Peng Qian,Zhenguang Liu,Yifang Yin,Qinming He

DOI: https://doi.org/10.1145/3543507.3583367

2023-01-01

Abstract:Over the past couple of years, smart contracts have been plagued by multifarious vulnerabilities, which have led to catastrophic financial losses. Their security issues, therefore, have drawn intense attention. As countermeasures, a family of tools has been developed to identify vulnerabilities in smart contracts at the source-code level. Unfortunately, only a small fraction of smart contracts is currently open-sourced. Another spectrum of work is presented to deal with pure bytecode, but most such efforts still suffer from relatively low performance due to the inherent difficulty in restoring abundant semantics in the source code from the bytecode. This paper proposes a novel cross-modality mutual learning framework for enhancing smart contract vulnerability detection on bytecode. Specifically, we engage in two networks, a student network as the primary network and a teacher network as the auxiliary network. takes two modalities, i.e., source code and its corresponding bytecode as inputs, while is fed with only bytecode. By learning from , is trained to infer the missed source code embeddings and combine both modalities to approach precise vulnerability detection. To further facilitate mutual learning between and , we present a cross-modality mutual learning loss and two transfer losses. As a side contribution, we construct and release a labeled smart contract dataset that concerns four types of common vulnerabilities. Experimental results show that our method significantly surpasses state-of-the-art approaches.

Zhenzhou Tian,Yaqian Huang,Jie Tian,Zhongmin Wang,Yanping Chen,Lingwei Chen

DOI: https://doi.org/10.18293/seke2022-040

2022-01-01

Abstract:Smart contracts are programs that run on a blockchain, where Ethereum is one of the most popular ones supporting them.Due to the fact that they are immutable, it is essential to design smart contracts bug-free before they are deployed.However, various defects have been found in the deployed smart contracts, causing huge economic losses and lowing people's trust.Writing secure smart contracts is far from trivial, where developers tend to engage in reliable resources or social coding platforms to reuse code.This leads to a large number of similar contracts with potential security risks.Therefore, detecting similarity of smart contracts helps to avoid vulnerabilities, identify threats, and improve the security of Ethereum.In this paper, we design a learning-effective and costefficient model, called SmartSD, for Ethereum smart contract similarity detection.Different from the current research efforts, SmartSD is performed on a bytecode level and leverages deep neural networks to learn the latent representations from the opcode sequences for smart contract bytecodes, where the representation learning and similarity measurement are supervised via siamese neural networks.The experimental evaluations demonstrate that SmartSD outperforms EClone's 93.27% accuracy, achieving 98.37% high detection accuracy and 0.9850 F1-score, which is computationally tractable and effectively mitigates the interference caused by compilers.

Zhongyuan Qin,Yadong Shi,Hui Zuo,Xuxian Jiang

DOI: https://doi.org/10.1109/ICSIP57908.2023.10271080

2023-07-08

Abstract:Code similarity detection is crucial for conducting security audits on smart contracts. It enables important audit tasks such as vulnerability mining and malicious contract detection based on code similarity. However, as the majority of smart contracts on Ethereum do not share their source code, detecting code similarity based on bytecode is of great significance. This paper proposes a method for self-supervised learning-based bytecode similarity detection, which obtains the control flow graph (CFG) from the bytecode in a symbolic way by simulating the execution of all instructions on the Ethereum Virtual Machine. Similarity detection is then performed at the function level. The proposed method utilizes a self-supervised model to obtain features from the bytecode and combines them with the features obtained from the stack when generating CFG to detect bytecode similarity. Experimental results demonstrate that the proposed method outperforms the baseline in terms of performance.

