Detecting code clones in binary executables

Saebjornsen, Andreas; Willcock, Jeremiah; Panas, Thomas; Quinlan, Daniel J.; Su, Zhendong

doi:10.1145/1572272.1572287

Cited by 135 publications

(79 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Semantics is the only characteristic guaranteed to be preserved across the obfuscation. Static Analysis Based Plagiarism Detection: The existing static analysis techniques except for the birthmarkbased techniques are closely related to the clone detection [1,3,18,19,16,12,15,14,31]. While possessing common interests with the clone detection, the plagiarism detection is different in that (1) we must deal with code obfuscation techniques which are often employed with a malicious intention; (2) source code analysis of the suspicious program is not possible in most cases.…”

Section: State Of the Artmentioning

confidence: 99%

“…The existing birthmark-based schemes are vulnerable to either obfuscation techniques mentioned in [23] or some well-known obfuscation such as statement reordering and junk instruction insertion. Moreover, all existing techniques except for [23,31] need to access source code. Dynamic Analysis Based Plagiarism Detection: Myles and Collberg [24] proposed a whole program path (WPP) based dynamic birthmark.…”

Section: State Of the Artmentioning

confidence: 99%

See 1 more Smart Citation

Value-based program characterization and its application to software plagiarism detection

Jhi

Wang

Jia

et al. 2011

Proceedings of the 33rd International Conference on Software Engineering

View full text Add to dashboard Cite

Identifying similar or identical code fragments becomes much more challenging in code theft cases where plagiarizers can use various automated code transformation techniques to hide stolen code from being detected. Previous works in this field are largely limited in that (1) most of them cannot handle advanced obfuscation techniques; (2) the methods based on source code analysis are less practical since the source code of suspicious programs is typically not available until strong evidences are collected; and (3) those depending on the features of specific operating systems or programming languages have limited applicability.Based on an observation that some critical runtime values are hard to be replaced or eliminated by semanticspreserving transformation techniques, we introduce a novel approach to dynamic characterization of executable programs. Leveraging such invariant values, our technique is resilient to various control and data obfuscation techniques. We show how the values can be extracted and refined to expose the critical values and how we can apply this runtime property to help solve problems in software plagiarism detection. We have implemented a prototype with a dynamic taint analyzer atop a generic processor emulator. Our experimental results show that the value-based method successfully discriminates 34 plagiarisms obfuscated by SandMark, plagiarisms heavily obfuscated by KlassMaster, programs obfuscated by Thicket, and executables obfuscated by Loco/Diablo.

show abstract

Section: State Of the Artmentioning

confidence: 99%

Section: State Of the Artmentioning

confidence: 99%

Value-based program characterization and its application to software plagiarism detection

Jhi

Wang

Jia

et al. 2011

Proceedings of the 33rd International Conference on Software Engineering

View full text Add to dashboard Cite

show abstract

“…Saebjornsen et al [25] developed a clone detection technique that performs inexact matching of binary code using an instruction-based representation similar to our idiom features. While the mechanics of clone detection and provenance recovery are similar, the goals are orthogonal: clone detection seeks to find code instances with similar functionality and as the authors note is hampered by compiler-introduce variations; provenance recovery tools must ignore patterns due to program functionality and focus on the compiler or other toolchain components.…”

Section: Related Workmentioning

confidence: 99%

Recovering the toolchain provenance of binary code

Rosenblum

Miller

Zhu

2011

Proceedings of the 2011 International Symposium on Software Testing and Analysis

View full text Add to dashboard Cite

Program binaries are an artifact of a production process that begins with source code and ends with a string of bytes representing executable code. There are many reasons to want to know the specifics of this process for a given binary-for forensic investigation of malware, to diagnose the role of the compiler in crashes or performance problems, or for reverse engineering and decompilation-but binaries are not generally annotated with such provenance details. Intuitively, the binary code should exhibit properties specific to the process that produced it, but it is not at all clear how to find such properties and map them to specific elements of that process.In this paper, we present an automatic technique to recover toolchain provenance: those details, such as the source language and the compiler and compilation options, that define the transformation process through which the binary was produced. We approach provenance recovery as a classification problem, discovering characteristics of binary code that are strongly associated with particular toolchain components and developing models that can infer the likely provenance of program binaries. Our experiments show that toolchain provenance can be recovered with high accuracy, approaching 100% accuracy for some components and yielding good results (90%) even when the binaries emitted by different components appear to be very similar.

show abstract

“…Existing source code clone detection techniques include String-based [5], Tree-based [6,18], Token-based [19,31,29] and PDG-based [21,14,22]. Saebjørnsen et al [30] proposed a tree-based clone detection in binary code. Most clone detection techniques do not take code obfuscation into consideration.…”

Section: Clone Detectionmentioning

confidence: 99%

A first step towards algorithm plagiarism detection

Zhang

Jhi

et al. 2012

Proceedings of the 2012 International Symposium on Software Testing and Analysis

View full text Add to dashboard Cite

In this work, we address the problem of algorithm plagiarism, which occurs when a plagiarist, violating intellectual property rights, steals others' algorithms and covertly implements them. In contrast to software plagiarism, which has been extensively studied, limited attention has been paid to algorithm plagiarism. In this paper, we propose two dynamic value-based approaches, namely N-version and annotation, for algorithm plagiarism detection. Our approaches are motivated by the observation that there exist some critical runtime values which are irreplaceable and uneliminatable for all implementations of the same algorithm. The Nversion approach extracts such values by filtering out noncore values. The annotation approach leverages auxiliary information to flag important variables which contain core values. We also propose a value dependence graph based similarity metric in addition to the longest common subsequence based one, in order to address the potential value reordering attack. We have implemented a prototype and evaluated the proposed schemes on various algorithms. The results show that our approaches to algorithm plagiarism detection are practical, effective and resilient to many automatic obfuscation techniques.

show abstract

Detecting code clones in binary executables

Cited by 135 publications

References 24 publications

Value-based program characterization and its application to software plagiarism detection

Value-based program characterization and its application to software plagiarism detection

Recovering the toolchain provenance of binary code

A first step towards algorithm plagiarism detection

Contact Info

Product

Resources

About