Jing QIU,Xiaohong SU,Peijun MA

DOI: https://doi.org/10.3969/j.issn.2095-2163.2015.05.009

2015-01-01

Abstract:Inline library functions identification is one of the difficult issues in binary code analysis.The main challenge comes from the polymorphism and discontinuity of inlined functions due to compiler optimizations.The paper builds execu-tion flow graphs of functions, converting inline library functions identification to subgraph isomorphism testings.In the eval-uation, four string operation functions, which are often inlined by a compiler, are evaluated by using MSVC10 and ICC14 with five open source programs.Experimental results show that the proposed approach is effective in inline library functions identification.

Jing Qiu,Xiaohong Su,Peijun Ma

DOI: https://doi.org/10.1109/tse.2015.2470241

IF: 7.4

2015-01-01

IEEE Transactions on Software Engineering

Abstract:Discontinuity and polymorphism of a library function create two challenges for library function identification, which is a key technique in reverse engineering. A new hybrid representation of dependence graph and control flow graph called Execution Flow Graph (EFG) is introduced to describe the semantics of binary code. Library function identification turns to be a subgraph isomorphism testing problem since the EFG of a library function instance is isomorphic to the sub-EFG of this library function. Subgraph isomorphism detection is time-consuming. Thus, we introduce a new representation called Reduced Execution Flow Graph (REFG) based on EFG to speed up the isomorphism testing. We have proved that EFGs are subgraph isomorphic as long as their corresponding REFGs are subgraph isomorphic. The high efficiency of the REFG approach in subgraph isomorphism detection comes from fewer nodes and edges in REFGs and new lossless filters for excluding the unmatched subgraphs before detection. Experimental results show that precisions of both the EFG and REFG approaches are higher than the state-of-the-art tool and the REFG approach sharply decreases the processing time of the EFG approach with consistent precision and recall.

Jing Qiu,Xiaohong Su,Peijun Ma

DOI: https://doi.org/10.1002/smr.1733

2015-01-01

Journal of Software Evolution and Process

Abstract:In binary code analysis, current function identification approaches are challenged by functions without explicit call sites and handcrafted assembly without standard prologues/epilogues. We propose a new function representation called a reverse extended control flow graph (RECFG) and a RECFG‐based method for identifying functions in stripped binary code. A function has at least one return instruction (an instruction that makes the control flow leave a function). Therefore, return instructions are more reliable than the function prologues and epilogues used by traditional methods. We first build RECFGs from any values that can be interpreted as return instructions in a code range. Then, for each independent RECFG, the multiple‐decision method chooses a subgraph as the control flow graph of a function. A prototype tool is developed for evaluation on seven open source applications, 138 binaries in MASM32 code examples, and 292 binaries in Windows XP SP3. Experimental results show that the proposed method can identify functions that cannot be identified by current methods with high precision and stable recall. Copyright © 2015 John Wiley & Sons, Ltd.

Wei Tang,Ping Luo,Jialiang Fu,Dan Zhang

DOI: https://doi.org/10.1109/saner48275.2020.9054845

2020-01-01

Abstract:With the development of the open-source movement, third-party library reuse is commonly practiced in programming. Application developers can reuse the code to save time and development costs. However, there are some hidden risks in misusing third-party libraries such as license violation and security vulnerability. The identification of libraries written in C or C++ is impeded by compilation process which hides most features of code. The same open-source package can be compiled into different binary code by different compilation processes. Therefore, this paper proposes LibDX, a platform-independent and fully-automated system, to detect reused libraries in binary files. With a well-designed feature extractor, LibDX can overcome compilation diversity between binary files. LibDX novelly introduces the logic feature block concept which is applied to deal with the feature duplication challenge in a large-scale feature database. We built a large test data set covering multiple platforms and evaluated LibDX with 9.5K packages including 25.8K C/C++ binary files. Our results show that LibDX achieves a precision of 92% and a recall of 97%, and outperforms state-of-the-art tools. We have validated the performance of the system with closed source commercial applications and found some license violation cases.

WANG Wei,CHEN Kai-Ming

DOI: https://doi.org/10.3969/j.issn.1003-3254.2012.08.013

2012-01-01

Abstract:The decompilation decode binary instructions and data into high level source code against compilation.It plays an important part in finding malware and discovering software vulnerability.But the recognition of template library functions is very difficult in decompilation of object-oriented language.This paper analyzes the existing algorithm of library function recognition and aims at the key problem of feature conflicts to introduce an improved algorithm based on feature-recognition.This algorithm can store much more library function informations to avoid feature conflicts and has been verified in some experiments about C++ STL recognition.

