Liting Ruan,Qizhen Xu,Shunzhi Zhu,Xujing Huang,Xinyang Lin

DOI: https://doi.org/10.3390/electronics13091715

IF: 2.9

2024-04-30

Electronics

Abstract:Binary Code Similarity Detection is a method that involves comparing two or more binary code segments to identify their similarities and differences. This technique plays a crucial role in areas such as software security, vulnerability detection, and software composition analysis. With the extensive use of binary code in software development and system optimization, binary code similarity detection has become an important area of research. Traditional methods of source code similarity detection face challenges when dealing with the unreadable and complex nature of binary code, necessitating specialized techniques and algorithms. This review compares and summarizes various techniques and methods of binary code similarity detection, highlighting their strengths and limitations in handling different characteristics of binary code. Additionally, the article suggests potential future research directions. As research and innovation in this technology continue to advance, binary code similarity detection is expected to play an increasingly significant role in fields like software security.

engineering, electrical & electronic,physics, applied,computer science, information systems

Shouguo Yang,Zhengzi Xu,Yang Xiao,Zhe Lang,Wei Tang,Yang Liu,Zhiqiang Shi,Hong Li,Limin Sun

DOI: https://doi.org/10.1145/3604608

IF: 3.685

2023-06-17

ACM Transactions on Software Engineering and Methodology

Abstract:Vulnerability is a major threat to software security. It has been proven that binary code similarity detection approaches are efficient to search for recurring vulnerabilities introduced by code sharing in binary software. However, these approaches suffer from high false-positive rates since they usually take the patched functions as vulnerable, and they usually do not work well when binaries are compiled with different compilation settings. To this end, we propose an approach, named Robin , to confirm recurring vulnerabilities by filtering out patched functions. Robin is powered by a lightweight symbolic execution to solve the set of function inputs that can lead to the vulnerability-related code. It then executes the target functions with the same inputs to capture the vulnerable or patched behaviors for patched function filtration. Experimental results show that Robin achieves high accuracy for patch detection across different compilers and compiler optimization levels respectively on 287 real-world vulnerabilities of 10 different software. Based on accurate patch detection, Robin significantly reduces the false-positive rate of state-of-the-art vulnerability detection tools (by 94.3% on average), making them more practical. Robin additionally detects 12 new potentially vulnerable functions.

computer science, software engineering

Zian Liu,Zhi Zhang,Siqi Ma,Dongxi Liu,Jun Zhang,Chao Chen,Shigang Liu,Muhammad Ejaz Ahmed,Yang Xiang

2023-08-03

Abstract:Binary similarity detection is a critical technique that has been applied in many real-world scenarios where source code is not available, e.g., bug search, malware analysis, and code plagiarism detection. Existing works are ineffective in detecting similar binaries in cases where different compiling optimizations, compilers, source code versions, or obfuscation are deployed. We observe that all the cases do not change a binary's key code behaviors although they significantly modify its syntax and structure. With this key observation, we extract a set of key instructions from a binary to capture its key code behaviors. By detecting the similarity between two binaries' key instructions, we can address well the ineffectiveness limitation of existing works. Specifically, we translate each extracted key instruction into a self-defined key expression, generating a key-semantics graph based on the binary's control flow. Each node in the key-semantics graph denotes a key instruction, and the node attribute is the key expression. To quantify the similarity between two given key-semantics graphs, we first serialize each graph into a sequence of key expressions by topological sort. Then, we tokenize and concatenate key expressions to generate token lists. We calculate the locality-sensitive hash value for all token lists and quantify their similarity. %We implement a prototype, called SemDiff, consisting of two modules: graph generation and graph diffing. The first module generates a pair of key-semantics graphs and the second module diffs the graphs. Our evaluation results show that overall, SemDiff outperforms state-of-the-art tools when detecting the similarity of binaries generated from different optimization levels, compilers, and obfuscations. SemDiff is also effective for library version search and finding similar vulnerabilities in firmware.

Cryptography and Security

Xiangzhe Xu,Zhou Xuan,Shiwei Feng,Siyuan Cheng,Yapeng Ye,Qingkai Shi,Guanhong Tao,Le Yu,Zhuo Zhang,Xiangyu Zhang

DOI: https://doi.org/10.48550/arXiv.2308.15449

2023-08-30

Abstract:Binary similarity analysis determines if two binary executables are from the same source program. Existing techniques leverage static and dynamic program features and may utilize advanced Deep Learning techniques. Although they have demonstrated great potential, the community believes that a more effective representation of program semantics can further improve similarity analysis. In this paper, we propose a new method to represent binary program semantics. It is based on a novel probabilistic execution engine that can effectively sample the input space and the program path space of subject binaries. More importantly, it ensures that the collected samples are comparable across binaries, addressing the substantial variations of input specifications. Our evaluation on 9 real-world projects with 35k functions, and comparison with 6 state-of-the-art techniques show that PEM can achieve a precision of 96% with common settings, outperforming the baselines by 10-20%.

