Finding and mitigating security vulnerabilities in Arm devices is the next critical internet security frontier - Arm processors are already in use by more than 90% of all mobile devices, billions of Internet of Things (IoT) devices, and a growing number of current laptops from companies including Microsoft, Lenovo, and Apple. Written by a leading expert on Arm security, Blue Fox: Arm Assembly Internals and Reverse Engineering introduces readers to modern Armv8-A instruction sets and the process of reverse-engineering Arm binaries for security research and defensive purposes.
Divided into two sections, the book first provides an overview of the ELF file format and OS internals, followed by Arm architecture fundamentals, and a deep-dive into the A32 and A64 instruction sets. Section Two delves into the process of reverse-engineering itself: setting up an Arm environment, an introduction to static and dynamic analysis tools, and the process of extracting and emulating firmware for analysis. The last chapter provides the reader a glimpse into macOS malware analysis of binaries compiled for the Arm-based M1 SoC. Throughout the book, the reader is given an extensive understanding of Arm instructions and control-flow patterns essential for reverse engineering software compiled for the Arm architecture. Providing an in-depth introduction into reverse-engineering for engineers and security researchers alike, this book: - Offers an introduction to the Arm architecture, covering both AArch32 and AArch64 instruction set states, as well as ELF file format internals - Presents in-depth information on Arm assembly internals for reverse engineers analyzing malware and auditing software for security vulnerabilities, as well as for developers seeking detailed knowledge of the Arm assembly language - Covers the A32/T32 and A64 instruction sets supported by the Armv8-A architecture with a detailed overview of the most common instructions and control flow patterns - Introduces known reverse engineering tools used for static and dynamic binary analysis - Describes the process of disassembling and debugging Arm binaries on Linux, and using common disassembly and debugging tools
Blue Fox: Arm Assembly Internals and Reverse Engineering is a vital resource for security researchers and reverse engineers who analyze software applications for Arm-based devices at the assembly level.
Table of Contents
Introduction xxi
Part I Arm Assembly Internals 1
Chapter 1 Introduction to Reverse Engineering 3
Introduction to Assembly 3
Bits and Bytes 3
Character Encoding 5
Machine Code and Assembly 6
Assembling 9
Cross- Assemblers 13
High- Level Languages 15
Disassembling 16
Decompilation 17
Chapter 2 ELF File Format Internals 21
Program Structure 21
High- Level vs. Low- Level Languages 22
The Compilation Process 24
Cross- Compiling for Other Architectures 25
Assembling and Linking 27
The ELF File Overview 30
The ELF File Header 31
The ELF File Header Information Fields 32
The Target Platform Fields 33
The Entry Point Field 34
The Table Location Fields 34
ELF Program Headers 34
The PHDR Program Header 36
The INTERP Program Header 36
The LOAD Program Headers 36
The DYNAMIC Program Header 37
The NOTE Program Header 37
The TLS Program Header 38
The GNU_EH_FRAME Program Header 38
The GNU_STACK Program Header 39
The GNU_RELRO Program Header 41
ELF Section Headers 43
The ELF Meta- Sections 45
The String Table Section 46
The Symbol Table Section 46
The Main ELF Sections 46
The .text Section 47
The .data Section 47
The .bss Section 47
The .rodata Section 47
The .tdata and .tbss Sections 48
Symbols 48
Global vs. Local Symbols 50
Weak Symbols 50
Symbol Versions 51
Mapping Symbols 51
The Dynamic Section and Dynamic Loading 52
Dependency Loading (NEEDED) 53
Program Relocations 54
Static Relocations 55
Dynamic Relocations 56
The Global Offset Table (GOT) 57
The Procedure Linkage Table (PLT) 57
The ELF Program Initialization and Termination Sections 58
Initialization and Termination Order 60
Thread- Local Storage 60
The Local- Exec TLS Access Model 65
The Initial- Exec TLS Access Model 65
The General- Dynamic TLS Access Model 66
The Local- Dynamic TLS Access Model 67
Chapter 3 OS Fundamentals 69
OS Architecture Overview 69
User Mode vs. Kernel Mode 70
Processes 70
System Calls 72
Objects and Handles 77
Threads 79
Process Memory Management 80
Memory Pages 82
Memory Protections 82
Anonymous and Memory- Mapped Memory 84
Memory- Mapped Files and Modules 84
Address Space Layout Randomization 87
Stack Implementations 90
Shared Memory 91
Chapter 4 The Arm Architecture 93
Architectures and Profiles 93
The Armv8- A Architecture 95
Exception Levels 96
Armv8- A TrustZone Extension 97
Exception Level Changes 99
Armv8- A Execution States 101
The AArch64 Execution State 102
The A64 Instruction Set 103
AArch64 Registers 104
The Program Counter 106
The Stack Pointer 107
The Zero Register 107
The Link Register 108
The Frame Pointer 109
The Platform Register (x18) 109
The Intraprocedural Call Registers 110
