Examiner: Automatically Locating Inconsistent Instructions between Real Devices and CPU Emulators for ARM

Muhui Jiang; Tianyi Xu; Yajin Zhou; Yufeng Hu; Ming Zhong; Lei Wu; Xiapu Luo; Kui Ren

doi:10.1145/3503222.3507736

Examiner: Automatically Locating Inconsistent Instructions between Real Devices and CPU Emulators for ARM

Muhui Jiang, Tianyi Xu, Yajin Zhou, Yufeng Hu, Ming Zhong, Lei Wu, Xiapu Luo, Kui Ren

Research output: Chapter in book / Conference proceeding › Conference article published in proceeding or book › Academic research › peer-review

8 Citations (Scopus)

Abstract

Emulators are widely used to build dynamic analysis frameworks due to its fine-grained tracing capability, full system monitoring functionality, and scalability of running on different operating systems and architectures. However, whether emulators are consistent with real devices is unknown. To understand this problem, we aim to automatically locate inconsistent instructions, which behave differently between emulators and real devices. We target the ARM architecture, which provides machine-readable specifications. Based on the specification, we propose a sufficient test case generator by designing and implementing the first symbolic execution engine for the ARM architecture specification language (ASL). We generate 2,774,649 representative instruction streams and conduct differential testing between four ARM real devices in different architecture versions (i.e., ARMv5, ARMv6, ARMv7, and ARMv8) and three state-of-The-Art emulators (i.e., QEMU, Unicorn, and Angr). We locate a huge number of inconsistent instruction streams (171,858 for QEMU, 223,264 for unicorn, and 120,169 for Angr). We find that undefined implementation in ARM manual and bugs of emulators are the major causes of inconsistencies. Furthermore, we discover 12 bugs, which influence commonly used instructions (e.g., BLX). With the inconsistent instructions, we build three security applications and demonstrate the capability of these instructions on detecting emulators, anti-emulation, and anti-fuzzing.

Original language	English
Title of host publication	ASPLOS 2022 - Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems
Editors	Babak Falsafi, Michael Ferdman, Shan Lu, Thomas F. Wenisch
Publisher	Association for Computing Machinery
Pages	846-858
Number of pages	13
ISBN (Electronic)	9781450392051
DOIs	https://doi.org/10.1145/3503222.3507736
Publication status	Published - 22 Feb 2022
Event	27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2022 - Virtual, Online, Switzerland Duration: 28 Feb 2022 → 4 Mar 2022

Publication series

Name	International Conference on Architectural Support for Programming Languages and Operating Systems - ASPLOS

Conference

Conference	27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2022
Country/Territory	Switzerland
City	Virtual, Online
Period	28/02/22 → 4/03/22

Keywords

Differential Testing
Emulator
Inconsistent Instructions

ASJC Scopus subject areas

Software
Information Systems
Hardware and Architecture

More information

10.1145/3503222.3507736

Cite this

Jiang, M., Xu, T., Zhou, Y., Hu, Y., Zhong, M., Wu, L., Luo, X., & Ren, K. (2022). Examiner: Automatically Locating Inconsistent Instructions between Real Devices and CPU Emulators for ARM. In B. Falsafi, M. Ferdman, S. Lu, & T. F. Wenisch (Eds.), ASPLOS 2022 - Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems (pp. 846-858). (International Conference on Architectural Support for Programming Languages and Operating Systems - ASPLOS). Association for Computing Machinery. https://doi.org/10.1145/3503222.3507736

Jiang, Muhui ; Xu, Tianyi ; Zhou, Yajin et al. / Examiner: Automatically Locating Inconsistent Instructions between Real Devices and CPU Emulators for ARM. ASPLOS 2022 - Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems. editor / Babak Falsafi ; Michael Ferdman ; Shan Lu ; Thomas F. Wenisch. Association for Computing Machinery, 2022. pp. 846-858 (International Conference on Architectural Support for Programming Languages and Operating Systems - ASPLOS).