Software Engineering

Zhi Xin,Huiyu Chen,Hao Han,Bing Mao,Li Xie

DOI: https://doi.org/10.1007/978-3-642-18178-8_16

2011-01-01

Abstract:Program obfuscation techniques have been widely used by malware to dodge the scanning from anti-virus detectors. However, signature based on the data structures appearing in the runtime memory makes traditional code obfuscation useless. Laika [2] implements this signature using Bayesian unsupervised learning, which clusters similar vectors of bytes in memory into the same class. We present a novel malware obfuscation technique that automatically obfuscate the data structure layout so that memory similarities between malware programs are blurred and hardly recognized. We design and implement the automatic data structure obfuscation technique as a GNU GCC compiler extension that can automatically distinguish the obfuscability of the data structures and convert part of the unobfuscable data structures into obfuscable. After evaluated by fourteen real-world malware programs, we present that our tool maintains a high proportion of obfuscated data structures as 60.19% for type and 60.49% for variable.

Fei Zuo,Xiaopeng Li,Patrick Young,Lannan Luo,Qiang Zeng,Zhexin Zhang

DOI: https://doi.org/10.14722/ndss.2019.23492

2018-01-01

Abstract: Binary code analysis allows analyzing binary code without having access to the corresponding source code. A binary, after disassembly, is expressed in an assembly language. This inspires us to approach binary analysis by leveraging ideas and techniques from Natural Language Processing (NLP), a rich area focused on processing text of various natural languages. We notice that binary code analysis and NLP share a lot of analogical topics, such as semantics extraction, summarization, and classification. This work utilizes these ideas to address two important code similarity comparison problems. (I) Given a pair of basic blocks for different instruction set architectures (ISAs), determining whether their semantics is similar or not; and (II) given a piece of code of interest, determining if it is contained in another piece of assembly code for a different ISA. The solutions to these two problems have many applications, such as cross-architecture vulnerability discovery and code plagiarism detection. We implement a prototype system INNEREYE and perform a comprehensive evaluation. A comparison between our approach and existing approaches to Problem I shows that our system outperforms them in terms of accuracy, efficiency and scalability. And the case studies utilizing the system demonstrate that our solution to Problem II is effective. Moreover, this research showcases how to apply ideas and techniques from NLP to large-scale binary code analysis.

Ming Xu,Lingfei Wu,Shuhui Qi,Jian Xu,Haiping Zhang,Yizhi Ren,Ning Zheng

DOI: https://doi.org/10.1007/s11416-012-0175-y

2013-01-01

Journal of Computer Virology and Hacking Techniques

Abstract:Code obfuscating technique plays a significant role to produce new obfuscated malicious programs, generally called malware variants, from previously encountered malwares. However, the traditional signature-based malware detecting method is hard to recognize the up-to-the-minute obfuscated malwares. This paper proposes a method to identify the malware variants based on the function-call graph. Firstly, the function-call graphs were created from the disassembled codes of program; then the caller–callee relationships of functions and the operational code (opcode) information about functions, combining the graph coloring techniques were used to measure the similarity metric between two function-call graphs; at last, the similarity metric was utilized to identify the malware variants from known malwares. The experimental results show that the proposed method is able to identify the obfuscated malicious softwares effectively.

Yikun Hu,Yuanyuan Zhang,Juanru Li,Hui Wang,Bodong Li,Dawu Gu

DOI: https://doi.org/10.48550/arXiv.1808.06216

2018-08-19

Abstract:Binary code clone analysis is an important technique which has a wide range of applications in software engineering (e.g., plagiarism detection, bug detection). The main challenge of the topic lies in the semantics-equivalent code transformation (e.g., optimization, obfuscation) which would alter representations of binary code tremendously. Another chal- lenge is the trade-off between detection accuracy and coverage. Unfortunately, existing techniques still rely on semantics-less code features which are susceptible to the code transformation. Besides, they adopt merely either a static or a dynamic approach to detect binary code clones, which cannot achieve high accuracy and coverage simultaneously. In this paper, we propose a semantics-based hybrid approach to detect binary clone functions. We execute a template binary function with its test cases, and emulate the execution of every target function for clone comparison with the runtime information migrated from that template function. The semantic signatures are extracted during the execution of the template function and emulation of the target function. Lastly, a similarity score is calculated from their signatures to measure their likeness. We implement the approach in a prototype system designated as BinMatch which analyzes IA-32 binary code on the Linux platform. We evaluate BinMatch with eight real-world projects compiled with different compilation configurations and commonly-used obfuscation methods, totally performing over 100 million pairs of function comparison. The experimental results show that BinMatch is robust to the semantics-equivalent code transformation. Besides, it not only covers all target functions for clone analysis, but also improves the detection accuracy comparing to the state-of-the-art solutions.

