EXAMINER: automatically locating inconsistent instructions between real devices and CPU emulators for ARM
- 22 February 2022
- conference paper
- Published by Association for Computing Machinery (ACM) in Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems
Abstract
Emulators are widely used to build dynamic analysis frameworks due to their fine-grained tracing capability, full-system monitoring functionality, and scalability of running on different operating systems and architectures. However, whether emulators are consistent with real devices is unknown. To understand this problem, we aim to automatically locate inconsistent instructions, which behave differently between emulators and real devices. We target the ARM architecture, which provides machine-readable specifications. Based on the specification, we propose a sufficient test case generator by designing and implementing the first symbolic execution engine for the ARM architecture specification language (ASL). We generate 2,774,649 representative instruction streams and conduct differential testing between four real ARM devices in different architecture versions (i.e., ARMv5, ARMv6, ARMv7, and ARMv8) and three state-of-the-art emulators (i.e., QEMU, Unicorn, and Angr). We locate a huge number of inconsistent instruction streams (171,858 for QEMU, 223,264 for Unicorn, and 120,169 for Angr). We find that undefined implementation in the ARM manual and bugs in emulators are the major causes of inconsistencies. Furthermore, we discover 12 bugs, which influence commonly used instructions (e.g., BLX). With the inconsistent instructions, we build three security applications and demonstrate the capability of these instructions in detecting emulators, anti-emulation, and anti-fuzzing.