Fast location of similar code fragments using semantic 'juice'

Lakhotia, Arun; Preda, Mila Dalla; Giacobazzi, Roberto

doi:10.1145/2430553.2430558

Cited by 69 publications

(35 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Modern approaches for binaries follow strategies to compare the semantics of code. Examples are TEDEM [23], Exposé [22], BinHunt [8], its follow-up project, iBinHunt [21], and BinJuice [17], which uses syntactic equations similar to our formulas and hashes those to measure similarity. BinHash [14] inspired our sampling, which is also used by Blanket Execution (Blex) [6]).…”

Section: Related Workmentioning

confidence: 99%

Cross-architecture bug search in binary executables

Pewny

Garmany

Gawlik

et al. 2017

It - Information Technology

177

View full text Add to dashboard Cite

Abstract:With the general availability of closed-source software for various CPU architectures, there is a need to identify security-critical vulnerabilities at the binary level. Unfortunately, existing bug finding methods fall short in that they i) require source code, ii) only work on a single architecture (typically x86), or iii) rely on dynamic analysis, which is difficult for embedded devices. In this paper, we propose a system to derive bug signatures for known bugs. First, we compute semantic hashes for the basic blocks of the binary. When can then use these semantics to find code parts in the binary that behave similarly to the bug signature, effectively revealing code parts that contain the bug. As a result, we can find vulnerabilities, e.g., the famous Heartbleed vulnerabilities, in buggy binary code for any of the supported architectures (currently, ARM, MIPS and x86).

show abstract

Section: Related Workmentioning

confidence: 99%

Cross-architecture bug search in binary executables

Pewny

Garmany

Gawlik

et al. 2017

It - Information Technology

177

View full text Add to dashboard Cite

show abstract

“…This includes websites, e-mail messages and PE file headers. Names, addresses, and certain constants are generalized using BinJuice [89]. The discovery system itself uses concolic execution: It is able to explore multiple execution paths by using an SMT solver to create new input values for subsequent runs.…”

Section: Malware Analysis Solutionsmentioning

confidence: 99%

Semantics-aware detection of targeted attacks: a survey

Luh

Marschalek

Kaiser

et al. 2016

J Comput Virol Hack Tech

View full text Add to dashboard Cite

In today's interconnected digital world, targeted attacks have become a serious threat to conventional computer systems and critical infrastructure alike. Many researchers contribute to the fight against network intrusions or malicious software by proposing novel detection systems or analysis methods. However, few of these solutions have a particular focus on Advanced Persistent Threats or similarly sophisticated multi-stage attacks. This turns finding domainappropriate methodologies or developing new approaches into a major research challenge. To overcome these obstacles, we present a structured review of semantics-aware works that have a high potential for contributing to the analysis or detection of targeted attacks. We introduce a detailed literature evaluation schema in addition to a highly granular model for article categorization. Out of 123 identified papers, 60 were found to be relevant in the context of this study. The selected articles are comprehensively reviewed and assessed in accordance to Kitchenham's guidelines for systematic literature reviews. In conclusion, we combine new insights and the status quo of current research into the concept of an ideal systemic approach capable of semantically processing and evaluating information from different observation points.

show abstract

“…To match the basic blocks with the same semantics, BinHunt [44] and its successor iBinHunt [45] performed symbolic execution in the scope of basic blocks and verified the equivalence of the input-output relationship formulas with theorem proving techniques. BinJuice [46] represented abstraction of semantics of basic blocks as "semantic juice" and matched malware variants with such semantic juice. Exposé [47] combined function-level syntactic heuristics with semantics detection.…”

Section: Semantic Differential Detectionmentioning

confidence: 99%

“…Luo et al [48] detected software plagiarism by matching longest common subsequence of semantically equivalent basic blocks. However, these tools suffered from the "block-centric" limitation [46]; that is, they were insufficient to capture similarities or differences across basic blocks. In contrast, LoPD is trace-oriented and is therefore able to find similarities and differences beyond the scope of basic blocks to a great extent.…”

Section: Semantic Differential Detectionmentioning

confidence: 99%

Deviation-Based Obfuscation-Resilient Program Equivalence Checking With Application to Software Plagiarism Detection

Jiang

Zhang

et al. 2016

IEEE Trans. Rel.

View full text Add to dashboard Cite

Software plagiarism, an act of illegally copying others' code, has become a serious concern for honest software companies and the open source community. Considerable research efforts have been dedicated to searching the evidence of software plagiarism. In this paper, we continue this line of research and propose LoPD, a deviation-based program equivalence checking approach, which is an ideal fit for the whole-program plagiarism detection. Instead of directly comparing the similarity between two programs, LoPD searches for any dissimilarity between two programs by finding an input that will cause these two programs to behave differently, either with different output states or with semantically different execution paths. As long as we can find one dissimilarity, the programs are semantically different; but if we cannot find any dissimilarity, it is more likely a plagiarism case. We leverage dynamic symbolic execution to capture the semantics of execution paths and to find path deviations. Compared to the existing detection approaches, LoPD's formal program semantics-based method is more resilient to automatic obfuscation schemes. Our evaluation results indicate that LoPD is effective in detecting whole-program plagiarism. Furthermore, we demonstrate that LoPD can be applied to partial software plagiarism detection as well. The encouraging experiment results show that LoPD is an appealing complement to existing software plagiarism detection approaches.Index Terms-Path deviation, program logic, semantical difference, software plagiarism, symbolic execution.

show abstract

Fast location of similar code fragments using semantic 'juice'

Cited by 69 publications

References 7 publications

Cross-architecture bug search in binary executables

Cross-architecture bug search in binary executables

Semantics-aware detection of targeted attacks: a survey

Deviation-Based Obfuscation-Resilient Program Equivalence Checking With Application to Software Plagiarism Detection

Contact Info

Product

Resources

About