SIMD and Floating- Point Registers 110
System Registers 111
PSTATE 112
The AArch32 Execution State 114
A32 and T32 Instruction Sets 114
The A32 Instruction Set 114
The T32 Instruction Set 115
Switching Between Instruction Sets 115
AArch32 Registers 118
The Program Counter 119
The Stack Pointer 120
The Frame Pointer 120
The Link Register 121
The Intraprocedural Call Register (IP, r12) 121
The Current Program Status Register 121
The Application Program Status Register 122
The Execution State Registers 124
The Instruction Set State Register 124
The IT Block State Register (ITSTATE) 125
Endianness state 126
Mode and Exception Mask Bits 126
Chapter 5 Data Processing Instructions 129
Shift and Rotate Operations 131
Logical Shift Left 132
Logical Shift Right 133
Arithmetic Shift Right 133
Rotate Right 134
Rotate Right with Extend 134
Instruction Forms 135
Shift by a Constant Immediate Form 136
Shift by Register Form 138
Bitfield Manipulation Operations 140
Bitfield Move 141
Sign- and Zero- Extend Operations 145
Bitfield Extract and Insert 150
Logical Operations 153
Bitwise AND 153
The TST Instruction 154
Bitwise Bit Clear 155
Bitwise OR 155
Bitwise OR NOT 156
Bitwise Exclusive OR 158
The TEQ instruction 158
Exclusive OR NOT 159
Arithmetic Operations 159
Addition and Subtraction 159
Reverse Subtract 161
Compare 162
CMP Instruction Operation Behavior 163
Multiplication Operations 165
Multiplications on A64 166
Multiplications on A32/T32 167
Least Significant Word Multiplications 169
Most Significant Word Multiplications 171
Halfword Multiplications 173
Vector (Dual) Multiplications 176
Long (64- Bit) Multiplications 179
Division Operations 186
Move Operations 187
Move Constant Immediate 188
Move Immediate and MOVT on A32/T32 188
Move Immediate, MOVZ, and MOVK on A64 189
Move Register 190
Move with NOT 192
Chapter 6 Memory Access Instructions 195
Instructions Overview 195
Addressing Modes and Offset Forms 197
Offset Addressing 200
Constant Immediate Offset 201
Register Offsets 207
Pre- Indexed Mode 209
Pre- Indexed Mode Example 210
Post- Indexed Addressing 212
Post- Indexed Addressing Example 213
Literal (PC- Relative) Addressing 214
Loading Constants 215
Loading an Address into a Register 218
Load and Store Instructions 222
Load and Store Word or Doubleword 222
Load and Store Halfword or Byte 224
Example Using Load and Store 226
Load and Store Multiple (A32) 228
Example for STM and LDM 235
A More Complicated Example Using STM and LDM 237
Load and Store Pair (A64) 238
Chapter 7 Conditional Execution 243
Conditional Execution Overview 243
Conditional Codes 244
The NZCV Condition Flags 245
Signed vs. Unsigned Integer Overflows 246
Condition Codes 248
Conditional Instructions 249
The If- Then (IT) Instruction in Thumb 250
Flag- Setting Instructions 252
The Instruction “S” Suffix 253
The S Suffix on Add and Subtract Instructions 253
The S Suffix on Logical Shift Instructions 256
The S Suffix on Multiply Instructions 257
The S Suffix on Other Instructions 257
Test and Comparison Instructions 257
Compare (CMP) 258
Compare Negative (CMN) 260
Test Bits (TST) 261
Test Equality (TEQ) 264
Conditional Select Instructions 265
Conditional Comparison Instructions 268
Boolean AND Conditionals Using CCMP 269
Boolean OR Conditionals Using CCMP 272
Chapter 8 Control Flow 275
Branch Instructions 275
Conditional Branches and Loops 277
Test and Compare Branches 281
Table Branches (T32) 282
Branch and Exchange 284
Subroutine Branches 288
Functions and Subroutines 290
The Procedure Call Standard 291
Volatile vs. Nonvolatile Registers 293
Arguments and Return Values 293
Passing Larger Values 295
Leaf and Nonleaf Functions 298
Leaf Functions 298
Nonleaf Functions 299
Prologue and Epilogue 299
Part II Reverse Engineering 305
Chapter 9 Arm Environments 307
Arm Boards 308
Emulation with QEMU 310
QEMU User- Mode Emulation 310
QEMU Full- System Emulation 314
Firmware Emulation 315
Chapter 10 Static Analysis 321
Static Analysis Tools 322
Command- Line Tools 322
Disassemblers and Decompilers 322
Binary Ninja Cloud 323
Call- By- Reference Example 328
Control Flow Analysis 334
Main Function 336
Subroutine 336
Converting to char 341
if Statement 343
Quotient Division 345
for Loop 347
Analyzing an Algorithm 349
Chapter 11 Dynamic Analysis 363
Command- Line Debugging 364
GDB Commands 365
GDB Multiuser 366
GDB Extension: GEF 368
Installation 369
Interface 370
Useful GEF Commands 370
Examine Memory 374
Watch Memory Regions 376
Vulnerability Analyzers 377
checksec 379
Radare2 381
Debugging 382
Remote Debugging 385
Radare2 386
IDA Pro 388
Debugging a Memory Corruption 390
Debugging a Process with GDB 398
Chapter 12 Reversing arm64 macOS Malware 405
Background 406
macOS arm64 Binaries 407
macOS Hello World (arm64) 410
Hunting for Malicious arm64 Binaries 413
Analyzing arm64 Malware 419
Anti- Analysis Techniques 420
Anti- Debugging Logic (via ptrace) 421
Anti- Debugging Logic (via sysctl) 425
Anti- VM Logic (via SIP Status and the Detection of VM Artifacts) 429
Conclusion 435
Index 437