Guang Wang,Ziyuan Zhu,Xu Cheng,Dan Meng

DOI: https://doi.org/10.1109/iccd56317.2022.00075

2022-01-01

Abstract:Instruction disassemblers can be used for software reverse engineering, malware analysis, and undocumented instructions detection. However, flaws in the disassemblers directly affect the accuracy of its related applications. For example, if the disassembler fails to decode or misdecodes the binary code of malware, the reverse engineers may misinterpret the functionality of the malware. Therefore, it is necessary to systematically test the disassemblers. Existing works leverage the depth-first search (DFS) algorithm to search the x86 instruction space. However, they cannot cover all x86 instruction opcodes and register operands. The root cause is that existing DFS algorithms cannot guarantee the search depth for some instruction space. We proposed an approach, named FedDFS, to improve the search depth of DFS algorithm. We analyzed the x86 instruction formats and summarized the essential search depth for each instruction format. We leveraged a feedback controlled DFS algorithm, which is controlled by comparing its search depth with essential search depth. If FedDFS detects that search depth is smaller than essential search depth, the feedback mechanism promptly increases the search depth until it reaches the proper search depth. We evaluated FedDFS on disassembler Capstone and processors from Intel and AMD. The experimental results proved that, after increasing the search depth, FedDFS does improve the coverage of x86 instruction opcodes and register operands. FedDFS tested trillions of instructions and found more instruction flaws in Capstone, which of them can only be found by FedDFS.

Chunqiang Li,Zhiwei Liu,Yunhai Shang,Lenian He,Xiaolang Yan

DOI: https://doi.org/10.3390/electronics12143014

IF: 2.9

2023-01-01

Electronics

Abstract:Binary translation, as an important bridge for application compatibility between different instruction set architectures (ISAs), has attracted much attention in the industry. However, due to hardware resource limitations of the target ISA, the translation efficiency and the practicability are poor. Recently, Apple has made it possible to run x86 programs on ARM through a translation technology called Rosetta based on software-hardware collaboration. In this paper, we proposed a hardware non-invasive mapping method for condition bits (HNIMCB) in binary translation, which innovatively implements the setting and referencing operations of the condition bits without changing the original instruction encoding and function of the target processor. This method is applicable for binary translation from source architectures with condition bit operations to target architectures without condition bit operations. It eliminates the difference of conditional bit resources between the source and target ISAs, reduces the computational instructions and memory access operations after translation from the source to the target ISA, and dramatically improves the translation efficiency. We conducted this experiment on a functional simulation level using the QEMU binary translator from ARM to RISC-V. A series of benchmark tests revealed that the total number of instructions decreased by 41%, while the number of memory access instructions decreased by 37% after the translation applying with the HNIMCB.

Guang Wang,Ziyuan Zhu,Xu Cheng,Dan Meng

DOI: https://doi.org/10.1109/tc.2023.3288762

2023-01-01

Abstract:The processors have long been treated as trusted black boxes for running software. However, processors may have undocumented instructions and instruction flaws, which increase the attack surface of the computing system. Hardware-related attack surfaces can bypass malware detection tools, resulting in undefined system behavior, instability, and insecurity. Unfortunately, the existing testing methods for undocumented instructions and instruction flaws have issues of insufficient test coverage and low test efficiency. We proposed an approach Skipscan to address these issues, which tests both the legal instructions and the reserved instructions. For the first time, to improve the test coverage, Skipscan leverages an optimized combination algorithm to generate instruction prefix combinations, which covers the entire types of legal prefix combinations. To improve the test efficiency, Skipscan skips a considerable number of redundant legal instructions by leveraging the minimal test set of immediate and displacement operands. We evaluated Skipscan on eight x86 processors from Intel and AMD. The number of legal instructions and reserved instructions tested by Skipscan are 121.4 and 259.55 times that of Sandsifter on average, respectively. The test efficiency of Skipscan is on average 4 times that of Sandsifter. The ratio of legal instructions is reduced from 78.2% to 20.1% on average. Furthermore, we found more undocumented instructions on x86 processors and instruction flaws in x86 disassemblers.

