
ARMv8 Shellcodes from ‘A’ to ‘Z’

Conference paper. Information Security Practice and Experience (ISPEC 2016).

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10060)

Abstract

We describe a methodology to automatically turn arbitrary ARMv8 programs into alphanumeric executable polymorphic shellcodes. Shellcodes generated in this way can evade detection and bypass filters, broadening the attack surface of ARM-powered devices such as smartphones.


Notes

  1. See http://upx.sf.net.

  2. Each byte is 8 bits long.

  3. Which is 01011000001100000011000000110000 in binary. Incidentally, this instruction is alphanumeric and corresponds to the ASCII string 000X. Note the little endianness of the string.

  4. We used the options -D --architecture aarch64 --target binary.

  5. Alternatively, we could assume we were working on a Linux OS and perform the appropriate syscall, but again this instruction is not alphanumeric.

  6. Also known as the ‘effective power’ SMS exploit.

  7. Apple iOS enforces write xor exec.

References

  1. ARM Limited, 110 Fulbourn Road, Cambridge, England: ARM Architecture Reference Manual. ARMv8, for ARMv8-A architecture profile (2013)

  2. Basu, A., Mathuria, A., Chowdary, N.: Automatic generation of compact alphanumeric shellcodes for x86. In: Prakash, A., Shyamasundar, R. (eds.) ICISS 2014. LNCS, vol. 8880, pp. 399–410. Springer, Heidelberg (2014). doi:10.1007/978-3-319-13841-1_22

  3. Bellard, F.: QEMU, a fast and portable dynamic translator. In: Proceedings of the Annual Conference on USENIX Annual Technical Conference, ATEC 2005, pp. 41–41. USENIX Association, Berkeley (2005). http://dl.acm.org/citation.cfm?id=1247360.1247401

  4. Bontchev, V.: Future trends in virus writing. Int. Rev. Law Comput. Technol. 11(1), 129–146 (1997)

  5. Cristofani, D.: A universal Turing machine. http://www.hevanet.com/cristofd/brainfuck/utm.b

  6. Davi, L., Dmitrienko, A., Sadeghi, A.-R., Winandy, M.: Privilege escalation attacks on Android. In: Burmester, M., Tsudik, G., Magliveras, S., Ilić, I. (eds.) ISC 2010. LNCS, vol. 6531, pp. 346–360. Springer, Heidelberg (2011). doi:10.1007/978-3-642-18178-8_30

  7. Eller, R.: Bypassing MSB data filters for buffer overflow exploits on Intel platforms (2000). https://web.archive.org/web/20070221035114/community.core-sdi.com/~juliano/bypass-msb.txt

  8. Faase, F.: BF is Turing-complete. http://www.iwriteiam.nl/Ha_bf_Turing.html

  9. Kernighan, B.W., Ritchie, D.M.: The M4 macro processor. Bell Laboratories (1977)

  10. Mason, J., Small, S., Monrose, F., MacManus, G.: English shellcode. In: Proceedings of the 2009 ACM Conference on Computer and Communications Security, CCS 2009, Chicago, pp. 524–533 (2009)

  11. Metasploit Project: The Metasploit Framework. http://www.metasploit.com/

  12. Obscou: Building IA32 Unicode-proof shellcodes. Phrack (61) (2003). http://phrack.org/issues/61/11.html

  13. One, A.: Smashing the stack for fun and profit. Phrack (49) (1996). http://phrack.org/issues/49/14.html

  14. Qualcomm: Dragonboard 410c. https://developer.qualcomm.com/hardware/dragonboard-410c

  15. Raiter, B.: http://www.muppetlabs.com/~breadbox/bf/

  16. RIX: Writing IA32 alphanumeric shellcodes. Phrack (57) (2001). http://phrack.org/issues/57/15.html

  17. Detristan, T., Ulenspiegel, T., Malcom, Y., Von Underduk, M.S.: Polymorphic shellcode engine using spectrum analysis. Phrack (61) (2003). http://phrack.org/issues/61/9.html

  18. Tan, G., Croft, J.: An empirical security study of the native code in the JDK. In: USENIX Security Symposium, pp. 365–378 (2008)

  19. Xing, L., Bai, X., Li, T., Wang, X., Chen, K., Liao, X., Hu, S.M., Han, X.: Unauthorized cross-app resource access on Mac OS X and iOS. arXiv preprint arXiv:1505.06836 (2015)

  20. Younan, Y., Philippaerts, P.: Alphanumeric RISC ARM shellcode. Phrack (66) (2009). http://phrack.org/issues/66/12.html

  21. Younan, Y., Philippaerts, P., Piessens, F., Joosen, W., Lachmund, S., Walter, T.: Filter-resistant code injection on ARM. J. Comput. Virol. 7(3), 173–188 (2011)


Author information


Correspondence to David Naccache.


Appendices

A Source Code of Program 1

The following Haskell program generates all the possible combinations of 4 alphanumeric characters, and saves the result in a file.

figure x
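The following Python is an added example, not the paper's Haskell program: it implements the byte-level facts behind Note 3 and Appendix A (a 32-bit AArch64 instruction word such as 0x58303030 is alphanumeric exactly when its four little-endian bytes are all in 0-9A-Za-z, giving the string 000X), enumerates the 62^4 four-character alphanumeric space that Appendix A generates, and adds a simple defensive scanner that flags runs of aligned, fully alphanumeric words in a buffer. The sample buffer in the comments is constructed for illustration.

```python
import itertools
import string
import struct

# The 62 byte values an alphanumeric filter lets through: 0-9, A-Z, a-z.
ALNUM = (string.digits + string.ascii_uppercase + string.ascii_lowercase).encode("ascii")


def word_to_ascii(word):
    """Return the 4-char ASCII form of a 32-bit instruction word as it sits in
    memory (little-endian), or None if any of its bytes is not alphanumeric.
    word_to_ascii(0x58303030) == "000X", matching Note 3."""
    raw = struct.pack("<I", word)
    return raw.decode("ascii") if all(b in ALNUM for b in raw) else None


def ascii_to_word(text):
    """Inverse of word_to_ascii: the instruction word whose little-endian
    encoding is the given 4-character alphanumeric string."""
    data = text.encode("ascii")
    if len(data) != 4 or not set(data) <= set(ALNUM):
        raise ValueError("expected exactly 4 alphanumeric characters")
    return struct.unpack("<I", data)[0]


def alnum_words(prefix=b""):
    """Yield every 4-byte alphanumeric string (62**4 in total), optionally
    restricted to a fixed prefix; this is the enumeration of Appendix A."""
    for tail in itertools.product(ALNUM, repeat=4 - len(prefix)):
        yield prefix + bytes(tail)


def alnum_word_runs(data, min_words=4):
    """Detection heuristic: return (offset, length) of every run of at least
    min_words consecutive 4-byte-aligned words whose bytes are all alphanumeric.
    Example (constructed buffer): 8 zero bytes, then '000XabcdEFGH1234', then
    4 non-alphanumeric bytes -> [(8, 16)]."""
    runs, start = [], None
    n_words = len(data) // 4          # trailing partial word is ignored
    for i in range(n_words + 1):      # one extra step flushes a trailing run
        ok = i < n_words and all(b in ALNUM for b in data[4 * i:4 * i + 4])
        if ok and start is None:
            start = i
        elif not ok and start is not None:
            if i - start >= min_words:
                runs.append((4 * start, 4 * (i - start)))
            start = None
    return runs
```

Such a scanner only finds fully alphanumeric aligned code, so it is a triage aid for samples and captured inputs rather than a filter that would stop the shellcodes the paper describes.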

B Alphanumeric Instructions

This appendix describes \(\mathcal A_1\), the set of all AArch64 opcodes that can give alphanumeric instructions for some operands.

  • Data processing instructions:

    figure y
  • Load and store instructions:

    figure z
  • Branch instructions:

    figure aa
  • Other (SIMD, floating point, crypto...):

    figure ab

C Alphanumeric AND

The AND operation described in Sect. 4.2 can be automatically generated using the following code. To abstract register numbers and generate repetitive lines, the source code provided is pre-processed by m4 [9]. This allowed us to change a register number easily, without editing every occurrence, whenever we found that a specific register could not be used.

figure ac

D Encoder’s Source Code

We give here the encoder’s full source code. This program is written in PHP.

figure ad

E Decoder’s Source Code

We give here the decoder’s full source code. This code is pre-processed by m4 [9], which performs macro expansion. The payload program to decode has to be placed at the pool offset.

figure ae

F Hello World Shellcode

The following program prints “hello, world” when executed. It can be tested with QEMU using the options qemu-system-aarch64 -machine virt -cpu cortex-a57 -nographic -kernel shellcode.bin -m 2048 --append "console=ttyAMA0". It was generated by the program described in Sect. 5. The notation  means that X is repeated Y times.

figure ag

G Polymorphic Engine

The following shows two modifications that make the code partly polymorphic. The first one is a modification of the encoder that randomizes both the payload and the remaining blank space.

figure ah

The second one is an example of adding polymorphism for zeroing a register using a Haskell engine.

figure ai


Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

Barral, H., Ferradi, H., Géraud, R., Jaloyan, GA., Naccache, D. (2016). ARMv8 Shellcodes from ‘A’ to ‘Z’. In: Bao, F., Chen, L., Deng, R., Wang, G. (eds) Information Security Practice and Experience. ISPEC 2016. Lecture Notes in Computer Science(), vol 10060. Springer, Cham. https://doi.org/10.1007/978-3-319-49151-6_25


  • DOI: https://doi.org/10.1007/978-3-319-49151-6_25


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-49150-9

  • Online ISBN: 978-3-319-49151-6

  • eBook Packages: Computer Science (R0)
