FaultArm - Assembly Fault Injection Vulnerability Detector

• FaultArm - Assembly Fault Injection Vulnerability Detector
  • Project Introduction
    • Usage
  • Generating sample files
    • Requirements
    • Compiling
  • Patterns
  • Structure
    • main.py
    • Parser.py
    • Analysis.py
      • Analyzer Class
      • Utility

Reference

When reporting results that use the dataset or code in this repository, please cite the paper below:

Prateek Kharangate, Guillermo Rached, Harris Musungu, Nan Niu, Boyang Wang, ``FaultArm: Detecting Fault Injection Vulnerabilities in Arm Assembly," IEEE National Aerospace and Electronics Conference (NAECON 2024), July 15-18, 2024.

The dataset and code are for research purpose only

Project Introduction

FaultArm is a tool created to automatically detect fault injection vulnerabilities within ARM and x86 assembly. The current method of analysis requires an assembly file; however, the aim of this tool is to support the analysis of compiled binaries.

Usage

python3 main.py [target_assembly_file]

Generating sample files

Requirements

In order to generate sample files, a C compiler is needed. In the case of this project, we use gcc-arm-none-eabi-10.3-2021.10:

arm-none-eabi-gcc (15:9-2019-q4-0ubuntu1) 9.2.1 20191025 (release) [ARM/arm-9-branch revision 277599]
Copyright (C) 2019 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

For more information about compilers, please see /docs/developer_notes/architecture_and_compilers.md.

Compiling

Once a compiler is present, compile the file in the following manner:

arm-none-eabi-gcc -S filename.c -o assembly_filename.s

Which should then generate an assembly (.s) file to use with our tool.

To create a high-level example of the vulnerability pattern. please see /docs/developer_notes/add_patterns.md.

Patterns

For information regarding the currently supported patterns, please look at /docs/pattern_documentation.

We currently support the following patterns:

• Branch
• ConstantCoding
• LoopCheck

Structure

FaultHunter_ASM (currently) is separated between two modules: Parser.py and Analyzer.py.

main.py

The entrypoint to the program, main.py, serves as a central location to utilize both modules. All we do in this file is import the modules and utilize them.

Parser.py

Main parsing module. Intended to parse assembly code. It combs through the source code and creates objects depending on what it encounters. Once the source code is transformed into a list of objects, it can be more easily worked with to discover patterns. It uses Python’s type hints to be more transparent.

Locations are spots in the code that can be referenced and jumped to. Example: .LC0 and main.

IntegerLiterals are integers. In 32-bit syntax, these are prefaced with a “#”

StringLiterals are strings. These are prefaced by a location and .ascii.

Registers are ARM registers.

Instructions are assembly instructions. They are composed of the string representation and a list of the arguments, which are further parsed into IntegerLiterals, StringLiterals and Registers.

There are certain features that need to be added such as parsing memory locations, which are found inside straight brackets (“[“ and “]”). Since these are offset to register values or memory locations, this will take some work.

Analysis.py

Performs static analysis on a program's instructions to detect fault injection vulnerabilities.

Analyzer Class

The Analyzer class performs static analysis on a program's instructions using the different pattern classes. It has the following attributes:

• filename: The name of the file being analyzed.
• parsed_data: The parsed data object containing the program instructions.
• totla_lines: The amount of lines in the assembly file.
• out_directory: A path to output analysis results.
• X_detector: An instance of the respective X pattern class used for pattern analysis.

The Analyzer class provides the following methods:

• create_directory: Creates a directory with the current timestamp.
• static_analysis(): Performs static analysis on the program instructions.
• just_print_analysis_results(): Prints the analysis results.
• save_and_print_analysis_results: Saves and prints the analysis results.
• print_total_vulnerable_lines: Prints the total number of vulnerable lines found.
• get_total_vulnerable_lines: Returns the number of vulnerable lines for all patterns in the current file.

Utility

To use the Branch Vulnerability Analyzer, follow these steps:

1. Instantiate a Parser object and pass the provided assembly file.
2. Pass the output from Parser to the Analyzer constructor.
3. Call the static_analysis() method of the Analyzer object to perform static analysis on the program.
4. Call one of the print_analysis_results() method of the Analyzer object to print the analysis results.

If any vulnerabilities are detected, the program will display:

• Line number
• Instruction
• Pattern

Contacts

Prateek Kharangate, kharanpv@mail.uc.edu

Guillermo Rached, rachedge@mail.uc.edu

Boyang Wang, boyang.wang@uc.edu