Chunqiang Li,Zhiwei Liu,Yunhai Shang,Lenian He,Xiaolang Yan

DOI: https://doi.org/10.1142/s0218126624502426

2024-01-01

Journal of Circuits Systems and Computers

Abstract:In the domain of process virtual machine (PVM) binary translation, the difference in address space layout between the guest program and the translated program requires the recalculation of jump instruction targets, resulting in suboptimal execution efficiency. This paper presents a novel method called SPC-Indexed Indirect Branch Hardware Cache Redirecting (SPCIC) technique. SPCIC utilizes specialized branch instruction to represent indirect branches from guest programs while frequently-used target addresses are cached in a customized hardware mapping table. When translating an indirect branch, SPCIC queries the jump target cache first to achieve a fast redirection unless the destination address is not cached. Besides, SPCIC merely falls back to the software-based remapping approach when the query fails, improving the translation efficiency to the greatest extent. SPCIC is implemented on the QEMU platform to accelerate the translation of ARM payloads into RISC-V. Experiments are carried on SPEC2006 to demonstrate the effectiveness of SPCIC for reducing the runtime overhead of indirect branch translation. The experimental results indicate up to 11% average improvement and 35% maximum improvement are obtained on the selected benchmark.

Muhui Jiang,Xiaoye Zheng,Rui Chang,Yajin Zhou,Xiapu Luo

DOI: https://doi.org/10.1109/tse.2024.3406900

IF: 7.4

2024-01-01

IEEE Transactions on Software Engineering

Abstract:Emulators are commonly employed to construct dynamic analysis frameworks due to their ability to perform fine-grained tracing, monitor full system functionality, and run on diverse operating systems and architectures. Nonetheless, the consistency of emulators with the real devices, remains uncertain. To address this issue, our objective is to automatically identify inconsistent instructions that exhibit different behavior between emulators and real devices across distinct privileges, including user-level and system-level privilege.We target the Arm architecture, which provides machine-readable specifications. Based on the specification, we propose a sufficient test case generator by designing and implementing the first symbolic execution engine for the Arm architecture specification language (ASL). We generated 2,774,649 representative instruction streams and developed a differential testing engine, EXAMINER PRO. With this engine, we compared the behavior of real Arm devices across different instruction sets (A32, A64, T16, and T32) with the popular QEMU emulator, both at the user-level and system-level. To demonstrate the generalizability of EXAMINER PRO, we also tested two other emulators, namely Unicorn and Angr. We find that undefined implementation in Arm manual and bugs of emulators are the major causes of inconsistencies. Furthermore, we discover 17 bugs, which influence commonly used instructions (e.g., BLX). With the inconsistent instructions, we build three security applications and demonstrate the capability of these instructions on detecting emulators, anti-emulation, and anti-fuzzing.

Guang Wang,Ziyuan Zhu,Shuan Li,Xu Cheng,Dan Meng

DOI: https://doi.org/10.1109/iccd53106.2021.00040

2021-01-01

Abstract:The instruction decoders are tools for software analysis, sandboxing, malware detection, and undocumented instructions detection. The decoders must be accurate and consistent with the instruction set architecture manuals. The existing testing methods for instruction decoders are based on random and instruction structure mutation. Moreover, the methods are mainly aimed at the legal instruction space. However, there is little research on whether the instructions in the reserved instruction space can be accurately identified as invalid instructions. We propose an instruction operand inferring algorithm, based on the depth-first search algorithm, to skip considerable redundant legal instruction space. The algorithm keeps the types of instructions in the legal instruction space unchanged and guarantees the traversal of the reserved instruction space. In addition, we propose a differential testing method that discovers decoding discrepancies between instruction decoders. We applied the method to XED and Capstone and found four million inconsistent instructions between them. Compared with the existing instruction generation method based on the depth-first search algorithm, the efficiency of our method is improved by about four times.