Muhui Jiang,Xiaoye Zheng,Rui Chang,Yajin Zhou,Xiapu Luo

DOI: https://doi.org/10.1109/tse.2024.3406900

IF: 7.4

2024-01-01

IEEE Transactions on Software Engineering

Abstract:Emulators are commonly employed to construct dynamic analysis frameworks due to their ability to perform fine-grained tracing, monitor full system functionality, and run on diverse operating systems and architectures. Nonetheless, the consistency of emulators with the real devices, remains uncertain. To address this issue, our objective is to automatically identify inconsistent instructions that exhibit different behavior between emulators and real devices across distinct privileges, including user-level and system-level privilege.We target the Arm architecture, which provides machine-readable specifications. Based on the specification, we propose a sufficient test case generator by designing and implementing the first symbolic execution engine for the Arm architecture specification language (ASL). We generated 2,774,649 representative instruction streams and developed a differential testing engine, EXAMINER PRO. With this engine, we compared the behavior of real Arm devices across different instruction sets (A32, A64, T16, and T32) with the popular QEMU emulator, both at the user-level and system-level. To demonstrate the generalizability of EXAMINER PRO, we also tested two other emulators, namely Unicorn and Angr. We find that undefined implementation in Arm manual and bugs of emulators are the major causes of inconsistencies. Furthermore, we discover 17 bugs, which influence commonly used instructions (e.g., BLX). With the inconsistent instructions, we build three security applications and demonstrate the capability of these instructions on detecting emulators, anti-emulation, and anti-fuzzing.

Shisong Qin,Chao Zhang,Kaixiang Chen,Zheming Li

DOI: https://doi.org/10.1145/3460319.3464842

2021-01-01

Abstract:ARM has become the most competitive processor architecture. Many platforms or tools are developed to execute or analyze ARM instructions, including various commercial CPUs, emulators, and binary analysis tools. However, they have deviations when processing the same ARM instructions, and little attention has been paid to systematically analyze such semantic deviations, not to mention the security implications of such deviations. In this paper, we conduct an empirical study on the ARM Instruction Semantic Deviation (ISDev) issue. First, we classify this issue into several categories and analyze the security implications behind them. Then, we further demonstrate several novel attacks which utilize the ISDev issue, including stealthy targeted attacks and targeted defense evasion. Such attacks could exploit the semantic deviations to generate malware that is specific to certain platforms or able to detect and bypass certain detection solutions. We have developed a framework iDEV to systematically explore the ISDev issue in existing ARM instructions processing tools and platforms via differential testing. We have evaluated iDEV on four hardware devices, the QEMU emulator, and five disassemblers which could process the ARMv7-A instruction set. The evaluation results show that, over six million instructions could cause dynamic executors (i.e., CPUs and QEMU) to present different runtime behaviors, and over eight million instructions could cause static disassemblers yielding different decoding results, and over one million instructions cause inconsistency between dynamic executors and static disassemblers. After analyzing the root causes of each type of deviation, we point out they are mostly due to ARM unpredictable instructions and program defects.

Zhenfang Wei,Jianmin Pang,Yichi Zhang,Zheng Shan

DOI: https://doi.org/10.4028/www.scientific.net/AMM.198-199.663

2012-01-01

Applied Mechanics and Materials

Abstract:With the development of computer architecture, new architecture cannot use the executable files on the old architecture and other architectures. In order to translate the x86_64 binary executable files to other architectures, we decode the binary files by a decoder generated by the New Jersey Machine-Code Toolkit through writing a specification of the x86_64 instructions. This paper give a brief introduce about the Specification Language for Encoding and Decoding and the x86_64 instructions characteristics, then make a detailed description on the specifications of the x86_64 instructions, and the result of the test proved that the decoder is correct and has high speed. © (2012) Trans Tech Publications, Switzerland.

