svc-hook: hooking system calls on ARM64 by binary rewriting
Abstract
The paper introduces "svc-hook," a framework for intercepting and hooking system calls on the ARM64 architecture. Instrumentation is achieved by binary rewriting: the executable code is modified directly so that execution is diverted at each system call site. This gives an architecture-specific mechanism for dynamic analysis, security monitoring, and general function instrumentation without requiring changes to the operating system kernel.
Report
Key Highlights
- Novel Tool: Introduces "svc-hook," a new dynamic instrumentation tool focused on system call interception.
- Target Architecture: The technique is specifically engineered for the ARM64 (AArch64) environment.
- Core Methodology: System call hooking is accomplished by directly modifying the application's binary code at runtime or load time (binary rewriting).
- Impact: Offers a low-level, potentially stealthy, method for monitoring program execution and operating system interactions without relying on traditional kernel modules or debugger interfaces.
Technical Details
- Architecture Focus: ARM64 instruction set and system call convention.
- Mechanism: The solution likely targets the Supervisor Call (SVC) instruction, which is typically used by user-space applications on ARM to request kernel services. Binary rewriting involves replacing the original instruction sequence with a jump (or similar control flow modification) to custom handler code.
- Technique: Binary rewriting requires precise analysis of the instruction stream to ensure safe and reversible modification, accounting for position-independent code (PIC) and instruction size constraints unique to AArch64.
- Deployment: Given the context of middleware, this tool likely functions as an intrusive user-space library or a hypervisor-assisted solution for instrumentation.
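As an added illustration of the mechanism and constraints described above (this is not code from the svc-hook paper or project), the following Python scans a little-endian AArch64 code blob for `svc #0` sites, recovers the system call number when the preceding instruction is the usual `mov w8/x8, #imm16`, and shows the check a rewriter must make before overwriting the single 4-byte SVC slot with a direct `b`: the target must be 4-byte aligned and within the branch's ±128 MiB reach. The sample code blob is constructed by hand for this example, and the handler offset is an assumed placeholder. The site scanner is also useful on its own for auditing where a binary issues system calls.

```python
import struct

# AArch64 encodings used below (all fixed by the ISA, not by svc-hook).
SVC0 = 0xD4000001          # svc #0 (Linux system call)
MOVZ_MASK = 0xFFE0001F     # sf, opc, fixed bits, hw field and Rd of MOVZ
MOVZ_X8 = 0xD2800008       # movz x8, #imm16 (hw = 0)
MOVZ_W8 = 0x52800008       # movz w8, #imm16 (hw = 0)
B_OPCODE = 0x14000000      # b imm26 (unconditional, no link)
B_RANGE = 1 << 27          # b reaches +/-128 MiB (imm26 words * 4 bytes)


def decode_words(code: bytes):
    """Yield (byte offset, 32-bit instruction word) for little-endian AArch64 code."""
    if len(code) % 4:
        raise ValueError("AArch64 code must be a multiple of 4 bytes")
    for off in range(0, len(code), 4):
        yield off, struct.unpack_from("<I", code, off)[0]


def find_syscall_sites(code: bytes):
    """Return [(offset, syscall_number_or_None)] for every `svc #0`.

    The number is recovered only when the immediately preceding instruction
    is `mov w8, #imm16` or `mov x8, #imm16`; any other setup yields None, so
    a caller can see which sites need deeper analysis.
    """
    words = list(decode_words(code))
    sites = []
    for i, (off, word) in enumerate(words):
        if word != SVC0:
            continue
        number = None
        if i > 0:
            prev = words[i - 1][1]
            if (prev & MOVZ_MASK) in (MOVZ_X8, MOVZ_W8):
                number = (prev >> 5) & 0xFFFF   # imm16 lives in bits 20..5
        sites.append((off, number))
    return sites


def encode_b(site: int, target: int) -> int:
    """Encode `b target` for placement at `site` (both byte offsets in one mapping).

    Raises if the target is misaligned or outside the direct-branch reach; a
    rewriter must reject such sites because a single 4-byte slot cannot hold
    a longer branch sequence.
    """
    delta = target - site
    if delta % 4:
        raise ValueError("branch target must be 4-byte aligned")
    if not -B_RANGE <= delta < B_RANGE:
        raise ValueError("target outside the +/-128 MiB reach of a direct branch")
    return B_OPCODE | ((delta >> 2) & 0x3FFFFFF)   # two's-complement imm26


def rewrite_svcs(code: bytes, handler: int) -> bytes:
    """Replace every `svc #0` with `b handler`; returns the rewritten blob.

    Note that `b` records no return address, so a real rewriter must also
    give the handler a way back to the instruction after each site.
    """
    out = bytearray(code)
    for off, _ in find_syscall_sites(code):
        struct.pack_into("<I", out, off, encode_b(off, handler))
    return bytes(out)


# Constructed sample: mov x8,#64 ; svc #0 ; mov w8,#93 ; svc #0 ; nop ; svc #0 ; ret
SAMPLE = bytes.fromhex(
    "080880d2"   # mov x8, #64   (write)
    "010000d4"   # svc #0
    "a80b8052"   # mov w8, #93   (exit)
    "010000d4"   # svc #0
    "1f2003d5"   # nop
    "010000d4"   # svc #0        (no recognisable number setup)
    "c0035fd6"   # ret
)
HANDLER_OFFSET = 0x1000   # assumed placeholder for the hook handler's location

if __name__ == "__main__":
    for off, nr in find_syscall_sites(SAMPLE):
        print(f"svc #0 at +0x{off:x}, syscall number {nr}")
    patched = rewrite_svcs(SAMPLE, HANDLER_OFFSET)
    print("sites left after rewrite:", find_syscall_sites(patched))
```

Running it lists three syscall sites (numbers 64 and 93 recovered, the third unknown), then shows that none remain after rewriting. The range check is the practical consequence of the "instruction size constraints" noted above: every AArch64 instruction is 4 bytes, so the hook must fit in one word and the handler must be mapped close enough to reach.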
Implications
- ARM64 Security: This work significantly advances the state-of-the-art in dynamic instrumentation and low-level introspection for the critical ARM64 ecosystem, aiding in security analysis, malware research, and vulnerability discovery.
- Cross-Architecture Learning: Although svc-hook targets ARM64, the fundamental principles of using specialized binary rewriting to intercept architectural primitives (like syscall instructions) are directly transferable. This provides a blueprint for developing similar deep instrumentation techniques for other nascent architectures.
- Relevance to RISC-V: As RISC-V gains traction in domains requiring deep visibility (e.g., IoT, specialized computing), the methods used in svc-hook for managing control flow and binary modification will inform the development of necessary dynamic analysis and security tools tailored to the RISC-V environment's system call convention (typically using the ECALL instruction).