product iamge

Blue Fox: Arm Assembly Internals and Reverse Engineering

This document was uploaded by one of our users. The uploader already confirmed that they had the permission to publish it. If you are author/publisher or own the copyright of this documents, please report to us by using this DMCA report form.

Download
Search on Amazon

Simply click on the Download Book button.

Yes, Book downloads on Ebookily are 100% Free.

Sometimes the book is free on Amazon As well, so go ahead and hit "Search on Amazon"

Provides readers with a solid foundation in Arm assembly internals and reverse-engineering fundamentals as the basis for analyzing and securing billions of Arm devices Finding and mitigating security vulnerabilities in Arm devices is the next critical internet security frontier―Arm processors are already in use by more than 90% of all mobile devices, billions of Internet of Things (IoT) devices, and a growing number of current laptops from companies including Microsoft, Lenovo, and Apple. Written by a leading expert on Arm security, Blue Fox: Arm Assembly Internals and Reverse Engineering introduces readers to modern Armv8-A instruction sets and the process of reverse-engineering Arm binaries for security research and defensive purposes. Divided into two sections, the book first provides an overview of the ELF file format and OS internals, followed by Arm architecture fundamentals, and a deep-dive into the A32 and A64 instruction sets. Section Two delves into the process of reverse-engineering itself: setting up an Arm environment, an introduction to static and dynamic analysis tools, and the process of extracting and emulating firmware for analysis. The last chapter provides the reader a glimpse into macOS malware analysis of binaries compiled for the Arm-based M1 SoC. Throughout the book, the reader is given an extensive understanding of Arm instructions and control-flow patterns essential for reverse engineering software compiled for the Arm architecture. Providing an in-depth introduction into reverse-engineering for engineers and security researchers alike, this book: • Offers an introduction to the Arm architecture, covering both AArch32 and AArch64 instruction set states, as well as ELF file format internals • Presents in-depth information on Arm assembly internals for reverse engineers analyzing malware and auditing software for security vulnerabilities, as well as for developers seeking detailed knowledge of the Arm assembly language • Covers the A32/T32 and A64 instruction sets supported by the Armv8-A architecture with a detailed overview of the most common instructions and control flow patterns • Introduces known reverse engineering tools used for static and dynamic binary analysis • Describes the process of disassembling and debugging Arm binaries on Linux, and using common disassembly and debugging tools Blue Fox: Arm Assembly Internals and Reverse Engineering is a vital resource for security researchers and reverse engineers who analyze software applications for Arm-based devices at the assembly level.

Author(s): Maria Markstedter
Edition: 1
Publisher: Wiley
Year: 2023

Language: English
Commentary: Publisher's PDF
Pages: 480
City: Hoboken, NJ
Tags: macOS; Debugging; Memory Management; Malware Analysis; Assembly Language; Static Analysis; Dynamic Analysis; QEMU; Process Management; Disassembling; Reverse Engineering; ARM Architecture; ELF; Operating Systems

