Frustrating Emulation with Delay Slots in MIPS and MIPS16
In the same way that ARM has Thumb as its 16-bit compressed instruction set, MIPS has MIPS16 for compressed instructions. Both MIPS and MIPS16 support delay slots, and these delay slots are far more complicated than the “just execute the instruction after the branch” rule that you learned in undergrad Computer Organization. In this talk, we’ll explain how delay slots work in the real world, and how to measure and test their behavior for quirks. We will also show how to abuse these quirks to rewrite executables in a way that frustrates reverse engineering and emulation.
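To make the "more complicated than the undergrad rule" point concrete, here is an added example that is not part of the talk or its materials: a toy interpreter for a constructed mini-ISA (tuple-encoded instructions, not real MIPS encodings) that can be run under three delay-slot policies. The `naive` policy ignores delay slots entirely, `always` executes the slot instruction unconditionally, and `mips` follows real MIPS32 semantics, where the slot always executes except that branch-likely instructions such as `beql` nullify it when the branch is not taken. Comparing the three on the same program is the kind of check an analyst can use to tell whether an emulator models the slot faithfully before trusting its output on a sample.

```python
# Added illustration (not from the talk): a toy MIPS-like interpreter that
# models three delay-slot policies so emulator behaviour can be compared.
# Instruction tuples are a constructed mini-ISA, not real MIPS encodings.
#   ("li", rd, imm)           load immediate
#   ("add", rd, rs, rt)       rd = rs + rt
#   ("beq", rs, rt, target)   branch if equal (delay slot always executes)
#   ("beql", rs, rt, target)  branch-likely: slot nullified when not taken
#   ("j", target)             unconditional jump (delay slot always executes)
#   ("nop",)

BRANCHES = {"beq", "beql", "j"}


def _exec_simple(ins, regs):
    """Execute a non-branch instruction in place."""
    op = ins[0]
    if op == "li":
        regs[ins[1]] = ins[2]
    elif op == "add":
        regs[ins[1]] = regs[ins[2]] + regs[ins[3]]
    elif op == "nop":
        pass
    else:
        # A branch inside a delay slot is undefined on real MIPS; refuse it.
        raise ValueError(f"unsupported instruction in delay slot: {op}")


def run(program, policy="mips", max_steps=1000):
    """Run until pc falls off the end of the program and return the registers.

    policy:
      'naive'  - the branch takes effect immediately; no delay slot (wrong)
      'always' - the slot instruction always executes, even for branch-likely
      'mips'   - slot always executes, but branch-likely nullifies it when
                 the branch is not taken (MIPS32 semantics)
    """
    if policy not in ("naive", "always", "mips"):
        raise ValueError(f"unknown policy {policy!r}")
    regs = {f"r{i}": 0 for i in range(8)}
    pc = 0
    for _ in range(max_steps):
        if pc >= len(program):
            return regs
        ins = program[pc]
        op = ins[0]
        if op not in BRANCHES:
            _exec_simple(ins, regs)
            pc += 1
            continue
        if op == "j":
            taken, target = True, ins[1]
        else:
            taken, target = regs[ins[1]] == regs[ins[2]], ins[3]
        if policy == "naive":
            pc = target if taken else pc + 1
            continue
        slot = program[pc + 1] if pc + 1 < len(program) else ("nop",)
        nullify = policy == "mips" and op == "beql" and not taken
        if not nullify:
            _exec_simple(slot, regs)
        # The slot instruction has been consumed, so fall-through skips it.
        pc = target if taken else pc + 2
    raise RuntimeError("step limit exceeded")


# Constructed sample programs.
TAKEN_BEQ = [
    ("li", "r1", 1),
    ("li", "r2", 1),
    ("beq", "r1", "r2", 5),   # taken
    ("li", "r3", 42),         # delay slot: executes on real hardware
    ("li", "r3", 7),          # skipped when the branch is taken
    ("add", "r4", "r3", "r1"),
]

NOT_TAKEN_BEQL = [
    ("li", "r1", 1),
    ("li", "r2", 2),
    ("beql", "r1", "r2", 5),  # not taken: slot is nullified on real MIPS
    ("li", "r3", 42),         # delay slot
    ("add", "r3", "r3", "r1"),
    ("add", "r4", "r3", "r1"),
]


def compare(program, reg="r4"):
    """Return the final value of `reg` under each delay-slot policy."""
    return {p: run(program, p)[reg] for p in ("naive", "always", "mips")}


if __name__ == "__main__":
    print(compare(TAKEN_BEQ))       # naive differs from both slot-aware policies
    print(compare(NOT_TAKEN_BEQL))  # only 'mips' nullifies the slot
```

On `TAKEN_BEQ` the naive policy never runs the slot, so `r4` ends as 1 while both slot-aware policies give 43; on `NOT_TAKEN_BEQL` the `always` policy agrees with the naive one (44) and only the faithful `mips` policy yields 2. An emulator whose results match `naive` or `always` on such probes is not modelling the slot the way the silicon does.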
Why is our material different/innovative/significant?
The usefulness of processor quirks for sandbox detection has been well documented and researched on traditional x86/x64 systems, and to some extent on ARM systems. These techniques have been used for defeating malware analysis sandboxes, interfering with debugging, identifying specific systems, and for other purposes. However, the good techniques are highly processor dependent, and similar techniques have not been found for embedded processors. Our talk presents novel techniques, and how we found them, for the MIPS16 instruction family. These can be used to frustrate reverse engineering and emulation of malware for home routers and other embedded targets.