Muhui Jiang,Tianyi Xu,Yajin Zhou,Yufeng Hu,Ming Zhong,Lei Wu,Xiapu Luo,Kui Ren

DOI: https://doi.org/10.48550/arXiv.2105.14273

2021-08-12

Abstract:Emulator is widely used to build dynamic analysis frameworks due to its fine-grained tracing capability, full system monitoring functionality, and scalability of running on different operating systemsand architectures. However, whether the emulator is consistent with real devices is unknown. To understand this problem, we aim to automatically locate inconsistent instructions, which behave differently between emulators and real devices. We target ARM architecture, which provides machine readable specification. Based on the specification, we propose a test case generator by designing and implementing the first symbolic execution engine for ARM architecture specification language (ASL). We generate 2,774,649 representative instruction streams and conduct differential testing with these instruction streams between four ARM real devices in different architecture versions (i.e., ARMv5, ARMv6, ARMv7-a, and ARMv8-a) and the state-of-the-art emulators (i.e., QEMU). We locate 155,642 inconsistent instruction streams, which cover 30% of all instruction encodings and 47.8% of the instructions. We find undefined implementation in ARM manual and implementation bugs of QEMU are the major causes of inconsistencies. Furthermore, we discover four QEMU bugs, which are confirmed and patched by thedevelopers, covering 13 instruction encodings including the most commonly used ones (e.g.,STR,BLX). With the inconsistent instructions, we build three security applications and demonstrate thecapability of these instructions on detecting emulators, anti-emulation, and anti-fuzzing.

Cryptography and Security

Yuze Wang,Peng Liu,Weidong Wang,Xiaohang Wang,Yingtao Jiang

DOI: https://doi.org/10.1109/tc.2021.3097174

IF: 3.183

2021-01-01

IEEE Transactions on Computers

Abstract:One major security vulnerability of a microprocessor can be attributed to its underlying instruction set architecture (ISA). Generally, it is required that no secret instructions be included in the ISA or implemented in the processor micro-architecture. Such a requirement is particularly important for the reduced instruction set computing (RISC) processors that are widely used nowadays, and applying the proposed consistency testing approach is poised to ensure this requirement is met. Capable of revealing any possible dark instructions (i.e., executable instructions but without clear definitions of their behavior) in RISC processors, a consistency test comes in three phases. During the generation phase, based on the instruction set encoding rules, all the undefined instructions are generated. Even with a smaller test space, this step guarantees the test coverage needed to reveal all the dark instructions that may exist. In the next phase, all the undefined instructions obtained from the previous phase are executed on the processor under test, following a set of persistence strategies; any instruction exhibiting unusual execution result will be deemed suspicious and recorded so. During the last analysis phase, each of those recorded suspicious instructions will be checked and analyzed to decide whether it truly constitutes a dark instruction. We have applied the proposed testing model and strategy to several RISC processors and found that all of them have a few dark instructions previously unknown. The potential vulnerabilities of these processors introduced by their respective dark instructions have thus been evaluated and exposed.

engineering, electrical & electronic,computer science, hardware & architecture

Yuze Wang,Peng Liu,Weidong Wang,Xiaohang Wang,Yingtao Jiang

DOI: https://doi.org/10.1109/tc.2021.3097174

IF: 3.183

2021-01-01

IEEE Transactions on Computers

Abstract:One major security vulnerability of a microprocessor can be attributed to its underlying instruction set architecture (ISA). Generally, it is required that no secret instructions be included in the ISA or implemented in the processor micro-architecture. Such a requirement is particularly important for the reduced instruction set computing (RISC) processors that are widely used nowadays, and applying the proposed consistency testing approach is poised to ensure this requirement is met. Capable of revealing any possible dark instructions (i.e., executable instructions but without clear definitions of their behavior) in RISC processors, a consistency test comes in three phases. During the generation phase, based on the instruction set encoding rules, all the undefined instructions are generated. Even with a smaller test space, this step guarantees the test coverage needed to reveal all the dark instructions that may exist. In the next phase, all the undefined instructions obtained from the previous phase are executed on the processor under test, following a set of persistence strategies; any instruction exhibiting unusual execution result will be deemed suspicious and recorded so. During the last analysis phase, each of those recorded suspicious instructions will be checked and analyzed to decide whether it truly constitutes a dark instruction. We have applied the proposed testing model and strategy to several RISC processors and found that all of them have a few dark instructions previously unknown. The potential vulnerabilities of these processors introduced by their respective dark instructions have thus been evaluated and exposed.

