http://dx.doi.org/10.13089/JKIISC.2018.28.5.1233

A Disassembly Technique of ARM Position-Independent Code with Value-Set Analysis Having Symbol-Form Domain  

Ha, Dongsoo (Hanyang University)
Oh, Heekuck (Hanyang University)
Abstract
With the proliferation of smart mobile devices, disassembly techniques for position-independent code (PIC) composed of ARM architecture instructions are becoming more important in computer security. However, existing techniques have been studied on the x86 architecture and focus on the problems of non-PIC binaries and generality. Therefore, the accuracy of the collected address information is too low to apply to advanced security technologies such as binary measurement. In this paper, we propose a disassembly technique that reflects the characteristics of PIC composed of ARM instructions. For accurately collecting traceable addresses, we designed a value-set analysis having a symbol-form domain. To solve the main problem of disassembly, we devised a heuristic using the characteristics of the code generated by the compiler. To verify the accuracy and effectiveness of our technique, we tested 669 shared libraries and executables in the Android 8.1 build, resulting in a total disassembly rate of 91.47%.
Keywords
Disassembly; Disassembler; Value-set analysis (VSA); Position-independent code (PIC); ARM architecture;
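As an added illustration of what a symbol-form value-set domain buys a PIC disassembler (this is example code written for this page, not the authors' implementation): abstract values are (symbol, offset) pairs, so a PC-relative GOT address stays traceable as BASE-relative even though the load address is unknown. The instruction tuples, the literal-pool and GOT contents, and the BASE symbol are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

BASE = "BASE"       # symbolic module load address, unknown until runtime (assumption)
PC_READ_OFFSET = 8  # ARM mode: reading PC yields the current instruction address + 8
@dataclass(frozen=True)
class SymVal:
    """Symbol-form abstract value: offset relative to a symbol, or a plain constant."""
    sym: Optional[str]  # None -> constant, BASE -> module-relative address
    off: int

    def __add__(self, other: "SymVal") -> Optional["SymVal"]:
        if self.sym and other.sym:   # BASE + BASE has no meaning: drop to unknown
            return None
        return SymVal(self.sym or other.sym, self.off + other.off)

# Constructed ARM-mode GOT-relative call sequence (module-relative addresses):
CODE = [
    (0x1000, "ldr_pc_lit", ("r3", 0x1010)),  # ldr r3, [pc, #8]   ; literal at 0x1010
    (0x1004, "add_pc", ("r3", "r3")),        # add r3, pc, r3     ; r3 = &GOT
    (0x1008, "ldr", ("r0", "r3", 0x10)),     # ldr r0, [r3, #16]  ; GOT slot -> r0
    (0x100c, "blx", ("r0",)),                # blx r0             ; indirect call
]
# Constructed literal pool: the linker stores GOT - (PC as read by the add).
LITERALS = {0x1010: 0x2000 - (0x1004 + PC_READ_OFFSET)}
# Constructed GOT, modelled statically as slot -> relocation target offset.
GOT = {0x2000 + 0x10: 0x1800}
def analyze(code, literals, got):
    """Walk the snippet once, tracking a set of SymVal per register."""
    regs = {}
    targets = []  # module-relative call targets recovered at indirect branches
    for addr, op, args in code:
        if op == "ldr_pc_lit":           # PC-relative literal: a link-time constant
            rd, lit = args
            regs[rd] = {SymVal(None, literals[lit])}
        elif op == "add_pc":             # constant + PC becomes BASE-relative
            rd, rn = args
            pc = SymVal(BASE, addr + PC_READ_OFFSET)
            sums = [v + pc for v in regs.get(rn, set())]
            regs[rd] = {s for s in sums if s is not None}
        elif op == "ldr":                # dereference only BASE-relative GOT slots
            rd, rn, imm = args
            regs[rd] = {SymVal(BASE, got[v.off + imm])
                        for v in regs.get(rn, set())
                        if v.sym == BASE and v.off + imm in got}
        elif op == "blx":                # every BASE-relative value is traceable
            (rn,) = args
            targets += sorted(v.off for v in regs.get(rn, set()) if v.sym == BASE)
    return regs, targets
```

A plain constant domain would lose the target at the `add r3, pc, r3` step, because PC has no concrete value before the module is loaded; keeping BASE symbolic is what lets the call at 0x100c be resolved to BASE+0x1800.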