Computer Science

Bu-Tian HUANG,Qi LIU,Qin-Ming HE,Zhen-Guang LIU,Jian-Hai CHEN

DOI: https://doi.org/10.16383/j.aas.2017.c160655

2017-01-01

Abstract:As an innovative extension of the blockchain technology,smart contract enables users to implement personalized logic.As such,blockchain technology becomes more simple and useful.However,due to the rapid increase of the amount of smart contract codes,managing smart contract codes is becoming much more challenging.Automatic code classifier,which rests on the machine learning methods,can automatically identify the categories of the codes so as to saves a lot of human efforts.In this paper we investigate the smart contract codes of the Ethereum platform and propose a novel smart contract code classifier.To the best of our knowledge,this is the first exploration on automatic classification of the smart contract codes.The classifier is based on the word embedding model.Since each smart contract corresponds to a series of transactions,we further utilize the transactions in the contract to understand the intrinsic logic of the contract.Extensive experiments have verified the effectiveness of our proposed system.

Donghai Tian,Xiaoqi Jia,Rui Ma,Shuke Liu,Wenjing Liu,Changzhen Hu

DOI: https://doi.org/10.1016/j.eswa.2020.114348

IF: 8.5

2021-01-01

Expert Systems with Applications

Abstract:Binary code similarity detection (BCSD) plays an important role in malware analysis and vulnerability discovery. Existing methods mainly rely on the expert's knowledge for the BCSD, which may not be reliable in some cases. More importantly, the detection accuracy (or performance) of these methods are not so satisfied. To address these issues, we propose BinDeep, a deep learning approach for binary code similarity detection. This method firstly extracts the instruction sequence from the binary function and then uses the instruction embedding model to vectorize the instruction features. Next, BinDeep applies a Recurrent Neural Network (RNN) deep learning model to identify the specific types of two functions for later comparison. According to the type information, BinDeep selects the corresponding deep learning model for similarity comparison. Specifically, BinDeep uses the Siamese neural networks, which combine the LSTM and CNN to measure the similarities of two target functions. Different from the traditional deep learning model, our hybrid model takes advantage of the CNN spatial structure learning and the LSTM sequence learning. The evaluation shows that our approach can achieve good BCSD between cross-architecture, cross-compiler, cross-optimization, and cross-version binary code.

Di Zhu,Feng Yue,Jianmin Pang,Xin Zhou,Wenjie Han,Fudong Liu

DOI: https://doi.org/10.3390/electronics11040597

IF: 2.9

2022-02-15

Electronics

Abstract:In recent years, the number of smart contracts running in the blockchain has increased rapidly, accompanied by many security problems, such as vulnerability propagation caused by code reuse or vicious transaction caused by malicious contract deployment, for example. Most smart contracts do not publish the source code, but only the bytecode. Based on the research of bytecode similarity of smart contract, smart contract upgrade, vulnerability search and malicious contract analysis can be carried out. The difficulty of bytecode similarity research is that different compilation versions and optimization options lead to the diversification of bytecode of the same source code. This paper presents a solution, including a series of methods to measure the similarity of smart contract bytecode. Starting from the opcode of smart contract, a method of pre-training the basic block sequence of smart contract is proposed, which can embed the basic block vector. Positive samples were obtained by basic block marking, and the negative sampling method is improved. After these works, we put the obtained positive samples, negative samples and basic blocks themselves into the triplet network composed of transformers. Our solution can obtain evaluation results with an accuracy of 97.8%, so that the basic block sequence of optimized and unoptimized options can be transformed into each other. At the same time, the instructions are normalized, and the order of compiled version instructions is normalized. Experiments show that our solution can effectively reduce the bytecode difference caused by optimization options and compiler version, and improve the accuracy by 1.4% compared with the existing work. We provide a data set covering 64 currently used Solidity compilers, including one million basic block pairs extracted from them.

engineering, electrical & electronic,computer science, information systems,physics, applied

Xiuwei Shang,Li Hu,Shaoyin Cheng,Guoqiang Chen,Benlong Wu,Weiming Zhang,Nenghai Yu

2024-10-24

Abstract:Binary Code Similarity Detection (BCSD) plays a crucial role in numerous fields, including vulnerability detection, malware analysis, and code reuse identification. As IoT devices proliferate and rapidly evolve, their highly heterogeneous hardware architectures and complex compilation settings, coupled with the demand for large-scale function retrieval in practical applications, put forward higher requirements for BCSD methods. In this paper, we propose IRBinDiff, which mitigates compilation differences by leveraging LLVM-IR with higher-level semantic abstraction, and integrates a pre-trained language model with a graph neural network to capture both semantic and structural information from different perspectives. By introducing momentum contrastive learning, it effectively enhances retrieval capabilities in large-scale candidate function sets, distinguishing between subtle function similarities and differences. Our extensive experiments, conducted under varied compilation settings, demonstrate that IRBinDiff outperforms other leading BCSD methods in both One-to-one comparison and One-to-many search scenarios.