Software Engineering

Zhaoguo Wang,Chenglong Li,Yi Guan,Yibo Xue

DOI: https://doi.org/10.13245/j.hust.160312

2016-01-01

Abstract:In order to confront the code obfuscation problem,and better respond to the needs of simi-larity detection,a new method based on anti-obfuscation characteristics was designed,which included 7 kinds of anti-obfuscation code characteristics,audio characteristics and image characteristics.The method was proposed for detecting similarity and evaluating.Based on these characteristics and the methods,a prototype system was implemented and made suitable for large-scale scenario.The detec-tions of 1259 malware and 288 APPs from 12 APP markets show that the proposed method has obvi-ous advantages over the state-of-the-art methods against code obfuscation with high detection perform-ance.

Yan Wang,Peng Jia,Cheng Huang,Jiayong Liu,Peisong He

DOI: https://doi.org/10.1155/2021/9954520

IF: 1.968

2021-08-10

Security and Communication Networks

Abstract:Binary code similarity comparison is the technique that determines if two functions are similar by only considering their compiled form, which has many applications, including clone detection, malware classification, and vulnerability discovery. However, it is challenging to design a robust code similarity comparison engine since different compilation settings that make logically similar assembly functions appear to be very different. Moreover, existing approaches suffer from high-performance overheads, lower robustness, or poor scalability. In this paper, a novel solution HBinSim is proposed by employing the multiview features of the function to address these challenges. It first extracts the syntactic and semantic features of each basic block by static analysis. HBinSim further analyzes the function and constructs a syntactic attribute control flow graph and a semantic attribute control flow graph for each function. Then, a hierarchical attention graph embedding network is designed for graph-structured data processing. The network model has a hierarchical structure that mirrors the hierarchical structure of the function. It has three levels of attention mechanisms applied at the instruction, basic block, and function level, enabling it to attend differentially to more and less critical content when constructing the function representation. We conduct extensive experiments to evaluate its effectiveness and efficiency. The results show that our tool outperforms the state-of-the-art binary code similarity comparison tools by a large margin against compilation diversity clone searching. A real-world vulnerabilities search case further demonstrates the usefulness of our system.

computer science, information systems,telecommunications

Qiubo Huang,Xuezhi Song,Guozheng Fang

DOI: https://doi.org/10.1109/icaica50127.2020.9182389

2020-01-01

Abstract:We proposed a plagiarism detection approach based on code similarity and student behavior characteristics in educational scenarios. The traditional plagiarism check is based on the code only, which enables that students can escape inspection by modifying a small amount of code. We proposed that if the behavioral characteristics of students when submitting code can be considered, the suspected plagiarism can be more accurately identified. We proposed the concept of code similarity concentration (SCD) with reference to the Gini coefficient idea. SCD can reflect the similarity distribution between all the codes submitted by a student and others' codes. A large value of SCD means that a student's codes are always the most similar to the codes of some particular classmates. In addition, we also extracted other features to help detection. Finally, we classify the plagiarism detection problem as a binary classification problem and use LightGBM to make decisions. The experimental results show that the accuracy is close to 99% and f1-score is close to 98%.

Hayden Cheers,Yuqing Lin,Shamus P. Smith

DOI: https://doi.org/10.48550/arXiv.2102.03995

2021-02-08

Software Engineering

Abstract:Source code plagiarism is a long-standing issue in tertiary computer science education. Many source code plagiarism detection tools have been proposed to aid in the detection of source code plagiarism. However, existing detection tools are not robust to pervasive plagiarism-hiding transformations, and as a result can be inaccurate in the detection of plagiarised source code. This article presents BPlag, a behavioural approach to source code plagiarism detection. BPlag is designed to be both robust to pervasive plagiarism-hiding transformations, and accurate in the detection of plagiarised source code. Greater robustness and accuracy is afforded by analysing the behaviour of a program, as behaviour is perceived to be the least susceptible aspect of a program impacted upon by plagiarism-hiding transformations. BPlag applies symbolic execution to analyse execution behaviour and represent a program in a novel graph-based format. Plagiarism is then detected by comparing these graphs and evaluating similarity scores. BPlag is evaluated for robustness, accuracy and efficiency against 5 commonly used source code plagiarism detection tools. It is then shown that BPlag is more robust to plagiarism-hiding transformations and more accurate in the detection of plagiarised source code, but is less efficient than compared tools.

