IEEE Access (Jan 2018)

REPICA: Rewriting Position Independent Code of ARM

  • Dongsoo Ha,
  • Wenhui Jin,
  • Heekuck Oh

DOI
https://doi.org/10.1109/ACCESS.2018.2868411
Journal volume & issue
Vol. 6
pp. 50488 – 50509

Abstract


Binary rewriting techniques are widely used in program vulnerability fixing, obfuscation, security-oriented transforming, and other purposes, such as binary profiling and optimization. Over the past decade, most binary instrumentation techniques have been studied on the x86 architecture, specifically focusing on the challenges of instrumenting non-PIC (non-position-independent code). In contrast, the ARM architecture has received little attention, and statically instrumenting PIC has not been studied in depth. In ARM, owing to its fixed-length instructions, addresses are frequently computed in multiple stages, making it difficult to handle all relative addresses, especially those formed by base-plus-offset and base-plus-index addressing. In this paper, we present REPICA, a static binary instrumentation technique that can rewrite ARM binaries compiled in a position-independent fashion. REPICA can instrument anywhere without symbolic information. With the aim of identifying and processing relative addresses accurately, we designed a value-set analysis specialized for PIC whose domain is in symbolic format. We also identified a new challenge that arises when not all relative addresses can be corrected in an optimized way, and solved this problem efficiently by the stepwise correction of each relative address. We implemented a prototype of REPICA and experimented with approximately 1200 COTS binaries and the SPECint2006 benchmarks. The experiments showed that all binaries rewritten by REPICA maintain relative addresses correctly with negligible execution and space overhead. Finally, we demonstrate the effectiveness of REPICA by using it to implement a shadow stack.

Keywords