@inproceedings{d3adf224268545b4a48002bd25bea146,

title = "Examiner: Automatically Locating Inconsistent Instructions between Real Devices and CPU Emulators for ARM",

abstract = "Emulators are widely used to build dynamic analysis frameworks due to its fine-grained tracing capability, full system monitoring functionality, and scalability of running on different operating systems and architectures. However, whether emulators are consistent with real devices is unknown. To understand this problem, we aim to automatically locate inconsistent instructions, which behave differently between emulators and real devices. We target the ARM architecture, which provides machine-readable specifications. Based on the specification, we propose a sufficient test case generator by designing and implementing the first symbolic execution engine for the ARM architecture specification language (ASL). We generate 2,774,649 representative instruction streams and conduct differential testing between four ARM real devices in different architecture versions (i.e., ARMv5, ARMv6, ARMv7, and ARMv8) and three state-of-The-Art emulators (i.e., QEMU, Unicorn, and Angr). We locate a huge number of inconsistent instruction streams (171,858 for QEMU, 223,264 for unicorn, and 120,169 for Angr). We find that undefined implementation in ARM manual and bugs of emulators are the major causes of inconsistencies. Furthermore, we discover 12 bugs, which influence commonly used instructions (e.g., BLX). With the inconsistent instructions, we build three security applications and demonstrate the capability of these instructions on detecting emulators, anti-emulation, and anti-fuzzing. ",

keywords = "Differential Testing, Emulator, Inconsistent Instructions",

author = "Muhui Jiang and Tianyi Xu and Yajin Zhou and Yufeng Hu and Ming Zhong and Lei Wu and Xiapu Luo and Kui Ren",

note = "Funding Information: We would like to thank the anonymous reviewers for their comments that greatly helped improve the presentation of this paper. We also want to thank Dr. Manuel Rigger for shepherding our paper. This work was partially supported by the National Natural Science Foundation of China (NSFC) under Grant 61872438, Leading Innovative and Entrepreneur Team Introduction Program of Zhejiang (2018R01005), the Fundamental Research Funds for the Central Universities (Zhejiang University NGICS Platform), HK RGC Project (No. PolyU 152239/18E). Publisher Copyright: {\textcopyright} 2022 ACM.; 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2022 ; Conference date: 28-02-2022 Through 04-03-2022",

year = "2022",

month = feb,

day = "22",

doi = "10.1145/3503222.3507736",

language = "English",

series = "International Conference on Architectural Support for Programming Languages and Operating Systems - ASPLOS",

publisher = "Association for Computing Machinery",

pages = "846--858",

editor = "Babak Falsafi and Michael Ferdman and Shan Lu and Wenisch, {Thomas F.}",

booktitle = "ASPLOS 2022 - Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems",

}

Jiang, M, Xu, T, Zhou, Y, Hu, Y, Zhong, M, Wu, L, Luo, X & Ren, K 2022, Examiner: Automatically Locating Inconsistent Instructions between Real Devices and CPU Emulators for ARM. in B Falsafi, M Ferdman, S Lu & TF Wenisch (eds), ASPLOS 2022 - Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems. International Conference on Architectural Support for Programming Languages and Operating Systems - ASPLOS, Association for Computing Machinery, pp. 846-858, 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2022, Virtual, Online, Switzerland, 28/02/22. https://doi.org/10.1145/3503222.3507736

Examiner: Automatically Locating Inconsistent Instructions between Real Devices and CPU Emulators for ARM. / Jiang, Muhui; Xu, Tianyi; Zhou, Yajin et al.
ASPLOS 2022 - Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems. ed. / Babak Falsafi; Michael Ferdman; Shan Lu; Thomas F. Wenisch. Association for Computing Machinery, 2022. p. 846-858 (International Conference on Architectural Support for Programming Languages and Operating Systems - ASPLOS).

Research output: Chapter in book / Conference proceeding › Conference article published in proceeding or book › Academic research › peer-review

TY - GEN

T1 - Examiner: Automatically Locating Inconsistent Instructions between Real Devices and CPU Emulators for ARM

AU - Jiang, Muhui

AU - Xu, Tianyi

AU - Zhou, Yajin

AU - Hu, Yufeng

AU - Zhong, Ming

AU - Wu, Lei

AU - Luo, Xiapu

AU - Ren, Kui

N1 - Funding Information: We would like to thank the anonymous reviewers for their comments that greatly helped improve the presentation of this paper. We also want to thank Dr. Manuel Rigger for shepherding our paper. This work was partially supported by the National Natural Science Foundation of China (NSFC) under Grant 61872438, Leading Innovative and Entrepreneur Team Introduction Program of Zhejiang (2018R01005), the Fundamental Research Funds for the Central Universities (Zhejiang University NGICS Platform), HK RGC Project (No. PolyU 152239/18E). Publisher Copyright: © 2022 ACM.

