
On Static Binary Translation of ARM/Thumb Mixed ISA Binaries

Published: 28 March 2017

Abstract

Code discovery has been a main challenge for static binary translation, especially when the source instruction set architecture has variable-length instructions, such as the x86 architectures. Due to embedded data such as PC (program counter)-relative data, jump tables, or paddings in the code section, a binary translator may be misled to translate data as instructions. For variable-length instructions, once a piece of data is mis-translated as instructions, decoding subsequent bytes could also go wrong. We are concerned with static binary translation for the very popular Advanced RISC Machine (ARM) architectures. Although ARM is considered a reduced instruction set computer architecture, it does allow the mix of 32-bit (ARM) instructions and 16-bit (Thumb) instructions in the same executables. In addition to different instruction lengths, the ARM and Thumb instructions are located at 4-byte or 2-byte aligned addresses, respectively. Furthermore, because ARM and Thumb instructions share the same encoding space, a 4-byte word could sometimes be decoded as one ARM instruction or two Thumb instructions. The correct decoding of this 4-byte word is actually determined at runtime by the least-significant bit of the program counter.
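To make the decoding ambiguity described above concrete, here is an added example (not code from the paper or its translator) that decodes the same 4-byte little-endian word once as one ARM instruction and once as Thumb halfwords, and applies the interworking rule by which bit 0 of a branch target selects the state. The A32 and T16 decoders are deliberately coarse, covering only the top-level encoding classes and a handful of common T16 encodings; the sample words and target addresses are constructed for the demonstration.

```python
import struct

# A32 condition codes (bits 31:28) and data-processing opcodes (bits 24:21).
ARM_COND = ["eq", "ne", "cs", "cc", "mi", "pl", "vs", "vc",
            "hi", "ls", "ge", "lt", "gt", "le", "al", "nv"]
ARM_DP_OPS = ["and", "eor", "sub", "rsb", "add", "adc", "sbc", "rsc",
              "tst", "teq", "cmp", "cmn", "orr", "mov", "bic", "mvn"]


def _reg(n):
    return {13: "sp", 14: "lr", 15: "pc"}.get(n, f"r{n}")


def branch_target_state(addr):
    """Interworking rule: an indirect branch selects the state from bit 0 of
    the target. Bit 0 set -> Thumb (PC = addr & ~1), clear -> ARM (PC = addr & ~3)."""
    if addr & 1:
        return "thumb", addr & ~1
    return "arm", addr & ~3


def decode_arm_word(word):
    """Coarse A32 decoder: classify a 32-bit word by its top-level encoding fields."""
    cond = ARM_COND[word >> 28]
    c = "" if cond == "al" else cond
    if cond == "nv":
        return "(unconditional-instruction space)"
    if (word & 0x0FFFFFF0) == 0x012FFF10:
        return f"bx{c} {_reg(word & 0xF)}"
    top, bit4, bit20 = (word >> 25) & 7, (word >> 4) & 1, (word >> 20) & 1
    rn, rd = (word >> 16) & 0xF, (word >> 12) & 0xF
    if top in (0b000, 0b001):
        return f"{ARM_DP_OPS[(word >> 21) & 0xF]}{c} (data-processing) rd=r{rd} rn=r{rn}"
    if top == 0b010 or (top == 0b011 and not bit4):
        return f"{'ldr' if bit20 else 'str'}{c} (load/store) rt=r{rd} rn=r{rn}"
    if top == 0b011:
        return f"(media/undefined space, cond={cond})"
    if top == 0b100:
        return f"{'ldm' if bit20 else 'stm'}{c} (block transfer) rn=r{rn}"
    if top == 0b101:
        off = word & 0x00FFFFFF
        if off & 0x00800000:          # sign-extend the 24-bit offset
            off -= 0x01000000
        return f"b{'l' if (word >> 24) & 1 else ''}{c} offset={off << 2:+#x}"
    return f"(coprocessor/svc space, cond={cond})"


def thumb_is_32bit(hw):
    """Thumb-2 caveat: a halfword with top bits 11101/11110/11111 is the first
    half of a 32-bit instruction, not a standalone 16-bit one."""
    return (hw >> 11) in (0b11101, 0b11110, 0b11111)


def decode_thumb16(hw):
    """Small T16 decoder covering the encodings used in the constructed samples."""
    if hw == 0xBF00:
        return "nop"
    if (hw >> 13) == 0b000 and (hw >> 11) & 3 != 3:      # shift by immediate
        op = ["lsls", "lsrs", "asrs"][(hw >> 11) & 3]
        return f"{op} r{hw & 7}, r{(hw >> 3) & 7}, #{(hw >> 6) & 0x1F}"
    if (hw >> 13) == 0b001:                                # mov/cmp/add/sub imm8
        op = ["movs", "cmp", "adds", "subs"][(hw >> 11) & 3]
        return f"{op} r{(hw >> 8) & 7}, #{hw & 0xFF}"
    if (hw >> 11) == 0b01001:                              # PC-relative literal load
        return f"ldr r{(hw >> 8) & 7}, [pc, #{(hw & 0xFF) * 4}]"
    if (hw & 0xFF80) == 0x4700:
        return f"bx {_reg((hw >> 3) & 0xF)}"
    if (hw & 0xFE00) in (0xB400, 0xBC00):                  # push / pop
        push = (hw & 0xFE00) == 0xB400
        regs = [f"r{i}" for i in range(8) if hw & (1 << i)]
        if hw & 0x100:
            regs.append("lr" if push else "pc")
        return f"{'push' if push else 'pop'} {{{', '.join(regs)}}}"
    if (hw >> 11) == 0b11100:                              # unconditional b imm11
        off = (hw & 0x7FF) << 1
        if off & 0x800:
            off -= 0x1000
        return f"b #{off:+#x}"
    return f"(unclassified T16 0x{hw:04x})"


def decode_word(raw, state):
    """Decode one little-endian 4-byte word in the given state: exactly one
    instruction in ARM state; in Thumb state two 16-bit instructions unless a
    halfword starts a 32-bit Thumb-2 instruction."""
    (word,) = struct.unpack("<I", raw)
    if state == "arm":
        return [decode_arm_word(word)]
    lo, hi = word & 0xFFFF, word >> 16          # lo sits at the lower address
    if thumb_is_32bit(lo):
        return [f"(thumb-2 32-bit instruction 0x{lo:04x} 0x{hi:04x})"]
    out = [decode_thumb16(lo)]
    if thumb_is_32bit(hi):
        out.append(f"(thumb-2 32-bit instruction starting 0x{hi:04x}, continues in next word)")
    else:
        out.append(decode_thumb16(hi))
    return out


if __name__ == "__main__":
    # Constructed sample words, not taken from any binary discussed on the page.
    samples = {"0000a0e1": "ARM 'mov r0, r0'",
               "10b57047": "Thumb 'push {r4, lr}; bx lr'",
               "1eff2fe1": "ARM 'bx lr'"}
    for hexbytes, note in samples.items():
        raw = bytes.fromhex(hexbytes)
        print(f"{hexbytes}  {note}")
        print("   as ARM  :", decode_word(raw, "arm"))
        print("   as Thumb:", decode_word(raw, "thumb"))
    for tgt in (0x8000, 0x8001):
        print(f"bx to 0x{tgt:x} ->", branch_target_state(tgt))
```

Running it shows the three situations the abstract names: the ARM `mov r0, r0` word is also two plausible Thumb instructions; the Thumb `push`/`bx lr` pair is a meaningless media-space word when read as ARM; and the ARM `bx lr` word cannot be two Thumb instructions at all because its first halfword is a Thumb-2 prefix. Only the state carried in bit 0 of the branch target, as in `branch_target_state`, resolves which reading is real.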

For unstripped binaries, the mapping symbols can be used to identify ARM code regions and Thumb code regions. For stripped binaries, however, such mapping symbols are unavailable. We propose a novel solution to statically translate stripped ARM/Thumb mixed executables. Our solution is implemented in a static binary translator. For code regions whose types cannot be determined with our solution, the binary translator generates multiple versions of translated code, one of which is selected at runtime. The binary translator also includes a series of analyses that enable the removal of most useless code versions. Based on the experimental results on stripped ARM/Thumb mixed binaries in the SPEC2006 and Embedded Microprocessor Benchmark Consortium (EEMBC) benchmark suites, our static binary translator achieves impressive performance when migrating them to run on x86 machines, and the space overhead is no more than 10%.