Bing Xia,Jianmin Pang,Xin Zhou,Zheng Shan,Junchao Wang,Feng Yue

DOI: https://doi.org/10.1038/s41598-023-42769-9

IF: 4.6

2023-09-22

Scientific Reports

Abstract:Binary code similarity analysis is widely used in the field of vulnerability search where source code may not be available to detect whether two binary functions are similar or not. Based on deep learning and natural processing techniques, several approaches have been proposed to perform cross-platform binary code similarity analysis using control flow graphs. However, existing schemes suffer from the shortcomings of large differences in instruction syntaxes across different target platforms, inability to align control flow graph nodes, and less introduction of high-level semantics of stability, which pose challenges for identifying similar computations between binary functions of different platforms generated from the same source code. We argue that extracting stable, platform-independent semantics can improve model accuracy, and a cross-platform binary function similarity comparison model N_Match is proposed. The model elevates different platform instructions to the same semantic space to shield their underlying platform instruction differences, uses graph embedding technology to learn the stability semantics of neighbors, extracts high-level knowledge of naming function to alleviate the differences brought about by cross-platform and cross-optimization levels, and combines the stable graph structure as well as the stable, platform-independent API knowledge of naming function to represent the final semantics of functions. The experimental results show that the model accuracy of N_Match outperforms the baseline model in terms of cross-platform, cross-optimization level, and industrial scenarios. In the vulnerability search experiment, N_Match significantly improves hit@N, the mAP exceeds the current graph embedding model by 66%. In addition, we also give several interesting observations from the experiments. The code and model are publicly available at https://www.github.com/CSecurityZhongYuan/Binary-Name_Match.

multidisciplinary sciences

Yuhao Jia,Zhicheng Yu,Zhen Hong

DOI: https://doi.org/10.1371/journal.pone.0305299

IF: 3.7

2024-06-12

PLoS ONE

Abstract:Binary code similarity detection plays a crucial role in various applications within binary security, including vulnerability detection, malicious software analysis, etc. However, existing methods suffer from limited differentiation in binary embedding representations across different compilation environments, lacking dynamic high-level semantics. Moreover, current approaches often neglect multi-level semantic feature extraction, thereby failing to acquire precise semantic information about the binary code. To address these limitations, this paper introduces a novel detection solution called BinBcla. This method employs an enhanced pre-training model to generate instruction embeddings with dynamic semantics for binary functions. Subsequently, multi-feature fusion technique is utilized to extract local semantic information and long-distance global features from the code, respectively, employing self-attention to comprehend the structure information of the code. Finally, an improved cosine similarity method is employed to learn relationships among all elements of the distance vectors, thereby enhancing the model's robustness to new sample functions. Experiments are conducted across different architectures, compilers, and optimization levels. The results indicate that BinBcla achieves higher accuracy, precision and F1 score compared to existing methods.

multidisciplinary sciences

Matija Novak,Mike Joy,Dragutin Kermek

DOI: https://doi.org/10.1145/3313290

2019-09-30

ACM Transactions on Computing Education

Abstract:Teachers deal with plagiarism on a regular basis, so they try to prevent and detect plagiarism, a task that is complicated by the large size of some classes. Students who cheat often try to hide their plagiarism (obfuscate), and many different similarity detection engines (often called plagiarism detection tools) have been built to help teachers. This article focuses only on plagiarism detection and presents a detailed systematic review of the field of source-code plagiarism detection in academia. This review gives an overview of definitions of plagiarism, plagiarism detection tools, comparison metrics, obfuscation methods, datasets used for comparison, and algorithm types. Perspectives on the meaning of source-code plagiarism detection in academia are presented, together with categorisations of the available detection tools and analyses of their effectiveness. While writing the review, some interesting insights have been found about metrics and datasets for quantitative tool comparison and categorisation of detection algorithms. Also, existing obfuscation methods classifications have been expanded together with a new definition of “source-code plagiarism detection in academia.”

education, scientific disciplines

Xulu Yao,Moi Hoon Yap,Yanlong Zhang

DOI: https://doi.org/10.1109/times-icon47539.2019.9024512

2019-12-01

Abstract:Statistical Machine Translation (SMT) is a research hotspot in machine translation and natural language processing. Recently, source code translation tasks based on SMT model have been applied to Software Engineering. Unfortunately, there is no automated metric that can effectively detect the accuracy of code translation. Considering the similarity between code similarity detection and machine translation scoring process, this paper proposes Code Semantic Metric (CSM) based on traditional code plagiarism detection metrics to verify its applicability to code translation tasks. Our empirical research shows that the results of different methods of code plagiarism detection are quite different. After specific parameter adjustment, CSM can reflect the correctness of translation code semantics to a certain extent. We confirm that CSM has a high correlation with human judgment in the semantic accuracy of translated code, which surpasses the scores of MOSS and JPlag, the mainstream traditional code plagiarism detection methods.

