Shellcodes for ARM: Your Pills Don’t Work on Me, x86 (presented at HackInTheBox 2014)

by Svetlana Gaivoronski and Ivan Petrov

Summary: Although it is almost 2014, shellcode detection, a problem first posed in 1999, remains a challenge for researchers in both industry and academia. Remotely exploitable vulnerabilities are not losing significance: their number continues to grow despite considerable investment in code quality through code analysis tools, code review, and a plethora of testing methods.
The other trend of recent years is the proliferation of ARM-based devices such as mobile phones and tablets. The number of ARM-based devices now exceeds the number of PCs several times over. This trend is at times alarming, since people entrust almost every aspect of their lives to such devices and care far more about convenience than about the security of their data. A mobile phone, for example, now holds its owner's financial information, health records, and a great deal of other private data. That is why ARM-based systems have become a prime target for attackers.
A variety of shellcode detection methods work more or less well on x86 shellcode, and there are even hybrid solutions that combine the capabilities of several existing approaches. Unfortunately, almost all of them rely on a fixed set of shellcode features that are specific to the x86 architecture. This work aims to close that gap and makes the following contributions:
- We analyze existing shellcode detection methods with regard to their applicability to shellcode written for the ARM architecture. We show that most existing algorithms are not applicable to ARM shellcode, and that the methods which do work on ARM shellcode produce too many false positives to be usable on real-life network channels or for 0-day detection.
- We analyzed the ARM shellcodes available in public exploit databases and identified a set of ARM shellcode features that distinguish them from both x86 shellcode and benign binaries.
- We implemented detectors for these ARM shellcode features as an extension of the open-source Demorpheus shellcode detection library. The algorithm used to generate the detectors' topology guarantees that the resulting solution is optimal in terms of computational complexity and false positive rate.