DOI: 10.1145/3395363.3397377 (ISSTA conference proceedings, research article)

An empirical study on ARM disassembly tools

Published: 18 July 2020

Abstract

With the increasing popularity of embedded devices, ARM is becoming the dominant architecture for them. Meanwhile, there is a pressing need to perform security assessments of these devices. Because of the variety of peripherals they use, it is challenging to run their firmware dynamically in an emulated environment, so static analysis is still commonly used. Existing work usually leverages off-the-shelf tools to disassemble stripped ARM binaries and (implicitly) assumes that reliable disassembly and function recognition are solved problems. Whether this assumption really holds has not been examined.
In this paper, we conduct the first comprehensive study of ARM disassembly tools. Specifically, we build 1,896 ARM binaries (including 248 obfuscated ones) with different compilers, compilation options, and obfuscation methods. We then evaluate eight state-of-the-art ARM disassembly tools (both commercial and non-commercial) on their ability to locate instructions and function boundaries in these binaries. These two capabilities are fundamental: other analysis primitives are built on top of them. Our work reveals observations that have not previously been systematically summarized or confirmed. For instance, we find that the coexistence of the ARM and Thumb instruction sets, and the reuse of the BL instruction for both function calls and branches, pose serious challenges to disassembly tools. Our evaluation sheds light on the limitations of state-of-the-art disassembly tools and points out potential directions for improvement. To engage the community, we release the data set and the related scripts at https://github.com/valour01/arm_disasssembler_study.
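The two challenges the abstract singles out, ARM/Thumb coexistence and the overloaded BL, are easiest to see on raw bytes. The following is an added example written for this page, not code from the paper or its released scripts. It decodes only the branch-family encodings (A32 B/BL/BLX/BX/SVC, T32 BL/BLX, T16 B/BX/BLX/NOP) and linearly sweeps the same constructed 8-byte blob once in ARM state and once in Thumb state. Assumptions: ARMv7-style encodings, little-endian byte order, and the architectural PC read value (addr+8 in ARM state, addr+4 in Thumb state); `sweep` and `call_targets` are illustrative names, not the API of any tool in the study.

```python
"""
Decode ARM/Thumb branch encodings to show why the same bytes mean different
things depending on which instruction set a disassembler assumes.
Added example for this page; not from the paper or its data set.
"""
import struct


def _sext(value, bits):
    """Sign-extend the low `bits` bits of `value`."""
    sign = 1 << (bits - 1)
    return (value & (sign - 1)) - (value & sign)


def decode_arm(addr, word):
    """Decode one A32 word at addr -> (mnemonic, immediate target or None, next state)."""
    pc = addr + 8
    cond = word >> 28
    op = (word >> 24) & 0xF
    if cond == 0xF and (word >> 25) & 0x7 == 0b101:         # BLX <imm>: always switches to Thumb
        h = (word >> 24) & 1
        return ("blx", pc + (_sext(word & 0xFFFFFF, 24) << 2) + (h << 1), "thumb")
    if cond == 0xF:                                          # other unconditional space: not handled
        return ("?", None, "arm")
    if op == 0xB:                                            # BL <imm>: call (or long branch), stays ARM
        return ("bl", pc + (_sext(word & 0xFFFFFF, 24) << 2), "arm")
    if op == 0xA:                                            # B <imm>
        return ("b", pc + (_sext(word & 0xFFFFFF, 24) << 2), "arm")
    if op == 0xF:                                            # SVC #imm24 (conditional)
        return ("svc", None, "arm")
    if (word & 0x0FFFFFF0) == 0x012FFF10:                    # BX Rm: state taken from bit 0 of Rm
        return ("bx", None, "r%d" % (word & 0xF))
    if (word & 0x0FFFFFF0) == 0x012FFF30:                    # BLX Rm
        return ("blx", None, "r%d" % (word & 0xF))
    return ("?", None, "arm")


def decode_thumb(addr, hw1, hw2):
    """Decode one T16/T32 instruction at addr -> (mnemonic, target, next state, size)."""
    pc = addr + 4
    if (hw1 >> 11) >= 0b11101:                               # first halfword of a 32-bit encoding
        if (hw1 >> 11) == 0b11110 and hw2 is not None and (hw2 >> 14) == 0b11:
            s = (hw1 >> 10) & 1
            j1, j2 = (hw2 >> 13) & 1, (hw2 >> 11) & 1
            i1, i2 = 1 - (j1 ^ s), 1 - (j2 ^ s)              # I1 = NOT(J1 XOR S), I2 = NOT(J2 XOR S)
            raw = (s << 24) | (i1 << 23) | (i2 << 22) | ((hw1 & 0x3FF) << 12) | ((hw2 & 0x7FF) << 1)
            imm = _sext(raw, 25)
            if (hw2 >> 12) & 1:                              # BL: stays in Thumb
                return ("bl", pc + imm, "thumb", 4)
            return ("blx", (pc & ~3) + imm, "arm", 4)        # BLX <imm>: word-aligned, switches to ARM
        return ("?", None, "thumb", 4)
    if (hw1 >> 11) == 0b11100:                               # B <imm11>
        return ("b", pc + (_sext(hw1 & 0x7FF, 11) << 1), "thumb", 2)
    if (hw1 & 0xFF87) == 0x4700:                             # BX Rm
        return ("bx", None, "r%d" % ((hw1 >> 3) & 0xF), 2)
    if (hw1 & 0xFF87) == 0x4780:                             # BLX Rm
        return ("blx", None, "r%d" % ((hw1 >> 3) & 0xF), 2)
    if hw1 == 0xBF00:                                        # NOP
        return ("nop", None, "thumb", 2)
    return ("?", None, "thumb", 2)


def sweep(blob, base, state):
    """Linear sweep of `blob` assuming one fixed state -> [(addr, mnemonic, target, next state)]."""
    out, off = [], 0
    while off < len(blob):
        addr = base + off
        if state == "arm":
            if len(blob) - off < 4:
                break
            (word,) = struct.unpack_from("<I", blob, off)
            mnem, tgt, nxt = decode_arm(addr, word)
            size = 4
        else:
            if len(blob) - off < 2:
                break
            (hw1,) = struct.unpack_from("<H", blob, off)
            hw2 = struct.unpack_from("<H", blob, off + 2)[0] if len(blob) - off >= 4 else None
            mnem, tgt, nxt, size = decode_thumb(addr, hw1, hw2)
        out.append((addr, mnem, tgt, nxt))
        off += size
    return out


def call_targets(insns):
    """Function-entry candidates a tool would harvest from immediate BL/BLX targets."""
    return sorted({t for _, m, t, _ in insns if m in ("bl", "blx") and t is not None})


# Constructed blob (assumption, not from the study): an A32 `bl` followed by the T16 pair `bx lr; nop`.
BASE = 0x1000
BLOB = bytes.fromhex("00F000EB" "7047" "00BF")

if __name__ == "__main__":
    for state in ("arm", "thumb"):
        insns = sweep(BLOB, BASE, state)
        print(state)
        for addr, mnem, tgt, nxt in insns:
            print("  %#06x  %-4s %-8s -> %s" % (addr, mnem, "" if tgt is None else "%#x" % tgt, nxt))
        print("  entry candidates:", [hex(t) for t in call_targets(insns)])
```

Sweeping in ARM state reads the first word as `bl 0x3d008` and the `bx lr; nop` pair as a conditional `svc`; sweeping in Thumb state reads the same first four bytes as `blx 0x1604` (a switch to ARM) followed by `bx lr` and `nop`. Both readings are well-formed, so nothing in the bytes themselves reveals the wrong choice, and the harvested call targets (0x3d008 versus 0x1604) differ accordingly. In an unstripped ELF the toolchain's mapping symbols ($a, $t, $d) mark which state each region is in; stripping removes them, which is exactly the setting the study evaluates. The `call_targets` heuristic also shows the second problem: because compilers emit BL for long intra-function branches as well as calls, not every BL target is a function entry.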




Published In

ISSTA 2020: Proceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis (July 2020, 591 pages). ISBN: 9781450380089. DOI: 10.1145/3395363
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher: Association for Computing Machinery, New York, NY, United States


Author Tags

  1. ARM Architecture
  2. Disassembly Tools
  3. Empirical Study

Qualifiers

  • Research-article

Conference: ISSTA '20

Acceptance Rates

Overall Acceptance Rate 58 of 213 submissions, 27%


Article Metrics

  • Downloads (last 12 months): 91
  • Downloads (last 6 weeks): 12

Reflects downloads up to 31 Dec 2024

Cited By

  • TaiE: Function Identification for Monolithic Firmware. Proceedings of the 32nd IEEE/ACM International Conference on Program Comprehension (2024), 403-414. DOI: 10.1145/3643916.3644407. Published 15 April 2024.
  • PyAnalyzer: An Effective and Practical Approach for Dependency Extraction from Python Code. Proceedings of the IEEE/ACM 46th International Conference on Software Engineering (2024), 1-12. DOI: 10.1145/3597503.3640325. Published 20 May 2024.
  • Toward Profiling IoT Processes for Remote Service Attestation. 2024 23rd International Symposium on Parallel and Distributed Computing (ISPDC), 1-8. DOI: 10.1109/ISPDC62236.2024.10705398. Published 8 July 2024.
  • Accurate Disassembly of ARMv8-A: Design and Implementation of a High-Fidelity Disassembler. 2024 International Conference on Artificial Intelligence and Digital Technology (ICAIDT), 26-30. DOI: 10.1109/ICAIDT62617.2024.00015. Published 7 June 2024.
  • UniBin: Assembly Semantic-enhanced Binary Vulnerability Detection without Disassembly. Information Sciences (2024), 121605. DOI: 10.1016/j.ins.2024.121605. Published October 2024.
  • An automated framework for selectively tolerating SDC errors based on rigorous instruction-level vulnerability assessment. Future Generation Computer Systems 157:C (2024), 392-407. DOI: 10.1016/j.future.2024.04.006. Published 18 July 2024.
  • A Comprehensive Study on ARM Disassembly Tools. IEEE Transactions on Software Engineering 49(4) (2023), 1683-1703. DOI: 10.1109/TSE.2022.3187811. Published 1 April 2023.
  • PointerScope: Understanding Pointer Patching for Code Randomization. IEEE Transactions on Dependable and Secure Computing 20(4) (2023), 3019-3036. DOI: 10.1109/TDSC.2022.3203043. Published 1 July 2023.
  • D-ARM: Disassembling ARM Binaries by Lightweight Superset Instruction Interpretation and Graph Modeling. 2023 IEEE Symposium on Security and Privacy (SP), 2391-2408. DOI: 10.1109/SP46215.2023.10179307. Published May 2023.
  • An Empirical Study of Smart Contract Decompilers. 2023 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 1-12. DOI: 10.1109/SANER56733.2023.00011. Published March 2023.
