Abstract

Software emulation is at the core of efficient automated software analysis. It makes efficient use of computing resources by running multiple instances on a single machine, and it naturally provides strong sandboxing that contains the analyzed target software. Software emulation techniques and principles have been implemented in dynamic binary translators (DBI) and emulators that are used extensively in practice. Transparency of emulation is one of the essential aspects of emulation engines: hiding the presence of emulation from the software being emulated is vital in many use cases of software emulation (e.g., malware analysis). Detecting the presence of emulation through various methods, and preventing such detection, have been important topics in the field. Emulation detection is commonly used to protect commercial software against reverse engineering, and it is abused by malware developers who intend to sabotage the analysis of their malware. Many works have proposed methods for emulation detection, while others have introduced mitigations. In this paper, we present EmuID, which exploits a peculiar microarchitectural caveat of the ARM architecture to detect emulation. Our method is accurate, implementation-agnostic, and robust. Our evaluation shows that our method detects ARM execution in well-known emulation engines on ARM (i.e., ARM-on-ARM) as well as cross-architecture ARM emulation on the x86 architecture (i.e., ARM-on-x86). Also, mitigating our approach would require non-trivial modifications to emulation engines, unlike heuristics-based detection methods, which can be readily mitigated once their mechanisms are known.
