A Heuristic Local-sensitive Program-Wide Diffing Method for IoT Binary Files

Abstract: Code reuse brings vulnerabilities in third-party library to many Internet of Things (IoT) devices, opening them to attacks such as distributed denial of service. Program-wide binary diffing technology can help detect these vulnerabilities in IoT devices whose source codes are not public. Considering the architectures of IoT devices may vary, we propose a data-aware program-wide diffing method across architectures and optimization levels. We rely on the defined anchor functions and call relationship to expand t… Show more

“…In today's computing environment, encountering binary-only software is common including commodity or proprietary programs, system software like firmware and device drivers. Accordingly, binary analysis is essential in implementing a wide range of popular use cases [11,13,21,65]: e.g., detecting code clone or software plagiarism to protect against intellectual property infringement [17,40,67], discovering vulnerabilities in distributed software [7,8,14,15,19,38,42,51,52,57,58], detecting [5,6,35] and classifying [28,34] malware, and analyzing program repairs or patches [20,29,64], and establishing toolchain provenance [48,56] for digital forensics purposes.…”

“…Besides, code generation is impacted by other major factors such as an architecture, compiler, compiler version, compiler option, and code obfuscation. [67] from our evaluation dataset (section VI). The function mismatch represents basic block pairs with a sequence of identical instructions that do not belong to the same function.…”

“…More than eight out of 10 from the whole matching basic blocks incorporate 5 instructions or less. 17,21,36,38,43,65,67,68,69,74] have emerged as a promising solution for addressing the challenge of recognizing code semantics in binaries. While traditional approaches, such as static analysis (e.g., graph isomorphism on call graph [14,19]) or dynamic analysis (e.g., taint analysis [18,51]), have demonstrated high accuracy in specific tasks, machine learning-based approaches offer significant advantages in rapidly changing computing environments.…”

“…With a sufficient amount of training data, a single model can be leveraged for multiple platforms and architectures, and can continuously improve with an increasing number of new inputs. Indeed, recent state-of-the-art tools [17,43,67,69,74] have successfully generated code embeddings (vectors) for semantic clone detection, even across different architectures [69,74], optimizations [17,43,67], and obfuscation techniques [17].…”

“…However, we raise a question about the practicality and effectiveness of code embedding to infer code semantics. Figure 1 illustrates the matching basic block pairs and function mismatch cases from our DeepBinDiff [67] evaluation dataset (Section VI). Our experiment reveals that 83% of matching block pairs contain five instructions or less, indicating that binary code embeddings may not convey sufficient meaning for the inference of a large block.…”

Binary Code Representation With Well-Balanced Instruction Normalization

“…In today's computing environment, encountering binary-only software is common including commodity or proprietary programs, system software like firmware and device drivers. Accordingly, binary analysis is essential in implementing a wide range of popular use cases [11,13,21,65]: e.g., detecting code clone or software plagiarism to protect against intellectual property infringement [17,40,67], discovering vulnerabilities in distributed software [7,8,14,15,19,38,42,51,52,57,58], detecting [5,6,35] and classifying [28,34] malware, and analyzing program repairs or patches [20,29,64], and establishing toolchain provenance [48,56] for digital forensics purposes.…”

“…Besides, code generation is impacted by other major factors such as an architecture, compiler, compiler version, compiler option, and code obfuscation. [67] from our evaluation dataset (section VI). The function mismatch represents basic block pairs with a sequence of identical instructions that do not belong to the same function.…”

“…More than eight out of 10 from the whole matching basic blocks incorporate 5 instructions or less. 17,21,36,38,43,65,67,68,69,74] have emerged as a promising solution for addressing the challenge of recognizing code semantics in binaries. While traditional approaches, such as static analysis (e.g., graph isomorphism on call graph [14,19]) or dynamic analysis (e.g., taint analysis [18,51]), have demonstrated high accuracy in specific tasks, machine learning-based approaches offer significant advantages in rapidly changing computing environments.…”

“…With a sufficient amount of training data, a single model can be leveraged for multiple platforms and architectures, and can continuously improve with an increasing number of new inputs. Indeed, recent state-of-the-art tools [17,43,67,69,74] have successfully generated code embeddings (vectors) for semantic clone detection, even across different architectures [69,74], optimizations [17,43,67], and obfuscation techniques [17].…”

“…However, we raise a question about the practicality and effectiveness of code embedding to infer code semantics. Figure 1 illustrates the matching basic block pairs and function mismatch cases from our DeepBinDiff [67] evaluation dataset (Section VI). Our experiment reveals that 83% of matching block pairs contain five instructions or less, indicating that binary code embeddings may not convey sufficient meaning for the inference of a large block.…”

Binary Code Representation With Well-Balanced Instruction Normalization