PY - 2022/2/22

Y1 - 2022/2/22

N2 - Emulators are widely used to build dynamic analysis frameworks due to its fine-grained tracing capability, full system monitoring functionality, and scalability of running on different operating systems and architectures. However, whether emulators are consistent with real devices is unknown. To understand this problem, we aim to automatically locate inconsistent instructions, which behave differently between emulators and real devices. We target the ARM architecture, which provides machine-readable specifications. Based on the specification, we propose a sufficient test case generator by designing and implementing the first symbolic execution engine for the ARM architecture specification language (ASL). We generate 2,774,649 representative instruction streams and conduct differential testing between four ARM real devices in different architecture versions (i.e., ARMv5, ARMv6, ARMv7, and ARMv8) and three state-of-The-Art emulators (i.e., QEMU, Unicorn, and Angr). We locate a huge number of inconsistent instruction streams (171,858 for QEMU, 223,264 for unicorn, and 120,169 for Angr). We find that undefined implementation in ARM manual and bugs of emulators are the major causes of inconsistencies. Furthermore, we discover 12 bugs, which influence commonly used instructions (e.g., BLX). With the inconsistent instructions, we build three security applications and demonstrate the capability of these instructions on detecting emulators, anti-emulation, and anti-fuzzing.

AB - Emulators are widely used to build dynamic analysis frameworks due to its fine-grained tracing capability, full system monitoring functionality, and scalability of running on different operating systems and architectures. However, whether emulators are consistent with real devices is unknown. To understand this problem, we aim to automatically locate inconsistent instructions, which behave differently between emulators and real devices. We target the ARM architecture, which provides machine-readable specifications. Based on the specification, we propose a sufficient test case generator by designing and implementing the first symbolic execution engine for the ARM architecture specification language (ASL). We generate 2,774,649 representative instruction streams and conduct differential testing between four ARM real devices in different architecture versions (i.e., ARMv5, ARMv6, ARMv7, and ARMv8) and three state-of-The-Art emulators (i.e., QEMU, Unicorn, and Angr). We locate a huge number of inconsistent instruction streams (171,858 for QEMU, 223,264 for unicorn, and 120,169 for Angr). We find that undefined implementation in ARM manual and bugs of emulators are the major causes of inconsistencies. Furthermore, we discover 12 bugs, which influence commonly used instructions (e.g., BLX). With the inconsistent instructions, we build three security applications and demonstrate the capability of these instructions on detecting emulators, anti-emulation, and anti-fuzzing.

KW - Differential Testing

KW - Emulator

KW - Inconsistent Instructions

UR - http://www.scopus.com/inward/record.url?scp=85126393364&partnerID=8YFLogxK

U2 - 10.1145/3503222.3507736

DO - 10.1145/3503222.3507736

M3 - Conference article published in proceeding or book

AN - SCOPUS:85126393364

T3 - International Conference on Architectural Support for Programming Languages and Operating Systems - ASPLOS

SP - 846

EP - 858

BT - ASPLOS 2022 - Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems

A2 - Falsafi, Babak

A2 - Ferdman, Michael

A2 - Lu, Shan

A2 - Wenisch, Thomas F.

PB - Association for Computing Machinery

T2 - 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2022

Y2 - 28 February 2022 through 4 March 2022

ER -

Jiang M, Xu T, Zhou Y, Hu Y, Zhong M, Wu L et al. Examiner: Automatically Locating Inconsistent Instructions between Real Devices and CPU Emulators for ARM. In Falsafi B, Ferdman M, Lu S, Wenisch TF, editors, ASPLOS 2022 - Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems. Association for Computing Machinery. 2022. p. 846-858. (International Conference on Architectural Support for Programming Languages and Operating Systems - ASPLOS). doi: 10.1145/3503222.3507736

Examiner: Automatically Locating Inconsistent Instructions between Real Devices and CPU Emulators for ARM

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

More information

Other files and links

Fingerprint

Cite this