Deepak Krishnankutty,Zheng Li,Ryan Robucci,Nilanjan Banerjee,Chintan Patel

DOI: https://doi.org/10.1109/tc.2020.3018092

IF: 3.183

2020-11-01

IEEE Transactions on Computers

Abstract:Embedded systems are prone to leak information via side-channels associated with their physical internal activity, such as power consumption, timing, and faults. Leaked information can be analyzed to extract sensitive data and devices should be assessed for such vulnerabilities. Side-channel power-supply leakage from embedded devices can also provide information regarding instruction-level activity for control code executed on these devices. Methods proposed to disassemble instruction-level activity via side-channel leakage have not addressed issues related to pipelined multi-clock-cycle architectures, nor have proven robustness or reliability. The problem of detecting malicious code modifications while not obstructing the sequence of instructions being executed needs to be addressed. In this article, instruction sequences being executed on a general-purpose pipelined computing platform are identified and instructions that make up these sequences are classified based on hardware utilization. Individual instruction classification results using a fine-grained classifier is also presented. A dynamic programming algorithm was applied to detect the boundaries of instructions in a sequence with a 100 percent accuracy. A unique aspect of this technique is the use of multiple power supply pin measurements to increase precision and accuracy. To demonstrate the robustness of this technique, power leakage data from ten target FPGAs programmed with a prototype of the pipelined architecture was analyzed and classification accuracies averaging 99 percent were achieved with instructions labeled based on hardware utilization. Individual instruction classification accuracies above 90 percent were achieved using a fine-grained classifier. Classification accuracies were also verified when a target FPGA was subjected to different controlled temperatures. The classification accuracies on discrete (ASIC) pipelined-architecture microcontrollers was 97 percent.

engineering, electrical & electronic,computer science, hardware & architecture

Kang Zhao,Jinian Bian

DOI: https://doi.org/10.1109/cscwd.2011.5960055

2011-01-01

Abstract:To reduce the huge search space when customizing instruction-level accelerators for the application specific instruction-set processor (ASIP), this paper proposes an automated instruction-level hardware/software partition method based on the data flow graph exploration. This method integrates the instruction identification and selection using an iterative improvement strategy. The search space is reduced via considering the performance factors during the identification.

Benyi Xie,Yue Yan,Chenghao Yan,Sicheng Tao,Zhuangzhuang Zhang,Xinyu Li,Yanzhi Lan,Xiang Wu,Tianyi Liu,Tingting Zhang,Fuxin Zhang

DOI: https://doi.org/10.1145/3640813

IF: 1.444

2024-01-15

ACM Transactions on Architecture and Code Optimization

Abstract:Dynamic binary translators (DBTs) are widely used to migrate applications between different instruction set architectures (ISAs). Despite extensive research to improve DBT performance, noticeable overhead remains, preventing near-native performance, especially when translating from complex instruction set computer (CISC) to reduced instruction set computer (RISC). For computational workloads, the main overhead stems from translated code quality. Experimental data show state-of-the-art DBT products have dynamic code inflation of at least 1.46. This indicates on average over 1.46 host instructions are needed to emulate one guest instruction. Worse, inflation closely correlates with translated code quality. However, the detailed sources of instruction inflation remain unclear. To understand the sources of inflation, we present Deflater, an instruction inflation analysis framework comprising a mathematical model, a collection of black-box unit tests called BenchMIAOes, and a trace-based simulator called InflatSim. The mathematical model calculates overall inflation based on the inflation of individual instructions and translation block (TB) optimizations. BenchMIAOes extract model parameters from DBTs without accessing DBT source code. InflatSim implements the model and uses the extracted parameters from BenchMIAOes to simulate a given DBT’s behavior. Deflater is a valuable tool to guide DBT analysis and improvement. Using Deflater, we simulated inflation for three state-of-the-art CISC-to-RISC DBTs: ExaGear, Rosetta2, and LATX, with inflation errors of 5.63%, 5.15%, and 3.44% respectively for SPEC CPU 2017, gaining insights into these commercial DBTs. Deflater also efficiently models inflation for the open-source DBT QEMU and suggests optimizations that can substantially reduce inflation. Implementing the suggested optimizations confirms Deflater’s effective guidance, with 4.65% inflation error, and gains 5.47x performance improvement.