Toufique Ahmed,Premkumar Devanbu,Anand Ashok Sawant

DOI: https://doi.org/10.48550/arXiv.2103.05221

2021-03-09

Software Engineering

Abstract:Much software, whether beneficent or malevolent, is distributed only as binaries, sans source code. Absent source code, understanding binaries' behavior can be quite challenging, especially when compiled under higher levels of compiler optimization. These optimizations can transform comprehensible, "natural" source constructions into something entirely unrecognizable. Reverse engineering binaries, especially those suspected of being malevolent or guilty of intellectual property theft, are important and time-consuming tasks. There is a great deal of interest in tools to "decompile" binaries back into more natural source code to aid reverse engineering. Decompilation involves several desirable steps, including recreating source-language constructions, variable names, and perhaps even comments. One central step in creating binaries is optimizing function calls, using steps such as inlining. Recovering these (possibly inlined) function calls from optimized binaries is an essential task that most state-of-the-art decompiler tools try to do but do not perform very well. In this paper, we evaluate a supervised learning approach to the problem of recovering optimized function calls. We leverage open-source software and develop an automated labeling scheme to generate a reasonably large dataset of binaries labeled with actual function usages. We augment this large but limited labeled dataset with a pre-training step, which learns the decompiled code statistics from a much larger unlabeled dataset. Thus augmented, our learned labeling model can be combined with an existing decompilation tool, Ghidra, to achieve substantially improved performance in function call recovery, especially at higher levels of optimization.

Wei Tang,Yanlin Wang,Hongyu Zhang,Shi Han,Ping Luo,Dongmei Zhang

DOI: https://doi.org/10.1145/3524842.3528442

2022-01-01

Abstract:Third-party libraries (TPLs) are reused frequently in software applications for reducing development cost. However, they could introduce security risks as well. Many TPL detection methods have been proposed to detect TPL reuse in Android bytecode or in source code. This paper focuses on detecting TPL reuse in binary code, which is a more challenging task. For a detection target in binary form, libraries may be compiled and linked to separate dynamic-link files or built into a fused binary that contains multiple libraries and project-specific code. This could result in fewer available code features and lower the effectiveness of feature engineering. In this paper, we propose a binary TPL reuse detection framework, LibDB, which can effectively and efficiently detect imported TPLs even in stripped and fused binaries. In addition to the basic and coarse-grained features (string literals and exported function names), LibDB utilizes function contents as a new type of feature. It embeds all functions in a binary file to low-dimensional representations with a trained neural network. It further adopts a function call graph-based comparison method to improve the accuracy of the detection. LibDB is able to support version identification of TPLs contained in the detection target, which is not considered by existing detection methods. To evaluate the performance of LibDB, we construct three datasets for binary-based TPL reuse detection. Our experimental results show that LibDB is more accurate and efficient than state-of-the-art tools on the binary TPL detection task and the version identification task. Our datasets and source code used in this work are anonymously available at https://github.com/DeepSoftwareAnalytics/LibDB.

Yanchen Qiao,Xiaochun Yun,Yongzheng Zhang

DOI: https://doi.org/10.1109/TrustCom.2016.0159

2016-01-01

Abstract:It is a common phenomenon to reuse code from open source code or personal previous work in software/malware development. In addition, compilers often insert many functions when compiling. Therefore, to fast identify these reused functions in binary executables and trace their origins is helpful for reverse engineering, software copyright protection, malware detection and correlation and so on. Much research in recent years has focused on code similarity identification, whereas only a few researchers have addressed the problem of reused function retrieval. In this paper, we proposed a method for fast retrieving reused function in a large corpus of code based on simhash and inverted index. First of all, we constructed a code database including massive binary executables, their functions, the code blocks of functions and the simhash value of code blocks and the inverted index of these elements. Then, for a function to be retrieved, we split it into several code blocks according to the jump instructions and jump addresses, and calculated simhash value for every code block. Similar code blocks could be fast retrieved from the code database based on simhash. Consequently, we could easily retrieve those possibly similar functions using inverted index, and further locate them in binary executables. The experimental evaluation shows that our method achieves high accuracy rate and recall rate, and has a fast speed.

Tao Wei,Runpu Wu,Tielei Wang,Xinjian Zhao,Wei Zou,Weihong Zheng

DOI: https://doi.org/10.1007/978-3-642-28798-5_19

2012-01-01

Abstract:Call graph plays an important role in interprocedural program analysis methods. However, due to the common exist of function pointers and virtual functions in large programs, call graphs used in current program analysis systems are usually incomplete and imprecise, especially in analysis systems for binary executables. In this paper, we present a scalable and effective approach to automatically resolve virtual-function calls in executables. For the benchmark used in previous studies, our approach resolved almost 100% of reachable virtual function call-sites, whereas CodeSurfer/x86 resolved about 82%. © 2012 Springer-Verlag.