Cover
Title Page
Copyright Page
Contents at a Glance
Contents
Introduction
Part I Arm Assembly Internals
Chapter 1 Introduction to Reverse Engineering
Introduction to Assembly
Bits and Bytes
Character Encoding
Machine Code and Assembly
Assembling
Cross-Assemblers
High-Level Languages
Disassembling
Decompilation
Chapter 2 ELF File Format Internals
Program Structure
High-Level vs. Low-Level Languages
The Compilation Process
Cross-Compiling for Other Architectures
Assembling and Linking
The ELF File Overview
The ELF File Header
The ELF File Header Information Fields
The Target Platform Fields
The Entry Point Field
The Table Location Fields
ELF Program Headers
The PHDR Program Header
The INTERP Program Header
The LOAD Program Headers
The DYNAMIC Program Header
The NOTE Program Header
The TLS Program Header
The GNU_EH_FRAME Program Header
The GNU_STACK Program Header
The GNU_RELRO Program Header
ELF Section Headers
The ELF Meta-Sections
The String Table Section
The Symbol Table Section
The Main ELF Sections
The .text Section
The .data Section
The .bss Section
The .rodata Section
The .tdata and .tbss Sections
Symbols
Global vs. Local Symbols
Weak Symbols
Symbol Versions
Mapping Symbols
The Dynamic Section and Dynamic Loading
Dependency Loading (NEEDED)
Program Relocations
Static Relocations
Dynamic Relocations
The Global Offset Table (GOT)
The Procedure Linkage Table (PLT)
The ELF Program Initialization and Termination Sections
Initialization and Termination Order
Thread-Local Storage
The Local-Exec TLS Access Model
The Initial-Exec TLS Access Model
The General-Dynamic TLS Access Model
The Local-Dynamic TLS Access Model
Chapter 3 OS Fundamentals
OS Architecture Overview
User Mode vs. Kernel Mode
Processes
System Calls
Objects and Handles
Threads
Process Memory Management
Memory Pages
Memory Protections
Anonymous and Memory-Mapped Memory
Memory-MappedFiles and Modules
Address Space Layout Randomization
Stack Implementations
Shared Memory
Chapter 4 The Arm Architecture
Architectures and Profiles
The Armv8-A Architecture
Exception Levels
Armv8-ATrustZone Extension
Exception Level Changes
Armv8-A Execution States
The AArch64 Execution State
The A64 Instruction Set
AArch64 Registers
The Program Counter
The Stack Pointer
The Zero Register
The Link Register
The Frame Pointer
The Platform Register (x18)
The Intraprocedural Call Registers
SIMD and Floating-PointRegisters
System Registers
PSTATE
The AArch32 Execution State
A32 and T32 Instruction Sets
The A32 Instruction Set
The T32 Instruction Set
Switching Between Instruction Sets
AArch32 Registers
The Program Counter
The Stack Pointer
The Frame Pointer
The Link Register
The Intraprocedural Call Register (IP, r12)
The Current Program Status Register
The Application Program Status Register
The Execution State Registers
The Instruction Set State Register
The IT Block State Register (ITSTATE)
Endianness state
Mode and Exception Mask Bits
Chapter 5 Data Processing Instructions
Shift and Rotate Operations
Logical Shift Left
Logical Shift Right
Arithmetic Shift Right
Rotate Right
Rotate Right with Extend
Instruction Forms
Shift by a Constant Immediate Form
Shift by Register Form
Bitfield Manipulation Operations
Bitfield Move
Sign-and Zero-Extend Operations
Bitfield Extract and Insert
Logical Operations
Bitwise AND
The TST Instruction
Bitwise Bit Clear
Bitwise OR
Bitwise OR NOT
Bitwise Exclusive OR
The TEQ instruction
Exclusive OR NOT
Arithmetic Operations
Addition and Subtraction
Reverse Subtract
Compare
CMP Instruction Operation Behavior
Multiplication Operations
Multiplications on A64
Multiplications on A32/T32
Least Significant Word Multiplications
Most Significant Word Multiplications
Halfword Multiplications
Vector (Dual) Multiplications
Long (64-Bit) Multiplications
Division Operations
Move Operations
Move Constant Immediate
Move Immediate and MOVT on A32/T32
Move Immediate, MOVZ, and MOVK on A64
Move Register
Move with NOT
Chapter 6 Memory Access Instructions
Instructions Overview
Addressing Modes and Offset Forms
Offset Addressing
Constant Immediate Offset
Register Offsets
Pre-Indexed Mode
Pre-Indexed Mode Example
Post-Indexed Addressing
Post-Indexed Addressing Example
Literal (PC-Relative) Addressing
Loading Constants
Loading an Address into a Register
Load and Store Instructions
Load and Store Word or Doubleword
Load and Store Halfword or Byte
Example Using Load and Store
Load and Store Multiple (A32)
Example for STM and LDM
A More Complicated Example Using STM and LDM
Load and Store Pair (A64)
Chapter 7 Conditional Execution
Conditional Execution Overview
Conditional Codes
The NZCV Condition Flags
Signed vs. Unsigned Integer Overflows
Condition Codes
Conditional Instructions
The If-Then (IT) Instruction in Thumb
Flag-Setting Instructions
The Instruction “S” Suffix
The S Suffix on Add and Subtract Instructions
The S Suffix on Logical Shift Instructions
The S Suffix on Multiply Instructions
The S Suffix on Other Instructions
Test and Comparison Instructions
Compare Negative (CMN)
Test Bits (TST)
Test Equality (TEQ)
Conditional Select Instructions
Conditional Comparison Instructions
Boolean AND Conditionals Using CCMP
Boolean OR Conditionals Using CCMP
Chapter 8 Control Flow
Branch Instructions
Conditional Branches and Loops
Test and Compare Branches
Table Branches (T32)
Branch and Exchange
Subroutine Branches
Functions and Subroutines
The Procedure Call Standard
Volatile vs. Nonvolatile Registers
Arguments and Return Values
Passing Larger Values
Leaf and Nonleaf Functions
Leaf Functions
Nonleaf Functions
Prologue and Epilogue
Part II Reverse Engineering
Chapter 9 Arm Environments
Arm Boards
Emulation with QEMU
QEMU User-Mode Emulation
QEMU Full-System Emulation
Firmware Emulation
Chapter 10 Static Analysis
Static Analysis Tools
Command-Line Tools
Disassemblers and Decompilers
Binary Ninja Cloud
Call-By-Reference Example
Control Flow Analysis
Main Function
Subroutine
Converting to char
if Statement
Quotient Division
for Loop
Analyzing an Algorithm
Chapter 11 Dynamic Analysis
Command-Line Debugging
GDB Commands
GDB Multiuser
GDB Extension: GEF
Installation
Interface
Useful GEF Commands
Examine Memory
Watch Memory Regions
Vulnerability Analyzers
checksec
Radare2
Remote Debugging
Radare2
IDA Pro
Debugging a Memory Corruption
Debugging a Process with GDB
Chapter 12 Reversing arm64 macOS Malware
Background
macOS arm64 Binaries
macOS Hello World (arm64)
Hunting for Malicious arm64 Binaries
Analyzing arm64 Malware
Anti-Analysis Techniques
Anti-Debugging Logic (via ptrace)
Anti-Debugging Logic (via sysctl)
Anti-VM Logic (via SIP Status and the Detection of VM Artifacts)
Conclusion
Index
EULA