computer science, theory & methods, hardware & architecture

Zhengyang He,Hui Xu,Guanpeng Li

DOI: https://doi.org/10.1109/dsn58291.2024.00023

2024-01-01

Abstract:As transistors continue to shrink in size, the soft error rate in computer systems is rising, posing a critical threat of severe failures. error detection by duplicating instruction (Ellin) has been proposed as a prominent software-based technique for detecting soft errors. However, utilizing EDDI specifically at the assembly level has not been well explored in the literature. Towards this end, the paper introduces FERRUM, an innovative assembly level EDDI, which is a boosted version compared with the original assembly level EDDI by using SIMD and other compiler-level transformations. We evaluate FERRUM in both fault coverage and runtime performance compared with IR level EDDI and original assembly level EDDI. The results show that FERRUM not only ensures 100% protection coverage at the assembly level but also surpasses baseline techniques by more than 50% in runtime performance overhead.

Edward McDaid,Sarah McDaid

2023-05-22

Abstract:Overlapping instruction subsets derived from human originated code have previously been shown to dramatically shrink the inductive programming search space, often by many orders of magnitude. Here we extend the instruction subset approach to consider direct instruction-instruction applications (or instruction digrams) as an additional search heuristic for inductive programming. In this study we analyse the frequency distribution of instruction digrams in a large sample of open source code. This indicates that the instruction digram distribution is highly skewed with over 93% of possible instruction digrams not represnted in the code sample. We demonstrate that instruction digrams can be used to constrain instruction selection during search, further reducing size of the the search space, in some cases by several orders of magnitude. This significantly increases the size of programs that can be generated using search based inductive programming techniques. We discuss the results and provide some suggestions for further work.

Programming Languages,Artificial Intelligence

Yunkai Bai,Jungmin Park,Domenic Forte

2024-12-11

Abstract:Side-channel based instruction disassembly has been proposed as a low-cost and non-invasive approach for security applications such as IP infringement detection, code flow analysis, malware detection, and reconstructing unknown code from obsolete systems. However, existing approaches to side-channel based disassembly rely on setups to collect and process side-channel traces that make them impractical for real-time applications. In addition, they rely on fixed classifiers that cannot adapt to statistical deviations in side-channels caused by different operating environments. In this article, we advance the state of the art in side-channel based disassembly in multiple ways. First, we introduce a new miniature platform, RASCv3, that can simultaneously collect power and EM measurements from a target device and subsequently process them for instruction disassembly in real time. Second, we devise a new approach to combine and select features from power and EM traces using information theory that improves classification accuracy and avoids the curse of dimensionality. Third, we explore covariate shift adjustment techniques that further improve accuracy over time and in response to statistical changes. The proposed methodology is demonstrated on six benchmarks, and the recognition rates of offline and real-time instruction disassemblers are compared for single- and multi-modal cases with a variety of classifiers and over time. Since the proposed approach is only applied to an 8-bit Arduino UNO, we also discuss challenges of extending to more complex targets.

Cryptography and Security

Yongping Luo,Yuchun Ma,Qiang Wu

DOI: https://doi.org/10.2991/csss-14.2014.42

2014-01-01

Abstract:In the work flow of embedded systems, processor design is the critical technology to directly affect the performance of whole system. In this process, instruction mapping is responsible for identifying the portions of target application program which match with custom instruction (CI) and implementing code generation for extension processor. However, traditional instruction mapping approaches would not consider the problem of mapping safety so that the mapping result is not reliable. In addition, as target applications get more complex, the drawback of large time cost makes embedded system less efficient. In this paper, we build safety check to ensure that the matched subgraphs can really be executed by hardware accelerator. And we propose an efficient matching method according the logic information of application program to reduce matching time and search space. For overlapping matched subgraphs, we also build up Maximal Weight Independent Set-based model to obtain better speed-up of extension processor and the experiment results show the superiority of our method.