Ang Jia,Ming Fan,Xi Xu,Wuxia Jin,Haijun Wang,Ting Liu

2024-01-11

Abstract:Binary function similarity detection plays an important role in a wide range of security applications. Existing works usually assume that the query function and target function share equal semantics and compare their full semantics to obtain the similarity. However, we find that the function mapping is more complex, especially when function inlining happens.

Software Engineering,Cryptography and Security

Yikun Hu,Hui Wang,Yuanyuan Zhang,Bodong Li,Dawu Gu

DOI: https://doi.org/10.1109/tse.2019.2918326

IF: 7.4

2019-01-01

IEEE Transactions on Software Engineering

Abstract:Binary code similarity comparison is a methodology for identifying similar or identical code fragments in binary programs. It is indispensable in fields of software engineering and security, which has many important applications (e.g., plagiarism detection, bug detection). With the widespread of smart and Internet of Things (IoT) devices, an increasing number of programs are ported to multiple architectures (e.g., ARM, MIPS). It becomes necessary to detect similar binary code across architectures as well. The main challenge of this topic lies in the semantics-equivalent code transformation resulting from different compilation settings, code obfuscation, and varied instruction set architectures. Another challenge is the trade-off between comparison accuracy and coverage. Unfortunately, existing methods still heavily rely on semantics-less code features which are susceptible to the code transformation. Additionally, they perform the comparison merely either in a static or in a dynamic manner, which cannot achieve high accuracy and coverage simultaneously. In this paper, we propose a semantics-based hybrid method to compare binary function similarity. We execute the reference function with test cases, then emulate the execution of every target function with the runtime information migrated from the reference function. Semantic signatures are extracted during the execution as well as the emulation. Lastly, similarity scores are calculated from the signatures to measure the likeness of functions. We have implemented the method in a prototype system designated as BinMatch which performs binary code similarity comparison across architectures of x86, ARM and MIPS on the Linux platform. We evaluate BinMatch with nine real-word projects compiled with different compilation settings, on variant architectures, and with commonly-used obfuscation methods, totally performing over 100 million pairs of function comparison. The experimental results show that BinMatch is resilient to the semantics-equivalent code transformation. Besides, it not only covers all target functions for similarity comparison, but also improves the accuracy comparing to the state-of-the-art solutions.

Matan Avitan,Elena V. Ravve,Zeev Volkovich

DOI: https://doi.org/10.3390/math12050658

IF: 2.4

2024-02-25

Mathematics

Abstract:Many different aspects of software system development and verification rely on precise function identification in binary code. Recognition of the source Assembly functions in embedded systems is one of the fundamental challenges in binary program analysis. While numerous approaches assume that the functions are given a priori, correct identification of the functions in binaries remains a great issue. This contribution addresses the problem of uncertainty in binary code in identification of functions, which were optimized during compilation. This paper investigates the difference between debug and optimized functions via modeling of these functions. To do so, we introduce an extensible model-centred hands-on approach for examining similarities between binary functions. The main idea is to model each function using a set of predetermined, experimentally discovered features, and then find a suitable weight vector that could give impact factor to each such a feature. After finding the weight vector, the introduced models of such desired functions can be identified in binary software packages. It means that we reduce the similarity identification problem of the models to a classical version of optimization problems with one optimization criterion. Using our implementation, we found that the proposed approach works smoothly for functions, which contain at least ten Assembly instructions. Our tool guarantees success at a very high level.

