TRIAGING CRASHES WITH BACKWARD TAINT ANALYSIS FOR ARM ARCHITECTURE presented at BlackHatEU 2015

by Dongwoo Kim, Sangwho Kim,

Summary : We have developed a set of tools for analyzing crashes that occur on Linux OS and ARM architecture to determine exploitability with taint analysis for practical use. For the analysis, Dynamic Binary Instrumentation (DBI) is required to extract context information of each instruction at runtime. Unfortunately, most existing DBI tools have been developed for x86 architecture. Therefore, we have developed a dedicated tool called ARM-Tracer based on ptrace system call. ARM-Tracer can dynamically trace a specific thread in the multi-threaded environment and generate a trace log until the target gets crashed. Then, the trace log is analyzed by another tool that we have developed to perform the backward taint analysis on Desktop for efficiency. The tool is named ARM-Analyzer, a stand-alone GUI application developed in C# language, which lets us know whether the crash is affected by the input data. For this, we analyzed ARM instructions to identify taint objects of each instruction.
During this talk, we will demonstrate our tools by applying them to an Android application for the crash analysis. We will also release our tools at Black Hat.