Yuze Wang,Peng Liu,Weidong Wang,Xiaohang Wang,Yingtao Jiang

DOI: https://doi.org/10.1109/tc.2021.3097174

IF: 3.183

2021-01-01

IEEE Transactions on Computers

Abstract:One major security vulnerability of a microprocessor can be attributed to its underlying instruction set architecture (ISA). Generally, it is required that no secret instructions be included in the ISA or implemented in the processor micro-architecture. Such a requirement is particularly important for the reduced instruction set computing (RISC) processors that are widely used nowadays, and applying the proposed consistency testing approach is poised to ensure this requirement is met. Capable of revealing any possible dark instructions (i.e., executable instructions but without clear definitions of their behavior) in RISC processors, a consistency test comes in three phases. During the generation phase, based on the instruction set encoding rules, all the undefined instructions are generated. Even with a smaller test space, this step guarantees the test coverage needed to reveal all the dark instructions that may exist. In the next phase, all the undefined instructions obtained from the previous phase are executed on the processor under test, following a set of persistence strategies; any instruction exhibiting unusual execution result will be deemed suspicious and recorded so. During the last analysis phase, each of those recorded suspicious instructions will be checked and analyzed to decide whether it truly constitutes a dark instruction. We have applied the proposed testing model and strategy to several RISC processors and found that all of them have a few dark instructions previously unknown. The potential vulnerabilities of these processors introduced by their respective dark instructions have thus been evaluated and exposed.

engineering, electrical & electronic,computer science, hardware & architecture

Yuze Wang,Peng Liu,Weidong Wang,Xiaohang Wang,Yingtao Jiang

DOI: https://doi.org/10.1109/tc.2021.3097174

IF: 3.183

2021-01-01

IEEE Transactions on Computers

Abstract:One major security vulnerability of a microprocessor can be attributed to its underlying instruction set architecture (ISA). Generally, it is required that no secret instructions be included in the ISA or implemented in the processor micro-architecture. Such a requirement is particularly important for the reduced instruction set computing (RISC) processors that are widely used nowadays, and applying the proposed consistency testing approach is poised to ensure this requirement is met. Capable of revealing any possible dark instructions (i.e., executable instructions but without clear definitions of their behavior) in RISC processors, a consistency test comes in three phases. During the generation phase, based on the instruction set encoding rules, all the undefined instructions are generated. Even with a smaller test space, this step guarantees the test coverage needed to reveal all the dark instructions that may exist. In the next phase, all the undefined instructions obtained from the previous phase are executed on the processor under test, following a set of persistence strategies; any instruction exhibiting unusual execution result will be deemed suspicious and recorded so. During the last analysis phase, each of those recorded suspicious instructions will be checked and analyzed to decide whether it truly constitutes a dark instruction. We have applied the proposed testing model and strategy to several RISC processors and found that all of them have a few dark instructions previously unknown. The potential vulnerabilities of these processors introduced by their respective dark instructions have thus been evaluated and exposed.

Guang Wang,Ziyuan Zhu,Xu Cheng,Dan Meng

DOI: https://doi.org/10.1109/iccd56317.2022.00075

2022-01-01

Abstract:Instruction disassemblers can be used for software reverse engineering, malware analysis, and undocumented instructions detection. However, flaws in the disassemblers directly affect the accuracy of its related applications. For example, if the disassembler fails to decode or misdecodes the binary code of malware, the reverse engineers may misinterpret the functionality of the malware. Therefore, it is necessary to systematically test the disassemblers. Existing works leverage the depth-first search (DFS) algorithm to search the x86 instruction space. However, they cannot cover all x86 instruction opcodes and register operands. The root cause is that existing DFS algorithms cannot guarantee the search depth for some instruction space. We proposed an approach, named FedDFS, to improve the search depth of DFS algorithm. We analyzed the x86 instruction formats and summarized the essential search depth for each instruction format. We leveraged a feedback controlled DFS algorithm, which is controlled by comparing its search depth with essential search depth. If FedDFS detects that search depth is smaller than essential search depth, the feedback mechanism promptly increases the search depth until it reaches the proper search depth. We evaluated FedDFS on disassembler Capstone and processors from Intel and AMD. The experimental results proved that, after increasing the search depth, FedDFS does improve the coverage of x86 instruction opcodes and register operands. FedDFS tested trillions of instructions and found more instruction flaws in Capstone, which of them can only be found by FedDFS.