mathematics

Ang Jia,Ming Fan,Wuxia Jin,Xi Xu,Zhaohui Zhou,Qiyi Tang,Sen Nie,Shi Wu,Ting Liu

DOI: https://doi.org/10.1145/3561385

IF: 3.685

2023-01-01

ACM Transactions on Software Engineering and Methodology

Abstract:Binary similarity analysis is critical to many code-reuse-related issues, where function matching is its fundamental task. “ 1-to-1 ” mechanism has been applied in most binary similarity analysis works, in which one function in a binary file is matched against one function in a source file or binary file. However, we discover that the function mapping is a more complex problem of “ 1-to-n ” (one binary function matches multiple source functions or binary functions) or even “ n-to-n ” (multiple binary functions match multiple binary functions) due to the existence of function inlining , different from traditional understanding. In this article, we investigate the effect of function inlining on binary similarity analysis. We carry out three studies to investigate the extent of function inlining, the performance of existing works under function inlining, and the effectiveness of existing inlining-simulation strategies. Firstly, a scalable and lightweight identification method is designed to recover function inlining in binaries. 88 projects (compiled in 288 versions and resulting in 32,460,156 binary functions) are collected and analyzed to construct four inlining-oriented datasets for four security tasks in the software supply chain, including code search, OSS (Open Source Software) reuse detection, vulnerability detection, and patch presence test. Datasets reveal that the proportion of function inlining ranges from 30–40% when using O3 and sometimes can reach nearly 70%. Then, we evaluate four existing works on our dataset. Results show most existing works neglect inlining and use the “1-to-1” mechanism. The mismatches cause a 30% loss in performance during code search and a 40% loss during vulnerability detection. Moreover, most inlined functions would be ignored during OSS reuse detection and patch presence test, thus leaving these functions risky. Finally, we analyze two inlining-simulation strategies on our dataset. It is shown that they miss nearly 40% of the inlined functions, and there is still a large space for promotion. By precisely recovering when function inlining happens, we discover that inlining is usually cumulative when optimization increases. Thus, conditional inlining and incremental inlining are recommended to design a low-cost and high-coverage inlining-simulation strategy.

Hoyt Koepke,Elizabeth Thompson

DOI: https://doi.org/10.48550/arXiv.1301.3946

2013-02-19

Abstract:We propose a new framework for designing test and query functions for complex structures that vary across a given parameter such as genetic marker position. The operations we are interested in include equality testing, set operations, isolating unique states, duplication counting, or finding equivalence classes under identifiability constraints. A motivating application is locating equivalence classes in identity-by-descent (IBD) graphs, graph structures in pedigree analysis that change over genetic marker location. The nodes of these graphs are unlabeled and identified only by their connecting edges, a constraint easily handled by our approach. The general framework introduced is powerful enough to build a range of testing functions for IBD graphs, dynamic populations, and other structures using a minimal set of operations. The theoretical and algorithmic properties of our approach are analyzed and proved. Computational results on several simulations demonstrate the effectiveness of our approach.

Data Structures and Algorithms,Quantitative Methods,Computation

Siyuan Li,Yongpan Wang,Chaopeng Dong,Shouguo Yang,Hong Li,Hao Sun,Zhe Lang,Zuxin Chen,Weijie Wang,Hongsong Zhu,Limin Sun

2023-09-12

Abstract:Third-party libraries (TPLs) are extensively utilized by developers to expedite the software development process and incorporate external functionalities. Nevertheless, insecure TPL reuse can lead to significant security risks. Existing methods are employed to determine the presence of TPL code in the target binary. Existing methods, which involve extracting strings or conducting function matching, are employed to determine the presence of TPL code in the target binary. However, these methods often yield unsatisfactory results due to the recurrence of strings and the presence of numerous similar non-homologous functions. Additionally, they struggle to identify specific pieces of reused code in the target binary, complicating the detection of complex reuse relationships and impeding downstream tasks. In this paper, we observe that TPL reuse typically involves not just isolated functions but also areas encompassing several adjacent functions on the Function Call Graph (FCG). We introduce LibAM, a novel Area Matching framework that connects isolated functions into function areas on FCG and detects TPLs by comparing the similarity of these function areas. Furthermore, LibAM is the first approach capable of detecting the exact reuse areas on FCG and offering substantial benefits for downstream tasks. Experimental results demonstrate that LibAM outperforms all existing TPL detection methods and provides interpretable evidence for TPL detection results by identifying exact reuse areas. We also evaluate LibAM's accuracy on large-scale, real-world binaries in IoT firmware and generate a list of potential vulnerabilities for these devices. Last but not least, by analyzing the detection results of IoT firmware, we make several interesting findings, such as different target binaries always tend to reuse the same code area of TPL.

Software Engineering,Cryptography and Security

Tie-Ming Liu,Lie-Hui Jiang,Jing,Yuan-Yuan Zhang

DOI: https://doi.org/10.4236/jcc.2015.35003

2015-01-01

Journal of Computer and Communications

Abstract:When doing reverse analysis of program’s binary codes, it is often to encounter the function of cryptographic library. In order to reduce workload, a cryptographic library model has been designed by analysts. Models use formalized approach to describe the frame of cryptology and the structure of cryptographic function, complete the mapping from cryptographic function property to its architecture, and accomplish the result presentation of data analysis and mapping at last. The model can solve two problems: the first one is to know the hierarchy of the cryptographic function in the library well; the second one is to know some kinds of information, such as related cryptology algorithm and protocol, etc. These function implements can display the result graphically. The model can find relevant knowledge for the analysts automatically and rapidly, which is helpful to the learning of the overall abstract structure of cryptology.

