Presented at
Black Hat Europe 2020 Virtual,
Dec. 9, 2020, 10:20 a.m.
(30 minutes).
Recently, the adoption of ARM processors for laptop computers is becoming popular due to its high energy efficiency. Windows 10 on ARM is a new OS for such ARM-based computers. Several laptop computers with this OS have already been shipped; notably, the recent launch of Microsoft Surface Pro X will be a driving force to facilitate the widespread use of Windows 10 on ARM.<br><br>You might think that there are new threats to such a new OS. Yes! We found such a threat.<br><br>In this talk, we present a new code injection technique to abuse a novel feature of Windows 10 on ARM: X86 emulation.<br>Remarkably, Windows 10 on ARM can run X86 apps via the X86 emulation feature that translates binary from X86-to-ARM just in time. To reduce the performance overhead of JIT binary translation, the OS has the mechanism to cache already-translated results as X86-to-ARM (XTA) cache files.<br><br>Our new code injection technique is performed by modifying this XTA cache file. Since this technique is difficult to detect and trace, appropriate countermeasures are necessary. Moreover, this technique can be used as an API hooking invisible to an X86 process. Therefore, this technique has already been a threat to Windows 10 on ARM.<br><br>We believe that future OSs have a JIT translation mechanism at the processor transition. For example, Apple has recently announced Rosetta 2, which is a similar mechanism for introducing their own ARM-based chip. For these OSs, the caching of already-translated results as files is a reasonable way to decrease performance overhead.<br><br>Our new code injection technique might also apply to such OSs.This presentation becomes a beneficial advisory for the developers of such future OSs, not limited to Windows 10 on ARM. PoC code of our new code injection technique and analysis results of the X86 emulation will be public on GitHub after this talk.
Presenters:
-
Ko Nakagawa
- Research Engineer, FFRI Security, Inc.
Ko Nakagawa is a research engineer at FFRI Security, Inc. working on the security of connected cars and malware analysis. His research interests are reverse engineering and hardware security. Now, he research mainly focuses on national security. In his free time, he joins the development of OSS, such as LIEF.
-
Hiromitsu Oshiba
- Research Engineer, FFRI Security, Inc.
Hiromitsu Oshiba is a research director at FFRI Security, Inc. He worked on improving their NGAV product for several years. Now his research mainly focuses on national security. And he loves cats.
Links:
Similar Presentations: