Xiuwei Shang,Li Hu,Shaoyin Cheng,Guoqiang Chen,Benlong Wu,Weiming Zhang,Nenghai Yu

2024-10-24

Abstract:Binary Code Similarity Detection (BCSD) plays a crucial role in numerous fields, including vulnerability detection, malware analysis, and code reuse identification. As IoT devices proliferate and rapidly evolve, their highly heterogeneous hardware architectures and complex compilation settings, coupled with the demand for large-scale function retrieval in practical applications, put forward higher requirements for BCSD methods. In this paper, we propose IRBinDiff, which mitigates compilation differences by leveraging LLVM-IR with higher-level semantic abstraction, and integrates a pre-trained language model with a graph neural network to capture both semantic and structural information from different perspectives. By introducing momentum contrastive learning, it effectively enhances retrieval capabilities in large-scale candidate function sets, distinguishing between subtle function similarities and differences. Our extensive experiments, conducted under varied compilation settings, demonstrate that IRBinDiff outperforms other leading BCSD methods in both One-to-one comparison and One-to-many search scenarios.

Software Engineering

Hao Gao,Tong Zhang,Songqiang Chen,Lina Wang,Fajiang Yu

DOI: https://doi.org/10.3390/sym14122549

2022-12-03

Symmetry

Abstract:Binary code similarity measurement is a popular research area in binary analysis with the recent development of deep learning-based models. Current state-of-the-art methods often use the pre-trained language model (PTLM) to embed instructions into basic blocks as representations of nodes within a control flow graph (CFG). These methods will then use the graph neural network (GNN) to embed the whole CFG and measure the binary similarities between these code embeddings. However, these methods almost directly treat the assembly code as a natural language text and ignore its code-specific features when training PTLM. Moreover, They barely consider the direction of edges in the CFG or consider it less efficient. The weaknesses of the above approaches may limit the performances of previous methods. In this paper, we propose a novel method called function similarity using code-specific PPTs and order-sensitive GNN (FUSION). Since the similarity of binary codes is a symmetric/asymmetric problem, we were guided by the ideas of symmetry and asymmetry in our research. They measure the binary function similarity with two code-specific PTLM training strategies and an order-sensitive GNN, which, respectively, alleviate the aforementioned weaknesses. FUSION outperforms the state-of-the-art binary similarity methods by up to 5.4% in accuracy, and performs significantly better.

Zhenhao Luo,Pengfei Wang,Wei Xie,Xu Zhou,Baosheng Wang

DOI: https://doi.org/10.3390/s23187789

2023-09-11

Abstract:Binary code similarity detection (BCSD) plays a crucial role in various computer security applications, including vulnerability detection, malware detection, and software component analysis. With the development of the Internet of Things (IoT), there are many binaries from different instruction architecture sets, which require BCSD approaches robust against different architectures. In this study, we propose a novel IoT-oriented binary code similarity detection approach. Our approach leverages a customized transformer-based language model with disentangled attention to capture relative position information. To mitigate out-of-vocabulary (OOV) challenges in the language model, we introduce a base-token prediction pre-training task aimed at capturing basic semantics for unseen tokens. During function embedding generation, we integrate directed jumps, data dependency, and address adjacency to capture multiple block relations. We then assign different weights to different relations and use multi-layer Graph Convolutional Networks (GCN) to generate function embeddings. We implemented the prototype of IoTSim. Our experimental results show that our proposed block relation matrix improves IoTSim with large margins. With a pool size of 103, IoTSim achieves a recall@1 of 0.903 across architectures, outperforming the state-of-the-art approaches Trex, SAFE, and PalmTree.