Software Engineering

Yan Wang,Peng Jia,Cheng Huang,Jiayong Liu,Peisong He

DOI: https://doi.org/10.1155/2021/9954520

IF: 1.968

2021-08-10

Security and Communication Networks

Abstract:Binary code similarity comparison is the technique that determines if two functions are similar by only considering their compiled form, which has many applications, including clone detection, malware classification, and vulnerability discovery. However, it is challenging to design a robust code similarity comparison engine since different compilation settings that make logically similar assembly functions appear to be very different. Moreover, existing approaches suffer from high-performance overheads, lower robustness, or poor scalability. In this paper, a novel solution HBinSim is proposed by employing the multiview features of the function to address these challenges. It first extracts the syntactic and semantic features of each basic block by static analysis. HBinSim further analyzes the function and constructs a syntactic attribute control flow graph and a semantic attribute control flow graph for each function. Then, a hierarchical attention graph embedding network is designed for graph-structured data processing. The network model has a hierarchical structure that mirrors the hierarchical structure of the function. It has three levels of attention mechanisms applied at the instruction, basic block, and function level, enabling it to attend differentially to more and less critical content when constructing the function representation. We conduct extensive experiments to evaluate its effectiveness and efficiency. The results show that our tool outperforms the state-of-the-art binary code similarity comparison tools by a large margin against compilation diversity clone searching. A real-world vulnerabilities search case further demonstrates the usefulness of our system.

computer science, information systems,telecommunications

Jiang Du,Qiang Wei,Yisen Wang,Xiangjie Sun

DOI: https://doi.org/10.3390/electronics12224671

IF: 2.9

2023-01-01

Electronics

Abstract:Against the backdrop of highly developed software engineering, code reuse has been widely recognized as an effective strategy to significantly alleviate the burden of development and enhance productivity. However, improper code citation could lead to security risks and license issues. With the source codes of many pieces of software being difficult to obtain, binary code similarity analysis (BCSA) has been extensively implemented in fields such as bug search, code clone detection, and patch analysis. This research selects 39 papers on BCSA from top-tier and emerging conferences within artificial intelligence, network security, and software engineering from 2016 to 2022 for deep analysis. The central focus lies on methods utilizing deep learning technologies, detailing a thorough summary and the arrangement of the application and implementation specifics of various deep learning technologies. Furthermore, this study summarizes the research patterns and development trends in this field, thereby proposing potential directions for future research.

Yang Zhang,Da Xiao,XinHao Guo,Can Cui

DOI: https://doi.org/10.1109/iaecst57965.2022.10062142

2022-01-01

Abstract:The problem of binary code similarity detection has made significant progress in malware detection. The comparison of similarity by file bytecode, assembly code, control flow graph, and so on has been applied sufficiently. Nevertheless, the above method must be revised in practical application to judge the similarity of artificially obfuscating binary code. Therefore, this paper proposes a method based on deep learning for binary similarity comparison, which works directly on function disassembly instruction sequences without manual feature extraction. Through the experiment, the improved method can get a good effect on the similarity detection of the binary code which has been obfuscated.

