5
votes

I have read that 'Normal' ARM instructions are fixed length - 32 bits. And that no ARM instruction can jump into the middle of another instruction - something that is easy to do with x86 instructions.

(For x86, Google's NaCl tries to 'fix' this by aligning instructions on 32 byte boundaries.)

Does this make ARM programs more secure or more resistant to certain attacks?

If so, does this extend to Thumb and Java instructions?

2
If the attacker is in a position that he can cause the program counter to become misaligned from the instructions, he's probably already exploiting a security vulnerability elsewhere, so the security of the system has already been compromised.Philip Potter
Is that possible with ARM code?philcolbourn

2 Answers

4
votes

The place where it can be safer is when scanning opcode to sandbox process. If you want to prohibit or intercept some instruction, doing so is easier on a fixed length instruction set. On x86 architecture, the instruction set depends of the context, and instruction have variable length, so an instruction that seems harmless can in fact embed another instruction, if you parse it from the correct offset. You can effectively "jump in the middle of an instruction" and still have a valid instruction.

ARM is easier to parse, and thumb mode does not change this. So ARM instruction set is not particularly safer per se, but is far easier to parse, and correct parsing is necessary for the NaCl like sandboxing

This is the short and probably inexact answer. For a more definitive answer, look at this blog post on the excellent matasano blog

1
votes

You're thinking about that attack of clobbering the stack return address or similar so it branches into a payload right? Word alignment isn't a big help or hindrance there I imagine - you just need to align the payload 4 bytes. Oh, and x64 requires 16-byte instruction alignment.

Is this what you meant?