Shouguo Yang,Long Cheng,Yicheng Zeng,Zhe Lang,Hongsong Zhu,Zhiqiang Shi

DOI: https://doi.org/10.48550/arXiv.2108.06082

2021-08-13

Cryptography and Security

Abstract:Binary code similarity detection is a fundamental technique for many security applications such as vulnerability search, patch analysis, and malware detection. There is an increasing need to detect similar code for vulnerability search across architectures with the increase of critical vulnerabilities in IoT devices. The variety of IoT hardware architectures and software platforms requires to capture semantic equivalence of code fragments in the similarity detection. However, existing approaches are insufficient in capturing the semantic similarity. We notice that the abstract syntax tree (AST) of a function contains rich semantic information. Inspired by successful applications of natural language processing technologies in sentence semantic understanding, we propose a deep learning-based AST-encoding method, named ASTERIA, to measure the semantic equivalence of functions in different platforms. Our method leverages the Tree-LSTM network to learn the semantic representation of a function from its AST. Then the similarity detection can be conducted efficiently and accurately by measuring the similarity between two representation vectors. We have implemented an open-source prototype of ASTERIA. The Tree-LSTM model is trained on a dataset with 1,022,616 function pairs and evaluated on a dataset with 95,078 function pairs. Evaluation results show that our method outperforms the AST-based tool Diaphora and the-state-of-art method Gemini by large margins with respect to the binary similarity detection. And our method is several orders of magnitude faster than Diaphora and Gemini for the similarity calculation. In the application of vulnerability search, our tool successfully identified 75 vulnerable functions in 5,979 IoT firmware images.

Yuhao Jia,Zhicheng Yu,Zhen Hong

DOI: https://doi.org/10.1371/journal.pone.0305299

IF: 3.7

2024-06-12

PLoS ONE

Abstract:Binary code similarity detection plays a crucial role in various applications within binary security, including vulnerability detection, malicious software analysis, etc. However, existing methods suffer from limited differentiation in binary embedding representations across different compilation environments, lacking dynamic high-level semantics. Moreover, current approaches often neglect multi-level semantic feature extraction, thereby failing to acquire precise semantic information about the binary code. To address these limitations, this paper introduces a novel detection solution called BinBcla. This method employs an enhanced pre-training model to generate instruction embeddings with dynamic semantics for binary functions. Subsequently, multi-feature fusion technique is utilized to extract local semantic information and long-distance global features from the code, respectively, employing self-attention to comprehend the structure information of the code. Finally, an improved cosine similarity method is employed to learn relationships among all elements of the distance vectors, thereby enhancing the model's robustness to new sample functions. Experiments are conducted across different architectures, compilers, and optimization levels. The results indicate that BinBcla achieves higher accuracy, precision and F1 score compared to existing methods.

multidisciplinary sciences

Hao Wang,Zeyu Gao,Chao Zhang,Mingyang Sun,Yuchen Zhou,Han Qiu,Xi Xiao

2024-02-29

Abstract:Binary code similarity detection (BCSD) is a fundamental technique for various application. Many BCSD solutions have been proposed recently, which mostly are embedding-based, but have shown limited accuracy and efficiency especially when the volume of target binaries to search is large. To address this issue, we propose a cost-effective BCSD framework, CEBin, which fuses embedding-based and comparison-based approaches to significantly improve accuracy while minimizing overheads. Specifically, CEBin utilizes a refined embedding-based approach to extract features of target code, which efficiently narrows down the scope of candidate similar code and boosts performance. Then, it utilizes a comparison-based approach that performs a pairwise comparison on the candidates to capture more nuanced and complex relationships, which greatly improves the accuracy of similarity detection. By bridging the gap between embedding-based and comparison-based approaches, CEBin is able to provide an effective and efficient solution for detecting similar code (including vulnerable ones) in large-scale software ecosystems. Experimental results on three well-known datasets demonstrate the superiority of CEBin over existing state-of-the-art (SOTA) baselines. To further evaluate the usefulness of BCSD in real world, we construct a large-scale benchmark of vulnerability, offering the first precise evaluation scheme to assess BCSD methods for the 1-day vulnerability detection task. CEBin could identify the similar function from millions of candidate functions in just a few seconds and achieves an impressive recall rate of $85.46\%$ on this more practical but challenging task, which are several order of magnitudes faster and $4.07\times$ better than the best SOTA baseline. Our code is available at

Software Engineering,Cryptography and Security

Wenbo Zhang,Yongxin Feng,Guangjie Han,Hongbo Zhu,Xiaobo Tan

DOI: https://doi.org/10.3390/s22228739

IF: 3.9

2022-11-13

Sensors

Abstract:It is critical to detect malicious code for the security of the Internet of Things (IoT). Therefore, this work proposes a malicious code detection algorithm based on the novel feature fusion–malware image convolutional neural network (FF-MICNN). This method combines a feature fusion algorithm with deep learning. First, the malicious code is transformed into grayscale image features by image technology, after which the opcode sequence features of the malicious code are extracted by the n-gram technique, and the global and local features are fused by feature fusion technology. The fused features are input into FF-MICNN for training, and an appropriate classifier is selected for detection. The results of experiments show that the proposed algorithm exhibits improvements in its detection speed, the comprehensiveness of features, and accuracy as compared with other algorithms. The accuracy rate of the proposed algorithm is also 0.2% better than that of a detection algorithm based on a single feature.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Liting Ruan,Qizhen Xu,Shunzhi Zhu,Xujing Huang,Xinyang Lin

DOI: https://doi.org/10.3390/electronics13091715

IF: 2.9

2024-04-30

Electronics

Abstract:Binary Code Similarity Detection is a method that involves comparing two or more binary code segments to identify their similarities and differences. This technique plays a crucial role in areas such as software security, vulnerability detection, and software composition analysis. With the extensive use of binary code in software development and system optimization, binary code similarity detection has become an important area of research. Traditional methods of source code similarity detection face challenges when dealing with the unreadable and complex nature of binary code, necessitating specialized techniques and algorithms. This review compares and summarizes various techniques and methods of binary code similarity detection, highlighting their strengths and limitations in handling different characteristics of binary code. Additionally, the article suggests potential future research directions. As research and innovation in this technology continue to advance, binary code similarity detection is expected to play an increasingly significant role in fields like software security.

engineering, electrical & electronic,physics, applied,computer science, information systems

Qige Song,Yongzheng Zhang,Binglai Wang,Yige Chen

DOI: https://doi.org/10.1109/JIOT.2022.3170927

2022-06-01

Abstract:The big wave of Internet of Things (IoT) malware reflects the fragility of the current IoT ecosystem. Research has found that IoT malware can spread quickly on devices of different processer architectures, which leads our attention to cross-architecture binary similarity comparison technology. The goal of binary similarity comparison is to determine whether the semantics of two binary snippets is similar. Existing learning-based approaches usually learn the representations of binary code snippets individually and perform similarity matching based on the distance metric, without considering inter-binary semantic interactions. Moreover, they often rely on the large-scale external code corpus for instruction embeddings pre-training, which is heavyweight and easy to suffer the out-of-vocabulary (OOV) problem. In this paper, we propose an interaction-based cross-architecture IoT binary similarity comparison system, Inter-BIN. Our key insight is to introduce interaction between instruction sequences by co-attention mechanism, which can flexibly perform soft alignment of semantically related instructions from different architectures. And we design a lightweight multi-feature fusion-based instruction embedding method, which can avoid the heavy workload and the OOV problem of previous approaches. Extensive experiments show that Inter-BIN can significantly outperform state-of-the-art approaches on cross-architecture binary similarity comparison tasks of different input granularities. Furthermore, we present an IoT malware function matching dataset from real network environments, CrossMal, containing 1,878,437 cross-architecture reuse function pairs. Experimental results on CrossMal prove that Inter-BIN is practical and scalable on real-world binary similarity comparison collections.

Cryptography and Security

Yan Wang,Peng Jia,Cheng Huang,Jiayong Liu,Peisong He

DOI: https://doi.org/10.1155/2021/9954520

IF: 1.968

2021-08-10

Security and Communication Networks

Abstract:Binary code similarity comparison is the technique that determines if two functions are similar by only considering their compiled form, which has many applications, including clone detection, malware classification, and vulnerability discovery. However, it is challenging to design a robust code similarity comparison engine since different compilation settings that make logically similar assembly functions appear to be very different. Moreover, existing approaches suffer from high-performance overheads, lower robustness, or poor scalability. In this paper, a novel solution HBinSim is proposed by employing the multiview features of the function to address these challenges. It first extracts the syntactic and semantic features of each basic block by static analysis. HBinSim further analyzes the function and constructs a syntactic attribute control flow graph and a semantic attribute control flow graph for each function. Then, a hierarchical attention graph embedding network is designed for graph-structured data processing. The network model has a hierarchical structure that mirrors the hierarchical structure of the function. It has three levels of attention mechanisms applied at the instruction, basic block, and function level, enabling it to attend differentially to more and less critical content when constructing the function representation. We conduct extensive experiments to evaluate its effectiveness and efficiency. The results show that our tool outperforms the state-of-the-art binary code similarity comparison tools by a large margin against compilation diversity clone searching. A real-world vulnerabilities search case further demonstrates the usefulness of our system.

computer science, information systems,telecommunications

Yisen Wang,Ruimin Wang,Jing,Huanwei Wang

DOI: https://doi.org/10.1371/journal.pone.0245098

IF: 3.7

2021-01-01

PLoS ONE

Abstract:The rapid expansion of the open-source community has shortened the software development cycle, but the spread of vulnerabilities has been accelerated, especially in the field of the Internet of Things. In recent years, the frequency of attacks against connected devices is increasing exponentially; thus, the vulnerabilities are more serious in nature. The state-of-the-art firmware security inspection technologies, such as methods based on machine learning and graph theory, find similar applications depending on the known vulnerabilities but cannot do anything without detailed information about the vulnerabilities. Moreover, model training, which is necessary for the machine learning technologies, requires a significant amount of time and data, resulting in low efficiency and poor extensibility. Aiming at the above shortcomings, a high-efficiency similarity analysis approach for firmware code is proposed in this study. First, the function control flow features and data flow features are extracted from the functions of the firmware and of the vulnerabilities, and the features are used to calculate the SimHash of the functions. The mass storage and fast query capabilities of the SimHash are implemented by the pigeonhole principle. Second, the similarity function pairs are analyzed in detail within and among the basic blocks. Within the basic blocks, the symbolic execution is used to generate the basic block semantic information, and the constraint solver is used to determine the semantic equivalence. Among the basic blocks, the local control flow graphs are analyzed to obtain their similarity. Then, we implemented a prototype and present the evaluation. The evaluation results demonstrate that the proposed approach can implement large-scale firmware function similarity analysis. It can also get the location of the real-world firmware patch without vulnerability function information. Finally, we compare our method with existing methods. The comparison results demonstrate that our method is more efficient and accurate than the Gemini and StagedMethod. More than 90% of the firmware functions can be indexed within 0.1 s, while the search time of 100,000 firmware functions is less than 2 s.

Sun RuiJin,Guo Shize,Guo Jinhong,Li Wei,Zhan Dazhi,Sun Meng,Pan Zhisong

2023-12-27

Abstract:Function-level binary code similarity detection is a crucial aspect of cybersecurity. It enables the detection of bugs and patent infringements in released software and plays a pivotal role in preventing supply chain attacks. A practical embedding learning framework relies on the robustness of the assembly code representation and the accuracy of function-pair annotation, which is traditionally accomplished using supervised learning-based frameworks. However, annotating different function pairs with accurate labels poses considerable challenges. These supervised learning methods can be easily overtrained and suffer from representation robustness problems. To address these challenges, we propose SimCLF: A Simple Contrastive Learning Framework for Function-level Binary Embeddings. We take an unsupervised learning approach and formulate binary code similarity detection as instance discrimination. SimCLF directly operates on disassembled binary functions and could be implemented with any encoder. It does not require manually annotated information but only augmented data. Augmented data is generated using compiler optimization options and code obfuscation techniques. The experimental results demonstrate that SimCLF surpasses the state-of-the-art in accuracy and has a significant advantage in few-shot settings.