Xiaojun Xu,Chang Liu,Qian Feng,Heng Yin,Le Song,Dawn Song

DOI: https://doi.org/10.1145/3133956.3134018

2017-01-01

Abstract:The problem of cross-platform binary code similarity detection aims at detecting whether two binary functions coming from different platforms are similar or not. It has many security applications, including plagiarism detection, malware detection, vulnerability search, etc. Existing approaches rely on approximate graph-matching algorithms, which are inevitably slow and sometimes inaccurate, and hard to adapt to a new task. To address these issues, in this work, we propose a novel neural network-based approach to compute the embedding, i.e., a numeric vector, based on the control flow graph of each binary function, then the similarity detection can be done efficiently by measuring the distance between the embeddings for two functions. We implement a prototype called Gemini. Our extensive evaluation shows that Gemini outperforms the state-of-the-art approaches by large margins with respect to similarity detection accuracy. Further, Gemini can speed up prior art's embedding generation time by 3 to 4 orders of magnitude and reduce the required training time from more than 1 week down to 30 minutes to 10 hours. Our real world case studies demonstrate that Gemini can identify significantly more vulnerable firmware images than the state-of-the-art, i.e., Genius. Our research showcases a successful application of deep learning on computer security problems.

Fengliang Xia,Guixing Wu,Guochao Zhao,Xiangyu Li

DOI: https://doi.org/10.1007/978-3-031-15777-6_25

2022-01-01

Abstract:Binary code similarity detection (BCSD) has many applications in computer security, whose task is to detect the similarity of two binary functions without having access to the source code. Recently deep learning methods have shown better efficiency, accuracy, and potential in BCSD. Most of them reduce losses by the Siamese network, and they ignore some shortcomings of the Siamese network. In this paper, we introduce the idea of contrastive learning into graph neural networks and experimentally demonstrate that the way of training graph models by contrastive learning is significantly better than Siamese. In addition, we found that Principal Neighbourhood Aggregation for Graph Nets (PNA) has the best ability to extract structural information of control flow graph (CFG) among various graph neural networks.

Bing Xia,Jianmin Pang,Xin Zhou,Zheng Shan,Junchao Wang,Feng Yue

DOI: https://doi.org/10.1038/s41598-023-42769-9

IF: 4.6

2023-09-22

Scientific Reports

Abstract:Binary code similarity analysis is widely used in the field of vulnerability search where source code may not be available to detect whether two binary functions are similar or not. Based on deep learning and natural processing techniques, several approaches have been proposed to perform cross-platform binary code similarity analysis using control flow graphs. However, existing schemes suffer from the shortcomings of large differences in instruction syntaxes across different target platforms, inability to align control flow graph nodes, and less introduction of high-level semantics of stability, which pose challenges for identifying similar computations between binary functions of different platforms generated from the same source code. We argue that extracting stable, platform-independent semantics can improve model accuracy, and a cross-platform binary function similarity comparison model N_Match is proposed. The model elevates different platform instructions to the same semantic space to shield their underlying platform instruction differences, uses graph embedding technology to learn the stability semantics of neighbors, extracts high-level knowledge of naming function to alleviate the differences brought about by cross-platform and cross-optimization levels, and combines the stable graph structure as well as the stable, platform-independent API knowledge of naming function to represent the final semantics of functions. The experimental results show that the model accuracy of N_Match outperforms the baseline model in terms of cross-platform, cross-optimization level, and industrial scenarios. In the vulnerability search experiment, N_Match significantly improves hit@N, the mAP exceeds the current graph embedding model by 66%. In addition, we also give several interesting observations from the experiments. The code and model are publicly available at https://www.github.com/CSecurityZhongYuan/Binary-Name_Match.

multidisciplinary sciences

Guangming Liu,Xin Zhou,Jianmin Pang,Feng Yue,Wenfu Liu,Junchao Wang

DOI: https://doi.org/10.3390/electronics12071722

IF: 2.9

2023-04-05

Electronics

Abstract:Binary code similarity detection is used to calculate the code similarity of a pair of binary functions or files, through a certain calculation method and judgment method. It is a fundamental task in the field of computer binary security. Traditional methods of similarity detection usually use graph matching algorithms, but these methods have poor performance and unsatisfactory effects. Recently, graph neural networks have become an effective method for analyzing graph embeddings in natural language processing. Although these methods are effective, the existing methods still do not sufficiently learn the information of the binary code. To solve this problem, we propose Codeformer, an iterative model of a graph neural network (GNN)-nested Transformer. The model uses a Transformer to obtain an embedding vector of the basic block and uses the GNN to update the embedding vector of each basic block of the control flow graph (CFG). Codeformer iteratively executes basic block embedding to learn abundant global information and finally uses the GNN to aggregate all the basic blocks of a function. We conducted experiments on the OpenSSL, Clamav and Curl datasets. The evaluation results show that our method outperforms the state-of-the-art models.