Anirban Chakraborty,Nimish Mishra,Debdeep Mukhopadhyay

2024-06-15

Abstract:Transient execution attacks have been one of the widely explored microarchitectural side channels since the discovery of Spectre and Meltdown. However, much of the research has been driven by manual discovery of new transient paths through well-known speculative events. Although a few attempts exist in literature on automating transient leakage discovery, such tools focus on finding variants of known transient attacks and explore a small subset of instruction set. Further, they take a random fuzzing approach that does not scale as the complexity of search space increases. In this work, we identify that the search space of bad speculation is disjointedly fragmented into equivalence classes, and then use this observation to develop a framework named Shesha, inspired by Particle Swarm Optimization, which exhibits faster convergence rates than state-of-the-art fuzzing techniques for automatic discovery of transient execution attacks. We then use Shesha to explore the vast search space of extensions to the x86 Instruction Set Architecture (ISAs), thereby focusing on previously unexplored avenues of bad speculation. As such, we report five previously unreported transient execution paths in Instruction Set Extensions (ISEs) on new generation of Intel processors. We then perform extensive reverse engineering of each of the transient execution paths and provide root-cause analysis. Using the discovered transient execution paths, we develop attack building blocks to exhibit exploitable transient windows. Finally, we demonstrate data leakage from Fused Multiply-Add instructions through SIMD buffer and extract victim data from various cryptographic implementations.

Cryptography and Security

Yesheng Zhi,Yuanyuan Zhang,Juanru Li,Dawu Gu

DOI: https://doi.org/10.1007/978-3-319-59288-6_47

2016-01-01

Abstract:Security testing of software on embedded devices is often impeded for lacking advanced program analysis tools. The main obstacle is that state-of-the-art tools do not support the instruction set of common architectures of embedded device (e.g., MIPS). It requires either developing new program analysis tool aiming to architecture or introducing many manual efforts to help security testing. However, re-implementing a program analysis tool needs considerable amount of time and is generally a repetitive task. To address this issue efficiently, our observation is that most programs on embedded devices are compiled from source code of high level languages, and it is feasible to compile the same source code to different platforms. Therefore, it is also expected to directly translate the compiled executable to support another platform. This paper presents a binary translation based security testing approach for software on embedded devices. Our approach first translates a MIPS executable to an x86 executable leveraging the LLVM-IR, then reuses existing x86 program analysis tools to help employ in-depth security testing. This approach is not only efficient for it reuses existing tools and utilizes the x86 platform with higher performance to conduct security analysis and testing, but also more flexible for it can test code fragment with different levels of granularity (e.g., a function or an entire program). Our evaluation on frequently used data transformation algorithms and utilities illustrates the accuracy and efficiency of the proposed approach.

Zhijiao Zhang,Yashuai Lü,Yu Chen,Yongqiang Lu,Yuanchun Shi

DOI: https://doi.org/10.1007/978-3-319-18467-8_29

2015-01-01

Abstract:Recently, code-reuse attack (CRA) is becoming the most prevalent attack vector which reuses fragments of existing code to make up malicious code. Recent studies show that CRAs especially jump-oriented programming (JOP) attacks are hard and costly to detect and protect from, especially on CISC processors. One reason for this is that the instructions of CISC architecture are of variable-length, and lots of unintended but legal instructions can be exploited by starting from in the middle of a legal instruction. This feature of CISC architectures makes the finding of so called gadgets for CRAs is much easier than that of RISC architectures. Most of previous studies for mitigating CRA on CISC processors rely on software-only means to tackle the unintended instruction problem, which makes their approaches either very costly or can only be applied under restricted conditions. In this paper, we propose two hardware supported techniques. The first, which is the main contribution of this paper, is to eliminate the execution of an unintended instruction. This technique only requires a few modifications to the processor and operating system. Furthermore, the proposed mechanism has little performance impact on the examined SPEC CPU 2006 benchmarks (-0.093% similar to 2.993%). Second, we propose using hardware control-flow locking as a complementary technique to our protection mechanism. By using the two techniques together, an attacker will have little chance to carry out CRAs on a CISC processor.