Hongjun Dai,Chao Yan,Bin Gong,Zhun Yang,Tianzhou Chen

DOI: https://doi.org/10.1109/hpcc-css-icess.2015.234

2015-01-01

Abstract:Previous strategies for instruction level temporal redundancy in super-scalar out-of-order processors have up to 45% performance degradation in certain applications compared to normal execution. The reason is that the redundant workload slows down the normal execution. Solutions are proposed to avoid certain redundant execution by reusing the result of the previously executed instructions. But there are still limitations on the instruction level parallelism and the pipeline throughput. This paper proposes a novel technique to recover the performance gap between instruction level temporal redundancy and normal execution. We present micro-architectural extensions necessary for implementing the reliability prediction and integrating it with the issue logic of a dual instruction stream superscalar core, and conduct extensive evaluations to demonstrate how well it can solve the performance problem. Experiments show that in average it can gain back nearly 71.13% of the overall IPC loss caused by redundant execution.

Ping Chen,Hao Han,Yi Wang,Xiaobin Shen,Xinchun Yin,Bing Mao,Li Xie

DOI: https://doi.org/10.1007/978-3-642-11145-7_26

2009-01-01

Abstract:Recently, Integer bugs have been increasing sharply and become the notorious source of bugs for various serious attacks. In this paper, we propose a tool, IntFinder, which can automatically detect Integer bugs in a x86 binary program. We implement IntFinder based on a combination of static and dynamic analysis. First, IntFinder decompiles a x86 binary code, and creates the suspect instruction set. Second, IntFinder dynamically inspects the instructions in the suspect set and confirms which instructions are actual Integer bugs with the error-prone input. Compared with other approaches, IntFinder provides more accurate and sufficient type information and reduces the instructions which will be inspected by static analysis. Experimental results are quite encouraging: IntFinder has detected the integer bugs in several practical programs as well as one new bug in slocate-2.7, and it achieves a low false positives and negatives.

JIANG Hai-tao,XU Yun,LIAO Yin,JIN Guo-jie,CHEN Guo-liang

DOI: https://doi.org/10.3969/j.issn.1000-1220.2013.07.008

2013-01-01

Abstract:With the diversification of hardware platforms,software compatibility issues have become increasingly prominent.Binary translation system is the key technology to resolve this problem.Majority of the virtual machine execution time consumed in the process of finding and executing back-end instructions,so effective instruction indexing strategies can reduce the instruction addressing overhead and improve the overall efficiency of the system.Based on the statistical analysis of the back-end instruction locality,designed a level based virtual machine instruction indexing strategy w hich can fully exploit the capacity of modern computer hardw are.Based on the special locality of the virtual machine back-end instruction,this strategy uses targeted replacement algorithms to cache the back-end instructions,significantly reduces the overhead of the instruction addressing.With the help of LIIS,the back-end instruction addressing time of QEMU have been reduced by 70%,and the efficiency of full QEMU system have been improved by 15%.

Shiyao Zhou,Muhui Jiang,Weimin Chen,Hao Zhou,Haoyu Wang,Xiapu Luo

DOI: https://doi.org/10.1109/ase56229.2023.00188

2024-01-01

Abstract:WebAssembly (Wasm) runtime provides a virtual machine that can execute the WebAssembly modules and is widely used in different areas (e.g., browsers, edge computing, blockchain). Thus, the precision and reliability of the WebAssembly runtime are important and deserve our attention. To ensure the correctness and detect potential bugs in WebAssembly runtimes, we propose WADIFF, a differential testing framework, which consists of a sufficient test case generator and a deterministic differential testing engine. To evaluate the effectiveness of WADIFF, we apply it to seven popular WebAssembly runtimes and found 417 inconsistent instructions due to bugs and different implementations in the runtimes. Furthermore, we identify 21 bugs from 7 WebAssembly runtimes, and 8 of them are confirmed by their developers.