Cryptography and Security,Artificial Intelligence,Machine Learning,Programming Languages,Software Engineering

Zian Liu,Zhi Zhang,Siqi Ma,Dongxi Liu,Jun Zhang,Chao Chen,Shigang Liu,Muhammad Ejaz Ahmed,Yang Xiang

2023-08-03

Abstract:Binary similarity detection is a critical technique that has been applied in many real-world scenarios where source code is not available, e.g., bug search, malware analysis, and code plagiarism detection. Existing works are ineffective in detecting similar binaries in cases where different compiling optimizations, compilers, source code versions, or obfuscation are deployed. We observe that all the cases do not change a binary's key code behaviors although they significantly modify its syntax and structure. With this key observation, we extract a set of key instructions from a binary to capture its key code behaviors. By detecting the similarity between two binaries' key instructions, we can address well the ineffectiveness limitation of existing works. Specifically, we translate each extracted key instruction into a self-defined key expression, generating a key-semantics graph based on the binary's control flow. Each node in the key-semantics graph denotes a key instruction, and the node attribute is the key expression. To quantify the similarity between two given key-semantics graphs, we first serialize each graph into a sequence of key expressions by topological sort. Then, we tokenize and concatenate key expressions to generate token lists. We calculate the locality-sensitive hash value for all token lists and quantify their similarity. %We implement a prototype, called SemDiff, consisting of two modules: graph generation and graph diffing. The first module generates a pair of key-semantics graphs and the second module diffs the graphs. Our evaluation results show that overall, SemDiff outperforms state-of-the-art tools when detecting the similarity of binaries generated from different optimization levels, compilers, and obfuscations. SemDiff is also effective for library version search and finding similar vulnerabilities in firmware.

Cryptography and Security

Shuai Jiang,Cai Fu,Shuai He,Jianqiang Lv,Lansheng Han,Hong Hu

DOI: https://doi.org/10.1109/tse.2024.3411072

2024-01-01

Abstract:Binary Code Similarity Detection (BCSD) is a fundamental binary analysis technique in the area of software security. Recently, advanced deep learning algorithms are integrated into BCSD platforms to achieve superior performance on well-known benchmarks. However, real-world large programs embed more complex diversities due to different compilers, various optimization levels, multiple architectures and even obfuscations. Existing BCSD solutions suffer from low accuracy issues in such complicated real-world application scenarios. In this paper, we propose BinCola, a novel Transformer-based dual diversity-sensitive contrastive learning framework that comprehensively considers the diversity of compiler options and candidate functions in the real-world application scenarios and employs the attention mechanism to fuse multi-granularity function features for enhancing generality and scalability. BinCola simultaneously compares multiple candidate functions across various compilation option scenarios to learn the differences caused by distinct compiler options and different candidate functions. We evaluate BinCola's performance in a variety of ways, including binary similarity detection and real-world vulnerability search in multiple application scenarios. The results demonstrate that BinCola achieves superior performance compared to state-of-the-art (SOTA) methods, with improvements of 2.80%, 33.62%, 22.41%, and 34.25% in cross-architecture, cross-optimization level, cross-compiler, and cross-obfuscation scenarios, respectively.