Shisong Qin,Chao Zhang,Kaixiang Chen,Zheming Li

DOI: https://doi.org/10.1145/3460319.3464842

2021-01-01

Abstract:ARM has become the most competitive processor architecture. Many platforms or tools are developed to execute or analyze ARM instructions, including various commercial CPUs, emulators, and binary analysis tools. However, they have deviations when processing the same ARM instructions, and little attention has been paid to systematically analyze such semantic deviations, not to mention the security implications of such deviations. In this paper, we conduct an empirical study on the ARM Instruction Semantic Deviation (ISDev) issue. First, we classify this issue into several categories and analyze the security implications behind them. Then, we further demonstrate several novel attacks which utilize the ISDev issue, including stealthy targeted attacks and targeted defense evasion. Such attacks could exploit the semantic deviations to generate malware that is specific to certain platforms or able to detect and bypass certain detection solutions. We have developed a framework iDEV to systematically explore the ISDev issue in existing ARM instructions processing tools and platforms via differential testing. We have evaluated iDEV on four hardware devices, the QEMU emulator, and five disassemblers which could process the ARMv7-A instruction set. The evaluation results show that, over six million instructions could cause dynamic executors (i.e., CPUs and QEMU) to present different runtime behaviors, and over eight million instructions could cause static disassemblers yielding different decoding results, and over one million instructions cause inconsistency between dynamic executors and static disassemblers. After analyzing the root causes of each type of deviation, we point out they are mostly due to ARM unpredictable instructions and program defects.

Haibo Chen,Xi Wu,Liwei Yuan,Binyu Zang,Pen-chung Yew,Frederic T. Chong

DOI: https://doi.org/10.1109/isca.2008.18

2008-01-01

Abstract:Dynamic information flow tracking (also known as taint tracking) is an appealing approach to combat various security attacks. However, the performance of applications can severely degrade without hardware support for tracking taints. This paper observes that information flow tracking can be efficiently emulated using deferred exception tracking in microprocessors supporting speculative execution. Based on this observation, we propose SHIFT, a low-overhead, software-based dynamic information flow tracking system to detect a wide range of attacks. The key idea is to treat tainted state (describing untrusted data) as speculative state (describing deferred exceptions). SHIFT leverages existing architectural support for speculative execution to track tainted state in registers and needs to instrument only load and store instructions to track tainted state in memory using a bitmap, which results in significant performance advantages. Moreover, by decoupling mechanisms for taint tracking from security policies, SHIFT can detect a wide range of exploits, including high-level semantic attacks. We have implemented SHIFT using the Itanium processor, which has support for deferred exceptions, and by modifying GCC to instrument loads and stores. A security assessment shows that SHIFT can detect both low-level memory corruption exploits as well as high-level semantic attacks with no false positives. Performance measurements show that SHIFT incurs about 1% overhead for server applications. The performance slowdown for SPEC-INT2000 is 2.81X and 2.27X for tracking at byte-level and wordlevel respectively. Minor architectural improvements to the Itanium processor (adding three simple instructions) can reduce the performance slowdown down to 2.32X and 1.8X for byte-level and word-level tracking, respectively.

Yu-Ping Liu,Ding-Yong Hong,Jan-Jan Wu,Sheng-Yu Fu,Wei-Chung Hsu

DOI: https://doi.org/10.1145/3301488

IF: 1.444

2019-03-08

ACM Transactions on Architecture and Code Optimization

Abstract:Single instruction multiple data (SIMD) has been adopted for decades because of its superior performance and power efficiency. The SIMD capability (i.e., width, number of registers, and advanced instructions) has diverged rapidly on different SIMD instruction-set architectures (ISAs). Therefore, migrating existing applications to another host ISA that has fewer but longer SIMD registers and more advanced instructions raises the issues of asymmetric SIMD capability. To date, this issue has been overlooked and the host SIMD capability is underutilized, resulting in suboptimal performance. In this article, we present a novel binary translation technique called spill-aware superword level parallelism (saSLP), which combines short ARMv8 instructions and registers in the guest binaries to exploit the x86 AVX2 host’s parallelism, register capacity, and gather instructions. Our experiment results show that saSLP improves the performance by 1.6× (2.3×) across a number of benchmarks and reduces spilling by 97% (99%) for ARMv8 to x86 AVX2 (AVX-512) translation. Furthermore, with AVX2 (AVX-512) gather instructions, saSLP speeds up several data-irregular applications that cannot be vectorized on ARMv8 NEON by up to 3.9× (4.2×).

