Examiner-Pro: Testing Arm Emulators Across Different Privileges
Emulators are commonly employed to construct dynamic analysis frameworks due to their ability to perform fine-grained tracing, monitor full system functionality, and run on diverse operating systems and architectures. Nonetheless, the consistency of emulators with the real devices remains uncertain...
Published in: | IEEE transactions on software engineering 2024-11, Vol.50 (11), p.2786-2806 |
---|---|
Main authors: | Jiang, Muhui ; Zheng, Xiaoye ; Chang, Rui ; Zhou, Yajin ; Luo, Xiapu |
Format: | Article |
Language: | eng |
Subjects: | |
Online access: | Order full text |
container_end_page | 2806 |
---|---|
container_issue | 11 |
container_start_page | 2786 |
container_title | IEEE transactions on software engineering |
container_volume | 50 |
creator | Jiang, Muhui ; Zheng, Xiaoye ; Chang, Rui ; Zhou, Yajin ; Luo, Xiapu |
description | Emulators are commonly employed to construct dynamic analysis frameworks due to their ability to perform fine-grained tracing, monitor full system functionality, and run on diverse operating systems and architectures. Nonetheless, the consistency of emulators with the real devices remains uncertain. To address this issue, our objective is to automatically identify inconsistent instructions that exhibit different behavior between emulators and real devices across distinct privileges, including user-level and system-level privilege. We target the Arm architecture, which provides machine-readable specifications. Based on the specification, we propose a sufficient test case generator by designing and implementing the first symbolic execution engine for the Arm architecture specification language (ASL). We generated 2,774,649 representative instruction streams and developed a differential testing engine, Examiner Pro. With this engine, we compared the behavior of real Arm devices across different instruction sets (A32, A64, T16, and T32) with the popular QEMU emulator, both at the user-level and system-level. To demonstrate the generalizability of Examiner Pro, we also tested two other emulators, namely Unicorn and Angr. We find that undefined implementation in Arm manual and bugs of emulators are the major causes of inconsistencies. Furthermore, we discover 17 bugs, which influence commonly used instructions (e.g., BLX). With the inconsistent instructions, we build three security applications and demonstrate the capability of these instructions on detecting emulators, anti-emulation, and anti-fuzzing. |
doi_str_mv | 10.1109/TSE.2024.3406900 |
format | Article |
fulltext | fulltext_linktorsrc |
identifier | ISSN: 0098-5589 |
ispartof | IEEE transactions on software engineering, 2024-11, Vol.50 (11), p.2786-2806 |
issn | 0098-5589 1939-3520 |
language | eng |
recordid | cdi_ieee_primary_10555543 |
source | IEEE Electronic Library (IEL) |
subjects | Computer architecture ; Computer bugs ; differential testing ; Emulator ; Emulators ; Encoding ; Engines ; Generators ; inconsistent instructions ; Specification and description languages ; Specifications ; Streams ; Testing |
title | Examiner-Pro: Testing Arm Emulators Across Different Privileges |
url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-02-09T18%3A13%3A13IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_RIE&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Examiner-Pro:%20Testing%20Arm%20Emulators%20Across%20Different%20Privileges&rft.jtitle=IEEE%20transactions%20on%20software%20engineering&rft.au=Jiang,%20Muhui&rft.date=2024-11-01&rft.volume=50&rft.issue=11&rft.spage=2786&rft.epage=2806&rft.pages=2786-2806&rft.issn=0098-5589&rft.eissn=1939-3520&rft.coden=IESEDJ&rft_id=info:doi/10.1109/TSE.2024.3406900&rft_dat=%3Cproquest_RIE%3E3127709980%3C/proquest_RIE%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=3127709980&rft_id=info:pmid/&rft_ieee_id=10555543&rfr_iscdi=true |