A new code injection technique called Jack-in-the-Cache is presented, which exploits the X86 emulation feature of Windows 10 on ARM by modifying X86-to-ARM translation cache files. The technique is difficult to detect and can be used for API hooking. Countermeasures are necessary to prevent this threat.
- Windows 10 on ARM can run X86 apps via the X86 emulation feature that translates binary from X86-to-ARM just in time
- The OS has a mechanism to cache already-translated results as X86-to-ARM (XTA) cache files to reduce the performance overhead of JIT binary translation
- Jack-in-the-Cache is performed by modifying the XTA cache file and can be used for API hooking
- The technique is difficult to detect and appropriate countermeasures are necessary to prevent this threat
The presentation explains how the Jack-in-the-Cache technique can be used for API hooking, a useful technique for inspecting and changing program behavior. Conventional API hooking, however, is easy to detect because it rewrites instructions at the beginning of the hooked function. This can be avoided by using the invisible execution feature of X86 emulation, which offers a good hook point in the bridge DLLs between X86 and ARM64 on Windows 10.
Recently, the adoption of ARM processors for laptop computers has become popular due to their high energy efficiency. Windows 10 on ARM is a new OS for such ARM-based computers. Several laptop computers with this OS have already been shipped; notably, the recent launch of Microsoft Surface Pro X will be a driving force to facilitate the widespread use of Windows 10 on ARM.

You might think that there are new threats to such a new OS. Yes! We found such a threat.

In this talk, we present a new code injection technique to abuse a novel feature of Windows 10 on ARM: X86 emulation.

Remarkably, Windows 10 on ARM can run X86 apps via the X86 emulation feature that translates binary from X86-to-ARM just in time. To reduce the performance overhead of JIT binary translation, the OS has a mechanism to cache already-translated results as X86-to-ARM (XTA) cache files.

Our new code injection technique is performed by modifying this XTA cache file. Since this technique is difficult to detect and trace, appropriate countermeasures are necessary. Moreover, this technique can be used as an API hooking invisible to an X86 process. Therefore, this technique has already been a threat to Windows 10 on ARM.

We believe that future OSs will have a JIT translation mechanism at the processor transition. For example, Apple has recently announced Rosetta 2, which is a similar mechanism for introducing their own ARM-based chip. For these OSs, the caching of already-translated results as files is a reasonable way to decrease performance overhead.

Our new code injection technique might also apply to such OSs.

This presentation serves as a beneficial advisory for the developers of such future OSs, not limited to Windows 10 on ARM. PoC code of our new code injection technique and analysis results of the X86 emulation will be made public on GitHub after this talk.