Feng Zhang,Guofan Li,Cong Liu,Qian Song

DOI: https://doi.org/10.1155/2020/8835310

2020-12-17

Scientific Programming

Abstract:Source code similarity detection has various applications in code plagiarism detection and software intellectual property protection. In computer programming teaching, students may convert the source code written in one programming language into another language for their code assignment submission. Existing similarity measures of source code written in the same language are not applicable for the cross-language code similarity detection because of syntactic differences among different programming languages. Meanwhile, existing cross-language source similarity detection approaches are susceptible to complex code obfuscation techniques, such as replacing equivalent control structure and adding redundant statements. To solve this problem, we propose a cross-language code similarity detection (CLCSD) approach based on code flowcharts. In general, two source code fragments written in different programming languages are transformed into standardized code flowcharts (SCFC), and their similarity is obtained by measuring their corresponding SCFC. More specifically, we first introduce the standardized code flowchart (SCFC) model to be the uniform flowcharts representation of source code written in different languages. SCFC is language-independent, and therefore, it can be used as the intermediate structure for source code similarity detection. Meanwhile, transformation techniques are given to transform source code written in a specific programming language into an SCFC. Second, we propose the SCFC-SPGK algorithm based on the shortest path graph kernel to measure the similarity between two SCFCs. Thus, the similarity between two pieces of source code in different programming languages is given by the similarity between SCFCs. Experimental results show that compared with existing approaches, CLCSD has higher accuracy in cross-language source code similarity detection. Furthermore, CLCSD cannot only handle common source code obfuscation techniques used by students in computer programming teaching but also obtain nearly 90% accuracy in dealing with some complex obfuscation techniques.

computer science, software engineering

zhiyin liang,tao wei,yu zong chen,xinhui han,jianwei zhuge,wanhong zou

2007-01-01

Abstract:In recent years with the popularity of source code sharing, the number of types of malware increases sharply; furthermore, malwares are also getting more and more sophisticated. These developments together propose a tremendous challenge to traditional ways of analyzing malware. One way to handle such challenge is to develop tools to automate the analyzing task, and in this paper we describe one such method for static analysis of malware. Inspired by the observation that a malicious executable usually consists of several components, each performing certain tasks, and that these components are often reused by others, our method employs techniques from reverse engineering and data clustering to component decomposing of an executable. For each component obtained, we then match it against a library of known malware components to identify it. For malicious programs, we further utilize the match result to classify them. We have built a prototype system called CompSim, and have applied it to analyze bot-like malicious executables. Initial results show that our approach has outperformed classical signature-based detection method in terms of false negative rate. Furthermore, comparing to dynamic analysis methods and model checking methods, our static method has the advantage of larger analytical coverage.

李卓,邓明荣

DOI: https://doi.org/10.3969/j.issn.1007-130x.2010.04.020

2010-01-01

Abstract:Similar code detection is a common entry point of software refactoring activities. The paper firstly introduces texts mapping-based similar code detection algorithms like the dynamic text mapping algorithm and the suffix tree algorithm. Based on the combination of these two algorithms,a tool for automated similar code detection is implemented. This tool provides not only a capability to detect similar code both between and within the source files,for an improved accuracy,but also an automatic approach to help developers secure similar code candidates,hence improves the efficiency of software refactoring. Finally,the paper analyzes the experimental outputs of practical programs in a financial information system. Its practicality is shown.

William Zhu,Clark Thomborson,Fei-Yue Wang

DOI: https://doi.org/10.1007/11734628_18

2006-01-01

Abstract:As various computers are connected into a world wide network, software is a target of copyright pirates, attackers, or even terrorists, as a result, software protections become a more and more important issue for software users and developers. There are some technical measures for software protections, such as hardware-based protections and software-based techniques [1], etc. Software obfuscation [2] is one of these measures to protect software from unauthorized modification by making software more obscure so that it is hard for potential attackers to understand the obfuscated software. There are several algorithms of software obfuscation such as layout transformation, computation transformation, ordering transformation, and data transformation [2]. Variable transformation is a major method of data transformation to transform software into a new semantically equivalent one that is hard for attackers to understand the true meaning of variables in software.