ASC-Hook: fast and transparent system call hook for Arm
Yang Shen (National University of Defense Technology), Min Xie (National University of Defense Technology), Wenzhe Zhang (National University of Defense Technology), and Tao Wu (Changsha University of Science and Technology)

TL;DR
ASC-Hook is a highly efficient and comprehensive system call interception framework for ARM, significantly reducing overhead and ensuring thorough monitoring through innovative binary rewriting techniques.
Contribution
The paper introduces ASC-Hook, a novel binary rewriting framework that overcomes ARM-specific challenges to enable fast, complete, and transparent system call interception.
Findings
Reduces interception overhead to at least 1/29 of that of existing tools.
Achieves an average performance loss of 3.7% in system call-intensive applications.
Provides a comprehensive interception strategy tailored for ARM architecture.
Abstract
Intercepting system calls is crucial for tools that aim to modify or monitor application behavior. However, existing system call interception tools on the ARM platform still suffer from limitations in terms of performance and completeness. This paper presents an efficient and comprehensive binary rewriting framework, ASC-Hook, specifically designed for intercepting system calls on the ARM platform. ASC-Hook addresses two key challenges on the ARM architecture: the misalignment of the target address caused by directly replacing the SVC instruction with br x8, and the return to the original control flow after system call interception. This is achieved through a hybrid replacement strategy and our specially designed trampoline mechanism. By implementing multiple completeness strategies specifically for system calls, we ensured comprehensive and thorough interception. Experimental results…