engineering, electrical & electronic,computer science, information systems,physics, applied

Hui Guo,Shuguang Huang,Cheng Huang,Min Zhang,Zulie Pan,Fan Shi,Hui Huang,Donghui Hu,Xiaoping Wang

DOI: https://doi.org/10.1109/access.2020.3004813

IF: 3.9

2020-01-01

IEEE Access

Abstract:The technique of binary code similarity detection (BCSD) has been applied in many fields, such as malware detection, plagiarism detection and vulnerability search, etc. Existing solutions for the BCSD problem usually compare specific features between binaries based on the control flow graphs of functions from binaries or compute the embedding vector of binary functions and solve the problem based on deep learning algorithms. In this paper, from another research perspective, we propose a new and lightweight method to solve cross-version BCSD problem based on multiple features. It transforms binary functions into vectors and signals and computes the similarity coefficient value and correlation coefficient value for solving cross-version BCSD problem. Without relying on the CFG of functions, deep learning algorithms and other related attributes, our method works directly on the raw bytes of each binary and it can be used as an alternative method to coping with various complex situations that exist in the real-world environment. We implement the method and evaluate it on a custom dataset with about 423,282 samples. The result shows that the method could perform well in cross-version BCSD field, and the recall of our method could reach 96.63%, which is almost the same as the state-of-the-art static solution.

XIANGYU LI,GUOHAO WU,Zhimin Gao,HONGLIANG LIANG

DOI: https://doi.org/10.22541/au.168232923.30848803/v1

2023-01-01

Abstract:Binary similarity detection determines whether two given binary code snippets are similar or not, usually on function granularity. This task is challenging due to different compilation optimizations and CPU architectures. Recently, deep-learning methods have made great achievements in this field, although most of them use artificially selected features or ignore some important semantic information like code literals or function signatures during feature processing. In addition, random samples and pair loss function are used in similarity training, which only covers limited similarity relations between functions. In this paper, a new framework MFEN-Sim is proposed to detect similar binary functions. The framework contains three stages: feature extraction and normalization, mutli-feature based function feature embedding network (MFEN) and similarity learning network. Multiple features including assembly instructions, CFG structures and function code literals are extracted from binary functions. Then these features are fed into MFEN composed of three modules: function semantic and structure embedding module, function signature prediction module, and function code literal embedding module. The three modules generate embeddings representing the function semantic and structural features, the function signature prediction features and the function code literal features. Finally, MFEN-Sim utilizes a similarity training network based on contrastive learning to make MFEN recognize more similarity relations between functions. MFEN-Sim is evaluated on 281,601 functions in 144 binaries and 17 CVEs in real-world software. Experimental results show that our work outperforms state-of-the-art systems ( i.e., Gemini, FIT and SAFE) by 7.1%, 9.9% and 8.2% on AUC metric in cross-architecture, optimization-level similarity detection, and achieves higher recall than baselines in searching vulnerabilities in real-world applications.

Fei Zuo,Xiaopeng Li,Patrick Young,Lannan Luo,Qiang Zeng,Zhexin Zhang

DOI: https://doi.org/10.14722/ndss.2019.23492

2018-01-01

Abstract: Binary code analysis allows analyzing binary code without having access to the corresponding source code. A binary, after disassembly, is expressed in an assembly language. This inspires us to approach binary analysis by leveraging ideas and techniques from Natural Language Processing (NLP), a rich area focused on processing text of various natural languages. We notice that binary code analysis and NLP share a lot of analogical topics, such as semantics extraction, summarization, and classification. This work utilizes these ideas to address two important code similarity comparison problems. (I) Given a pair of basic blocks for different instruction set architectures (ISAs), determining whether their semantics is similar or not; and (II) given a piece of code of interest, determining if it is contained in another piece of assembly code for a different ISA. The solutions to these two problems have many applications, such as cross-architecture vulnerability discovery and code plagiarism detection. We implement a prototype system INNEREYE and perform a comprehensive evaluation. A comparison between our approach and existing approaches to Problem I shows that our system outperforms them in terms of accuracy, efficiency and scalability. And the case studies utilizing the system demonstrate that our solution to Problem II is effective. Moreover, this research showcases how to apply ideas and techniques from NLP to large-scale binary code analysis.

