Sleight of ARM: Demystifying Intel Houdini
10-12, 13:00–13:50 (US/Pacific), The Point

In recent years, we have seen some of the major players in the industry switch from x86-based processors to ARM processors. Most notable is Apple, which has supported the transition from x86 to ARM with a binary translator, Rosetta 2, which has recently attracted the attention of many researchers and reverse engineers. However, you might be surprised to know that Intel has its own binary translator, Houdini, which runs ARM binaries on x86.
In this talk, we will discuss Intel's proprietary Houdini translator, which is primarily used by Android on x86 platforms, such as higher-end Chromebooks and desktop Android emulators. We will start with a high-level discussion of how Houdini works and how it is loaded into processes. We will then dive into the low-level internals of the Houdini engine and its memory model, including several security weaknesses it introduces into the processes that use it. Lastly, we will discuss methods to escape the Houdini environment, execute arbitrary ARM and x86 code, and write Houdini-targeted malware that bypasses existing platform analysis.

The Intel Houdini emulator is a black box that does not appear to have undergone any significant public research into its inner workings or security impact. Existing work has focused on implementing function hooks targeting ARM code running through Houdini, but has not gone much deeper than that. This research dives into the internals of Houdini, discusses the security issues it introduces, and introduces several novel abuses of the runtime it provides.

This research sheds light on the internal workings of a poorly understood binary emulator which, among other issues, can enable malware to enter mobile app stores undetected, and offers remediation strategies to app stores. The research also offers remediation and hardening advice to implementers of binary translators. In the near future, due to ISA diversification across x86, ARM, and RISC-V, there will likely be an increased need for binary translators to support porting software across both architectures and operating systems. Given the compatibility and performance requirements involved, it is likely that "in-process" binary translators, such as Houdini and Rosetta 2, will be used over OS- or "hypervisor"-style sandbox emulators such as QEMU. Because of their "direct" mode of operation, they can introduce various kinds of risks that are highly specific to the implementation and the host system. Our work extends modern security research to this newer style of emulator, with a focus on ensuring that these binary translator emulators neither weaken the existing security model for native processes nor introduce additional vulnerabilities.

Presentation Slides: toorcon-2021/question_uploads/presentation_gpeKPaG.pdf

Brian Hong is a security consultant at NCC Group, a global information assurance specialist providing organizations with expert security consulting services. He specializes in hardware penetration testing and reverse engineering, and has performed security research related to embedded systems, firmware analysis, web application penetration testing, and Android security and malware analysis. Brian has a B.Eng. in Electrical Engineering and Computer Science from The Cooper Union.