Yisen Wang,Jianjing Shen,Jian Lin,Rui Lou

DOI: https://doi.org/10.1109/access.2019.2893733

IF: 3.9

2019-01-01

IEEE Access

Abstract:The security situation of the Internet of Things (IoT) is more serious than ever, and there is an urgent need to detect and patch device vulnerability rapidly. With the astronomical numbers of IoT devices, it is very difficult to execute regular security inspections. Existing vulnerability detection technology based on simple feature matching cannot reach high accuracy to detect firmware vulnerabilities while using a control flow graph matching directly has proven to be too expensive. To address the problem of accurate and efficient, we present a method of staged firmware vulnerability detection based on code similarity. The first stage, function embedding based on neural network is used to analyze the similarities among functions, and large-scale firmware security inspection can be achieved efficiently. The second stage, the similarity among function local call flow graphs is calculated for fine-grained firmware security analysis, and this stage can improve the accuracy of vulnerability detection. We compared our method with state-of-the-art approaches, and the experimental results demonstrate that our method is more accurate. The average retraining time of our method is 1 h, and the real-world firmware vulnerability detection experiment of our method demonstrates that the true positive rate of the top 30 is as high as 86%.

Josh Collyer,Tim Watson,Iain Phillips

2023-11-29

Abstract:Being able to identify functions of interest in cross-architecture software is useful whether you are analysing for malware, securing the software supply chain or conducting vulnerability research. Cross-Architecture Binary Code Similarity Search has been explored in numerous studies and has used a wide range of different data sources to achieve its goals. The data sources typically used draw on common structures derived from binaries such as function control flow graphs or binary level call graphs, the output of the disassembly process or the outputs of a dynamic analysis approach. One data source which has received less attention is binary intermediate representations. Binary Intermediate representations possess two interesting properties: they are cross architecture by their very nature and encode the semantics of a function explicitly to support downstream usage. Within this paper we propose Function as a String Encoded Representation (FASER) which combines long document transformers with the use of intermediate representations to create a model capable of cross architecture function search without the need for manual feature engineering, pre-training or a dynamic analysis step. We compare our approach against a series of baseline approaches for two tasks; A general function search task and a targeted vulnerability search task. Our approach demonstrates strong performance across both tasks, performing better than all baseline approaches.

Cryptography and Security,Artificial Intelligence,Information Retrieval,Machine Learning

Jiang Du,Qiang Wei,Yisen Wang,Xiangjie Sun

DOI: https://doi.org/10.3390/electronics12224671

IF: 2.9

2023-01-01

Electronics

Abstract:Against the backdrop of highly developed software engineering, code reuse has been widely recognized as an effective strategy to significantly alleviate the burden of development and enhance productivity. However, improper code citation could lead to security risks and license issues. With the source codes of many pieces of software being difficult to obtain, binary code similarity analysis (BCSA) has been extensively implemented in fields such as bug search, code clone detection, and patch analysis. This research selects 39 papers on BCSA from top-tier and emerging conferences within artificial intelligence, network security, and software engineering from 2016 to 2022 for deep analysis. The central focus lies on methods utilizing deep learning technologies, detailing a thorough summary and the arrangement of the application and implementation specifics of various deep learning technologies. Furthermore, this study summarizes the research patterns and development trends in this field, thereby proposing potential directions for future research.