Yan Wang,Peng Jia,Cheng Huang,Jiayong Liu,Peisong He

DOI: https://doi.org/10.1155/2021/9954520

IF: 1.968

2021-08-10

Security and Communication Networks

Abstract:Binary code similarity comparison is the technique that determines if two functions are similar by only considering their compiled form, which has many applications, including clone detection, malware classification, and vulnerability discovery. However, it is challenging to design a robust code similarity comparison engine since different compilation settings that make logically similar assembly functions appear to be very different. Moreover, existing approaches suffer from high-performance overheads, lower robustness, or poor scalability. In this paper, a novel solution HBinSim is proposed by employing the multiview features of the function to address these challenges. It first extracts the syntactic and semantic features of each basic block by static analysis. HBinSim further analyzes the function and constructs a syntactic attribute control flow graph and a semantic attribute control flow graph for each function. Then, a hierarchical attention graph embedding network is designed for graph-structured data processing. The network model has a hierarchical structure that mirrors the hierarchical structure of the function. It has three levels of attention mechanisms applied at the instruction, basic block, and function level, enabling it to attend differentially to more and less critical content when constructing the function representation. We conduct extensive experiments to evaluate its effectiveness and efficiency. The results show that our tool outperforms the state-of-the-art binary code similarity comparison tools by a large margin against compilation diversity clone searching. A real-world vulnerabilities search case further demonstrates the usefulness of our system.

computer science, information systems,telecommunications

Tiantian Wang,Xiaohong Su,Peijun Ma

DOI: https://doi.org/10.1109/CISE.2009.5364393

2009-01-01

Abstract:Most of existing inlining algorithms are used in optimizing compilers and are not suitable for program analysis. Therefore, an inlining algorithm based on program dependence graph is proposed. It uses simple function call tree to determine the sequence of inlining and adopts program dependence graph as the intermediate representation for a program. Inline expansion is performed on program dependence graphs, and a single program dependence graph without call node is produced in the end, so that the original program is transformed into a semantically equivalent program that is free of function invocation. This algorithm has already been applied to the code normalization process of an automatic grading system of student programs and a similar code detection system. Test results show that it can improve the variation removal rate of the code normalization and facilitate program analysis. ©2009 IEEE.

Carlo Meijer,Veelasha Moonsamy,Jos Wetzels

DOI: https://doi.org/10.48550/arXiv.2009.04274

2020-09-09

Cryptography and Security

Abstract:The continuing use of proprietary cryptography in embedded systems across many industry verticals, from physical access control systems and telecommunications to machine-to-machine authentication, presents a significant obstacle to black-box security-evaluation efforts. In-depth security analysis requires locating and classifying the algorithm in often very large binary images, thus rendering manual inspection, even when aided by heuristics, time consuming. In this paper, we present a novel approach to automate the identification and classification of (proprietary) cryptographic primitives within binary code. Our approach is based on Data Flow Graph (DFG) isomorphism, previously proposed by Lestringant et al. Unfortunately, their DFG isomorphism approach is limited to known primitives only, and relies on heuristics for selecting code fragments for analysis. By combining the said approach with symbolic execution, we overcome all limitations of their work, and are able to extend the analysis into the domain of unknown, proprietary cryptographic primitives. To demonstrate that our proposal is practical, we develop various signatures, each targeted at a distinct class of cryptographic primitives, and present experimental evaluations for each of them on a set of binaries, both publicly available (and thus providing reproducible results), and proprietary ones. Lastly, we provide a free and open-source implementation of our approach, called Where's Crypto?, in the form of a plug-in for the popular IDA disassembler.

Junjie Tao,Jifei Shi,Ming Fan,Yin Wang,Junfeng Liu,Ting Liu

DOI: https://doi.org/10.1145/3605762.3624428

2023-01-01

Abstract:Miniapps have become an indispensable part of people's lives. Meanwhile, the utilization of third-party libraries greatly streamlines, expedites, and enhances the development of miniapps. However, ensuring the security of these third-party libraries presents a challenge, as they may harbor security vulnerabilities, such as plaintext transmission. In this paper, we propose JSLibD, an automated extraction method for third-party libraries in miniapps. Unlike conventional extraction methods that heavily rely on prior knowledge, JSLibD introduces a heuristic prediction approach, comprising two integral components: a whitelist matching method to match the known libraries and a heuristic prediction method to extract the unknown libraries using function call relationships. The results demonstrate that JSLibD can efficiently match known libraries, and accurately predict unknown libraries, achieving an impressive precision rate of 85.9% and a high recall rate of 97.2%.