computer science, theory & methods, hardware & architecture

Congcong Chen,Jinhua Cui,Jiliang Zhang

2024-10-22

Abstract:Modern processor advancements have introduced security risks, particularly in the form of microarchitectural timing attacks. High-profile attacks such as Meltdown and Spectre have revealed critical flaws, compromising the entire system's security. Recent black-box automated methods have demonstrated their advantages in identifying these vulnerabilities on various commercial processors. However, they often focus on specific attack types or incorporate numerous ineffective test cases, which severely limits the detection scope and efficiency. In this paper, we present BETA, a novel black-box framework that harnesses fuzzing to efficiently uncover multifaceted timing vulnerabilities in processors. Our framework employs a two-pronged approach, enhancing both mutation space and exploration efficiency: 1) we introduce an innovative fuzzer that precisely constrains mutation direction for diverse instruction combinations, including opcode, data, address, and execution level; 2) we develop a coverage feedback mechanism based on our instruction classification to discard potentially trivial or redundant test cases. This mechanism significantly expands coverage across a broader spectrum of instruction types. We evaluate the performance and effectiveness of BETA on four processors from Intel and AMD, each featuring distinct microarchitectures. BETA has successfully detected all x86 processor vulnerabilities previously identified by recent black-box methods, as well as 8 previously undiscovered timing vulnerabilities. BETA outperforms the existing state-of-the-art black-box methods, achieving at least 3x faster detection speed.

Cryptography and Security,Hardware Architecture

Yu Jin,Pengfei Qiu,Chunlu Wang,Yihao Yang,Dongsheng Wang,Xiaoyong Li,Qian Wang,Gang Qu

DOI: https://doi.org/10.1109/AsianHOST59942.2023.10409342

2023-01-01

Abstract:In early 2018, the Meltdown attack was reported, which steals secret data by loading and then encoding them into the cache covert channel during the invisible transient executions. After that, a set of Meltdown-type attacks are proposed; those attacks largely threaten the security of modern processors. In this study, we review Intel's x86-64 Instruction Set Architecture (ISA) and find two vulnerable instructions (CMPSB and SCASB) that can be exploited to achieve the Meltdown-type attacks with few instructions. Especially, the CMPSB instruction itself is enough to implement the core part of the Meltdowntype attacks. We design a special cache-based and Performance Monitor Unit (PMU)-based covert channel to recover the secret data for the two instructions. In our experiments, we demonstrate the availability of the two instructions by implementing the Meltdown and ZombieLoad attacks with them. Compared to the original Meltdown-type attacks, the proposed attack can be considered as an attack that does not rely on the transient executions from the perspective of the macro instruction level because no more macro instruction is executed after triggering the exception. Therefore, we name our attacks Overtake. Our experiments indicate that the average data leakage speed of Overtake attack could reach 770.1 KB/s with an error rate of 0.4 %.

