Sleight of ARM: Demystifying Intel Houdini

Presented at DEF CON 29 (2021), Aug. 6, 2021, 1 p.m. (45 minutes)

In the recent years, we have seen some of the major players in the industry switch from x86-based processors to ARM processors. However, you might be surprised to know that Intel has long supported ARM to x86 transition with their binary translator, Houdini, which runs ARM binaries on x86. In this talk, we will discuss Intel's proprietary Houdini translator, which is primarily used by Android on x86 platforms, such as higher-end Chromebooks and desktop Android emulators. We will start with a high-level discussion of how Houdini works and is loaded into processes. We will then dive into the low-level internals of the Houdini engine and memory model, including several security weaknesses it introduces into processes using it. Lastly, we will discuss methods to escape the Houdini environment, execute arbitrary ARM and x86, and write Houdini-targeted malware that bypasses existing platform analysis. REFERENCES: * Ye, Roger. Android System Programming: Porting, Customizing, and Debugging Android HAL. Packt Publishing, 2017. * JNI Functions, Oracle, 12 Nov. 2002, https://docs.oracle.com/javase/7/docs/technotes/guides/jni/spec/functions.html * Chromium OS Docs. Linux System Call Table, https://chromium.googlesource.com/chromiumos/docs/+/master/constants/syscalls.md * The Development Environment : Android Developers. Android Developers, https://developer.android.com/topic/arc/development-environment * Nachoparker. Own Your Bits, 14 June 2018, https://ownyourbits.com/2018/06/13/transparently-running-binaries-from-any-architecture-in-linux-with-qemu-and-binfmt_misc/ * Git at Google. Android container in Chrome OS, archived at https://web.archive.org/web/20200128052853/https://chromium.googlesource.com/chromiumos/platform2/+/master/arc/container-bundle/ * Oberheide, J. & Miller, C. 2012, June. Dissecting the Android Bouncer [Presentation] @ SummerCON, Brooklyn, New York

Presenters:

  • Brian Hong - Security Consultant, NCC Group
    Brian Hong is a security consultant at NCC Group, a global information assurance specialist providing organizations with expert security consulting services. He specializes in hardware penetration testing, reverse engineering, and has performed security research related to embedded systems, firmware analysis, web application penetration testing, and Android security and malware analysis. Brian has a B. Eng. in Electrical Engineering and Computer Science from The Cooper Union.

Links:

Similar Presentations: