patched or protected because of run-time and space overhead constraints and the unavailability of source code. More importantly, the rapidly evolving mobile and embedded market makes any platform-specific solution ineffective. In this paper, we propose RevARM, a binary rewriting technique capable of instrumenting ARM-based binaries without limitation on the target platform. Unlike many previous binary instrumentation tools that are designed to instrument x86 binaries, RevARM must resolve a number of new, ARM-specific binary rewriting challenges. Moreover, RevARM is able to handle stripped binaries, requires no symbolic or semantic information, and supports Mach-O binaries, overcoming the limitations of existing approaches. Finally, we demonstrate the capabilities of RevARM in solving real-world security challenges. Our evaluation results across a variety of platforms, including popular mobile and embedded systems, show that RevARM is highly effective in instrumenting ARM binaries with an average of 3.2% run-time and 1.3% space overhead.