Deepak Krishnankutty,Zheng Li,Ryan Robucci,Nilanjan Banerjee,Chintan Patel

DOI: https://doi.org/10.1109/tc.2020.3018092

IF: 3.183

2020-11-01

IEEE Transactions on Computers

Abstract:Embedded systems are prone to leak information via side-channels associated with their physical internal activity, such as power consumption, timing, and faults. Leaked information can be analyzed to extract sensitive data and devices should be assessed for such vulnerabilities. Side-channel power-supply leakage from embedded devices can also provide information regarding instruction-level activity for control code executed on these devices. Methods proposed to disassemble instruction-level activity via side-channel leakage have not addressed issues related to pipelined multi-clock-cycle architectures, nor have proven robustness or reliability. The problem of detecting malicious code modifications while not obstructing the sequence of instructions being executed needs to be addressed. In this article, instruction sequences being executed on a general-purpose pipelined computing platform are identified and instructions that make up these sequences are classified based on hardware utilization. Individual instruction classification results using a fine-grained classifier is also presented. A dynamic programming algorithm was applied to detect the boundaries of instructions in a sequence with a 100 percent accuracy. A unique aspect of this technique is the use of multiple power supply pin measurements to increase precision and accuracy. To demonstrate the robustness of this technique, power leakage data from ten target FPGAs programmed with a prototype of the pipelined architecture was analyzed and classification accuracies averaging 99 percent were achieved with instructions labeled based on hardware utilization. Individual instruction classification accuracies above 90 percent were achieved using a fine-grained classifier. Classification accuracies were also verified when a target FPGA was subjected to different controlled temperatures. The classification accuracies on discrete (ASIC) pipelined-architecture microcontrollers was 97 percent.

engineering, electrical & electronic,computer science, hardware & architecture

Haibo Chen,Xi Wu,Liwei Yuan,Binyu Zang,Pen-chung Yew,Frederic T. Chong

DOI: https://doi.org/10.1145/1394608.1382156

2008-01-01

ACM SIGARCH Computer Architecture News

Abstract:Dynamic information flow tracking (also known as taint tracking) is an appealing approach to combat various security attacks. However, the performance of applications can severely degrade without hardware support for tracking taints. This paper observes that information flow tracking can be efficiently emulated using deferred exception tracking in microprocessors supporting speculative execution. Based on this observation, we propose SHIFT, a low-overhead, software-based dynamic information flow tracking system to detect a wide range of attacks. The key idea is to treat tainted state (describing untrusted data) as speculative state (describing deferred exceptions). SHIFT leverages existing architectural support for speculative execution to track tainted state in registers and needs to instrument only load and store instructions to track tainted state in memory using a bitmap, which results in significant performance advantages. Moreover, by decoupling mechanisms for taint tracking from security policies, SHIFT can detect a wide range of exploits, including high-level semantic attacks. We have implemented SHIFT using the Itanium processor, which has support for deferred exceptions, and by modifying GCC to instrument loads and stores. A security assessment shows that SHIFT can detect both low-level memory corruption exploits as well as high-level semantic attacks with no false positives. Performance measurements show that SHIFT incurs about 1% overhead for server applications. The performance slowdown for SPEC-INT2000 is 2.81X and 2.27X for tracking at byte-level and wordlevel respectively. Minor architectural improvements to the Itanium processor (adding three simple instructions) can reduce the performance slowdown down to 2.32X and 1.8X for byte-level and word-level tracking, respectively.

Chang Liu,Dongsheng Wang,Yongqiang Lyu,Pengfei Qiu,Yu Jin,Zhuoyuan Lu,Yinqian Zhang,Gang Qu

DOI: https://doi.org/10.1109/hpca57654.2024.00014

2024-01-01

Abstract:This paper presents a comprehensive investigation into the security vulnerabilities associated with speculative memory access on AMD processors. Firstly, employing novel reverse engineering techniques, our study uncovers two key predictors, namely the Predictive Store Forwarding Predictor (PSFP) and the Speculative Store Bypass Predictor (SSBP), along with elucidating their internal structures and state machine designs. Secondly, our research empirically confirms that these predictors can be deliberately manipulated and altered during transient execution, resulting in secret leakage across security domains. Leveraging these discoveries, we propose innovative attacks targeting these predictors, including an out-of-place variant of Spectre-STL and an entirely new form of Spectre attack named Spectre-CTL. Finally, we establish experimentally that enabling Speculative Store Bypass Disable alleviates the vulnerabilities. However, this comes at the expense of significant performance degradation.