DOI: https://doi.org/10.1007/s44196-023-00206-9

IF: 2.259

2023-03-18

International Journal of Computational Intelligence Systems

Abstract:Binary code similarity detection (BCSD) is a task of detecting similarity of binary functions which are not available to the corresponding source code. It has been widely utilized to facilitate various kinds of crucial security analysis in software engineering. Because of the complexity of the program compilation process, identifying binary code similarity presents tough challenges. The most sensible binary similarity detector relies on a robust vector representation of binary code. However, few BCSD approaches are suitable to form vector representations for analyzing similarities between binaries, which may not only diverge in semantics but also in structures. And the existing solutions which only depend on hands-on feature engineering to form feature vectors, fail to take into consideration the relationships between instructions. To resolve these problems, we propose a novel and unified approach called DeepDual-SD that aims to combine the dual attributes (semantic and structural attribute). More specifically, DeepDual-SD consists of two branches, in which one text-based feature representation is driven by semantic attribute learning to exploit instruction semantics, another graph-based feature representation for structural attribute learning to investigate structural differences. Meanwhile deep embedding (DE) technology is utilized to map this information into low-dimensional vector representation. In addition, to get together the dual attributes, a fusion mechanism based on gate architecture is designed for learning to pay proper attention between the two attribute-aware embeddings. Experimental verifications are conducted on Openssl and Debian datasets for several tasks, including cross-compiler, cross-architecture and cross-version scenarios. The results demonstrate that our method outperforms the state-of-the-art BCSD methods in different scenarios in terms of detection accuracy.

computer science, artificial intelligence, interdisciplinary applications

Shuai Jiang,Cai Fu,Yekui Qian,Shuai He,Jianqiang Lv,Lansheng Han

DOI: https://doi.org/10.1016/j.cose.2022.102804

IF: 5.105

2022-01-01

Computers & Security

Abstract:Binary code similarity analysis (BCSAI(1)) is meaningful in various software security applications, including vulnerability discovery, clone detection, and malware detection. Although many BCSA studies have been based on neural networks in recent years, some significant problems are challenging to solve. First, most existing methods focus more on the function pair similarity detection task (FPSDT2) while ignoring the function search task (FST3), which is more major in vulnerability discovery. Moreover, they care more about the final result, which is to improve the success rate of FPSDT by using unexplainable neural networks. Finally, in practice, most methods are difficult to resist cross-optimization and cross-obfuscation in BCSA. We first proposed an adaptive BCSA architecture combining interpretable feature engineering and learnable attention mechanism to solve these problems. We design an adaptive model with rich interpretable features, and the experimental results on FPSDT and FST are better than the state-of-the-art methods. In addition, we also found that the attention mechanism has outstanding advantages in functional semantic expression. Finally, the evaluation shows that our approach can significantly improve FST performance between cross-architecture, cross-optimization, cross-obfuscation and cross-compiler binaries. (C) 2022 Elsevier Ltd. All rights reserved.

Bing Xia,Jianmin Pang,Xin Zhou,Zheng Shan,Junchao Wang,Feng Yue

DOI: https://doi.org/10.1038/s41598-023-42769-9

IF: 4.6

2023-09-22

Scientific Reports

Abstract:Binary code similarity analysis is widely used in the field of vulnerability search where source code may not be available to detect whether two binary functions are similar or not. Based on deep learning and natural processing techniques, several approaches have been proposed to perform cross-platform binary code similarity analysis using control flow graphs. However, existing schemes suffer from the shortcomings of large differences in instruction syntaxes across different target platforms, inability to align control flow graph nodes, and less introduction of high-level semantics of stability, which pose challenges for identifying similar computations between binary functions of different platforms generated from the same source code. We argue that extracting stable, platform-independent semantics can improve model accuracy, and a cross-platform binary function similarity comparison model N_Match is proposed. The model elevates different platform instructions to the same semantic space to shield their underlying platform instruction differences, uses graph embedding technology to learn the stability semantics of neighbors, extracts high-level knowledge of naming function to alleviate the differences brought about by cross-platform and cross-optimization levels, and combines the stable graph structure as well as the stable, platform-independent API knowledge of naming function to represent the final semantics of functions. The experimental results show that the model accuracy of N_Match outperforms the baseline model in terms of cross-platform, cross-optimization level, and industrial scenarios. In the vulnerability search experiment, N_Match significantly improves hit@N, the mAP exceeds the current graph embedding model by 66%. In addition, we also give several interesting observations from the experiments. The code and model are publicly available at https://www.github.com/CSecurityZhongYuan/Binary-Name_Match.

multidisciplinary sciences