Meng Qiao,Xiaochuan Zhang,Huihui Sun,Zheng Shan,Fudong Liu,Wenjie Sun,Xingwei Li

DOI: https://doi.org/10.1007/s13369-021-05630-7

IF: 2.807

2021-04-16

Arabian Journal for Science and Engineering

Abstract:Cross-architecture binary code similarity metric is a fundamental technique in many machine learning-based binary program analysis methods. Some researches recently utilize graph embedding methods to generate binary code embedding and regard Euclidean distance between two binary code as a similarity. However, these researches utilize manual features and do not make full use of binary code structure information, which causes the loss of binary code information. To solve above problems, we propose a multi-level neural network model to generate binary code embedding, which includes CFG(control flow graph) structure information and basic block information. We could measure the cross-architecture similarity through the Euclidean distance of binary code embedding. We conduct a series of experiments to compare the similarity of cross-architecture binary code, and the results demonstrate that our model can overcome the limitations described above and show superiority over the state-of-the-art methods.

multidisciplinary sciences

Hao Gao,Tong Zhang,Songqiang Chen,Lina Wang,Fajiang Yu

DOI: https://doi.org/10.3390/sym14122549

2022-12-03

Symmetry

Abstract:Binary code similarity measurement is a popular research area in binary analysis with the recent development of deep learning-based models. Current state-of-the-art methods often use the pre-trained language model (PTLM) to embed instructions into basic blocks as representations of nodes within a control flow graph (CFG). These methods will then use the graph neural network (GNN) to embed the whole CFG and measure the binary similarities between these code embeddings. However, these methods almost directly treat the assembly code as a natural language text and ignore its code-specific features when training PTLM. Moreover, They barely consider the direction of edges in the CFG or consider it less efficient. The weaknesses of the above approaches may limit the performances of previous methods. In this paper, we propose a novel method called function similarity using code-specific PPTs and order-sensitive GNN (FUSION). Since the similarity of binary codes is a symmetric/asymmetric problem, we were guided by the ideas of symmetry and asymmetry in our research. They measure the binary function similarity with two code-specific PTLM training strategies and an order-sensitive GNN, which, respectively, alleviate the aforementioned weaknesses. FUSION outperforms the state-of-the-art binary similarity methods by up to 5.4% in accuracy, and performs significantly better.

Jianjun Huang,Songming Han,Wei You,Wenchang Shi,Bin Liang,Jingzheng Wu,Yanjun Wu

DOI: https://doi.org/10.1109/TIFS.2021.3050051

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Smart contract vulnerabilities have attracted lots of concerns due to the resultant financial losses. Matching-based detection methods extrapolating known vulnerabilities to unknown have proven to be effective in other platforms. However, directly adopting the technique to smart contracts is obstructed by two issues, i.e., diversity of bytecode generation resulting from the rapid evolution of compilers and interference of noise code easily caused by the homogeneous business logics. To address the problems, we propose contract bytecode-oriented normalization and slicing techniques to augment bytecode matching. Specifically, we conduct data- and instruction-level normalizations to uniform the bytecode generated by different compilers, and enforce contract-specific slicing by tracking data- and control-flows with simulated bytecode executions to prune the noise code as far as possible. Based on the above techniques, we design an unsupervised graph embedding algorithm to encode the code graphs into quantitatively comparable vectors. The potentially vulnerable smart contracts can be identified by measuring the similarities between their vectors and known vulnerable ones. Our evaluations have shown the efficiency (0.47 seconds per contract on average), effectiveness (160 verified true positives) and high precision (91.95% for top-ranked). It is worth noting that, we also identify dozens of honeypot contracts, further demonstrating the capability of our method.