Wei Song,Jiameng Ying,Sihao Shen,Boya Li,Hao Ma,Peng Liu

DOI: https://doi.org/10.48550/arXiv.2111.14072

2021-11-28

Abstract:Memory safety remains a critical and widely violated property in reality. Numerous defense techniques have been proposed and developed but most of them are not applied or enabled by default in production-ready environment due to their substantial running cost. The situation might change in the near future because the hardware supported defenses against these attacks are finally beginning to be adopted by commercial processors, operating systems and compilers. We then face a question as there is currently no suitable test suite to measure the memory safety extensions supported on different processors. In fact, the issue is not constrained only for memory safety but all aspect of processor security. All of the existing test suites related to processor security lack some of the key properties, such as comprehensiveness, distinguishability and portability. As an initial step, we propose an expandable test framework for measuring the processor security and open source a memory safety test suite utilizing this framework. The framework is deliberately designed to be flexible so it can be gradually extended to all types of hardware supported security extensions in processors. The initial test suite for memory safety currently contains 160 test cases covering spatial and temporal safety of memory, memory access control, pointer integrity and control-flow integrity. Each type of vulnerabilities and their related defenses have been individually evaluated by one or more test cases. The test suite has been ported to three different instruction set architectures (ISAs) and experimented on six different platforms. We have also utilized the test suite to explore the security benefits of applying different sets of compiler flags available on the latest GNU GCC and LLVM compilers.

Cryptography and Security,Hardware Architecture

Ting Chen,Wanyu Huang,Muhui Jiang,Xiapu Luo,Lei Xue,Ying Wang,Xiaosong Zhang

DOI: https://doi.org/10.1109/COMPSAC.2018.00044

2018-01-01

Abstract:CPU cache misses and branch mispredictions waste CPU cycles and affect program performance. Such software inefficiencies could be neither eliminated by existing compilers nor avoided by developers. In this paper, we propose a novel approach, named PERDICE, to automatically discover such performance bugs by leveraging concolic execution. PERDICE adopts a new path exploration algorithm to discover such software inefficiencies. In particular, we measure performance losses in the granularity of program locations (e.g., instructions, source code lines) instead of paths to avoid getting stuck into the code without software inefficiencies. Moreover, when scoring test inputs, our new approach prefers the test inputs incurring increments in performance losses. This strategy allows PERDICE to avoid getting stuck into the software inefficiencies that have been found. We have implemented PERDICE for both PC (X86 instructions) and Android smartphones (ARM instructions). The experimental results with real-world desktop software and Android native code show that PERDICE outperforms the other four popular algorithms and PROFs (a multi-path performance profiler) in terms of the speed to discover software inefficiencies and the severity (i.e, amount of wasted CPU cycles) of inefficiencies.

Muhui Jiang,Tianyi Xu,Yajin Zhou,Yufeng Hu,Ming Zhong,Lei Wu,Xiapu Luo,Kui Ren

DOI: https://doi.org/10.48550/arXiv.2105.14273

2021-08-12

Abstract:Emulator is widely used to build dynamic analysis frameworks due to its fine-grained tracing capability, full system monitoring functionality, and scalability of running on different operating systemsand architectures. However, whether the emulator is consistent with real devices is unknown. To understand this problem, we aim to automatically locate inconsistent instructions, which behave differently between emulators and real devices. We target ARM architecture, which provides machine readable specification. Based on the specification, we propose a test case generator by designing and implementing the first symbolic execution engine for ARM architecture specification language (ASL). We generate 2,774,649 representative instruction streams and conduct differential testing with these instruction streams between four ARM real devices in different architecture versions (i.e., ARMv5, ARMv6, ARMv7-a, and ARMv8-a) and the state-of-the-art emulators (i.e., QEMU). We locate 155,642 inconsistent instruction streams, which cover 30% of all instruction encodings and 47.8% of the instructions. We find undefined implementation in ARM manual and implementation bugs of QEMU are the major causes of inconsistencies. Furthermore, we discover four QEMU bugs, which are confirmed and patched by thedevelopers, covering 13 instruction encodings including the most commonly used ones (e.g.,STR,BLX). With the inconsistent instructions, we build three security applications and demonstrate thecapability of these instructions on detecting emulators, anti-emulation, and anti-fuzzing.

Cryptography and Security