ARM: add support for arm architecture

[gauthier-wiemann]

The suggested enhancement involves adding support for ARM architecture in the CAPA tool and improving its capabilities on ELF files.

Here are the steps involved:

1. Changes to capa/features/common.py and capa/main.py: Simple changes have been made to add ARM architecture to the list of supported architectures in CAPA.

2. Changes to capa/features/extractors/viv/: More complex changes have been made to this directory to enable disassembly of ARM binaries.
   Specifically, a new file, capa/features/extractors/viv/insn_arm.py, has been added.
   This file replicates the logic of capa/features/extractors/viv/insn.py, but adapts its functions to ARM mnemonics and patterns specific to ARM binaries.

3. Testing: Each feature has been tested using binaries written in assembler or compiled with GCC (version 9.4.0), and the final result of the modifications has been evaluated over Linux Arm Malware samples, mostly Mirai.

4. Improving capabilities on ELF files: The modifications also aim to improve CAPA's capabilities on ELF files. Specifically, the following changes have been made:

   • ELF Stripper: CAPA's current version fails to detect the underlying operating system in ELF files, leading to premature termination of the analysis. To address this, Linux is assumed to be the default operating system if the analysis couldn't determine the underlying OS. This change is made in capa/features/extractors/elf.py.
   • Statically linked ELF files: The extractor was unable to yield the API features in statically linked ELF files, resulting in poor detection capabilities. To solve this problem, upstream detection of statically linked ELF files is performed, and certain basic blocks are marked as library function using a hard-coded table to translate the syscall number into their function name. This change is made in capa/features/extractors/viv/syscall.py.

Note:

• While adding support for ARM architecture in CAPA, it was found that some ARM samples produce a lot of warnings in the provenance of the vivesct disassembler. However, these warnings do not seem to interfere with the final result of CAPA's analysis.

• As for x86/x84 binaries, it was observed that the statement of some features is dependent on specific patterns, which may be related to the type and version of the compiler used. This dependency could potentially limit CAPA's abilities when analyzing these binaries.

Checklist

• No CHANGELOG update needed

• No new tests needed

• No documentation update needed

Sorry for the new PR, we had to do it with another organization.

This PR is related to this issue #1774 and this PR #1796

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[williballenthin]

🥳 so happy to see this reopened!

[gauthier-wiemann]

We registered on Google CLA, what is the next step now ?

[mr-tz]

The CLA check succeeds now, thanks! We'll review this shortly.

[mr-tz]

Here's a first set of comments. My main concern is around mixing the architectures and how to handle this to keep the code maintainable (little code duplication) and readable.

Great work overall and I look forward to other reviews and your feedback.

[mr-tz]

Suggested change

	binja: add support for forwarded exports #1646 @xusheng6
	- binja: add support for forwarded exports #1646 @xusheng6

[mr-tz]

can this be simplified to just use the constant or the name?

[gauthier-wiemann]

So we import envi.archs.arm.disasm.REG_SP as REG_SP and just use REG_SP for example ?

[mr-tz]

yes, exactly

[williballenthin]

@mr-tz i'm not sure i agree, because then it won't be obvious to a reader if the SP/BP are related to arm vs x86 vs ...

[mr-tz]

I meant to use:

• envi.archs.i386.disasm.REG_EBP (or similar [untested])
• envi.archs.amd64.disasm.REG_RBP (or similar [untested])
• etc.

Instead of "ebp", "rbp", etc.

[mr-tz]

Suggested change

	not isinstance(dst, envi.archs.i386.disasm.i386SibOper)
	and not isinstance(dst, envi.archs.i386.disasm.i386RegMemOper)
	not isinstance(dst, (envi.archs.i386.disasm.i386SibOper, envi.archs.i386.disasm.i386RegMemOper))

[mr-tz]

I think this should still return bool. get_arch can return the string/handle the cases.

[gauthier-wiemann]

I will change that to use get_arch instead

[mr-tz]

suggest to use arch here instead

[gauthier-wiemann]

I agree. I will change it

[mr-tz]

if we want to do this for the other backends as well, we can move the mappings to a file one directory up

[gauthier-wiemann]

Do you want us to create this file now ?

[mr-tz]

if you don't mind, please... and thanks!

[mr-tz]

Suggested change

	def interface_extract_instruction_XXX(
	fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle
	) -> Iterator[Tuple[Feature, Address]]:
	"""
	parse features from the given instruction.
	args:
	fh: the function handle to process.
	bbh: the basic block handle to process.
	ih: the instruction handle to process.
	yields:
	(Feature, Address): the feature and the address at which its found.
	"""
	raise NotImplementedError

[mr-tz]

I like the separation, on the other hand seems like we have quite some duplicated code?
Do you have a feel for if only using insn.py would be more maintainable/less duplication?

[gauthier-wiemann]

We first began with a repository viv_arm/ and then merged it with viv/. insn.py was the most difficult one to merge. Many functions are very different but we import the common functions from insn.py. We can maybe merge other functions but I"m not sure if it is possible for all.

[williballenthin]

would it be reasonable to:

• move most of insn.py today to insn_x86.py, then
• add the new insn_arm.py, and then
• add new insn.py that dispatches to the appropriate insn_* file

?

once we have two supported arches, i would generally prefer that they are treated the same, not "x86 is primary and ARM is second class".

[williballenthin]

i think having some duplication is ok, especially when we don't expect every contributor to be an expert in both x86 and arm (i am certainly not!). if we keep the code together, then few people can maintain it. if we have duplicates, each set of experts can work on their own code. of course, we'll want to keep things in sync, but it shouldn't prevent us from doing a reasonably good job of fixing bugs and adding features.

[mr-tz]

what is this?

[mr-tz]

note, I did not review most of this file

[gauthier-wiemann]

Thank you for this first review. I tried to give a feedback for as many comments as possible but I need to consult my team for the other points. I will commit the changes when all the comments are answered.

[williballenthin]

Suggested change

	def getSyscallName(num: int, arch: bool) -> str:
	def get_syscall_name(num: int, arch: bool) -> str:

and maybe document this can raise KeyError when not found ?

[mr-tz]

Hey @gauthier-wiemann, I've created a new feature branch for ARM support: https://github.com/mandiant/capa/tree/arm-support
Can you/we change to merge your suggestions in there for us to pick up future work?

[gauthier-wiemann]

Hi, we have no problem with it.