Order Matters: Semantic-Aware Neural Networks for Binary Code Similarity Detection

Yu, Zeping; Cao, Rui; Tang, Qiyi; Nie, Sen; Huang, Junzhou; Shi, Wei

doi:10.1609/aaai.v34i01.5466

Cited by 132 publications

(79 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Roberto et al [26] proposed various feature embedding generation schemes of the basic block based on the similar Siamese network to calculate similarity. Yu et al [44] propose combining semantic, structural, and order features of functions to generate the embedding of functions for similarity comparison.…”

Section: Learning-based Approachesmentioning

confidence: 99%

Hierarchical Attention Graph Embedding Networks for Binary Code Similarity against Compilation Diversity

Wang

Jia

Huang

et al. 2021

Security and Communication Networks

View full text Add to dashboard Cite

Binary code similarity comparison is the technique that determines if two functions are similar by only considering their compiled form, which has many applications, including clone detection, malware classification, and vulnerability discovery. However, it is challenging to design a robust code similarity comparison engine since different compilation settings that make logically similar assembly functions appear to be very different. Moreover, existing approaches suffer from high-performance overheads, lower robustness, or poor scalability. In this paper, a novel solution HBinSim is proposed by employing the multiview features of the function to address these challenges. It first extracts the syntactic and semantic features of each basic block by static analysis. HBinSim further analyzes the function and constructs a syntactic attribute control flow graph and a semantic attribute control flow graph for each function. Then, a hierarchical attention graph embedding network is designed for graph-structured data processing. The network model has a hierarchical structure that mirrors the hierarchical structure of the function. It has three levels of attention mechanisms applied at the instruction, basic block, and function level, enabling it to attend differentially to more and less critical content when constructing the function representation. We conduct extensive experiments to evaluate its effectiveness and efficiency. The results show that our tool outperforms the state-of-the-art binary code similarity comparison tools by a large margin against compilation diversity clone searching. A real-world vulnerabilities search case further demonstrates the usefulness of our system.

show abstract

Section: Learning-based Approachesmentioning

confidence: 99%

Hierarchical Attention Graph Embedding Networks for Binary Code Similarity against Compilation Diversity

Wang

Jia

Huang

et al. 2021

Security and Communication Networks

View full text Add to dashboard Cite

show abstract

“…Massarelli [16] shows a similar method as Gemini [], but replace manual feature extraction with unsupervised-based neural network feature extraction. Yu [19] uses BERT to pretrain the binary code on one token-level task, one block-level task, and two graph-level tasks. Moreover, they adopt convolution neural network (CNN) on adjacency matrices to extract the order information of CFG nodes.…”

Section: Related Workmentioning

confidence: 99%

“…How to deal with the OOV problem is a challenge. Order Matters [19] used BERT to pre-train the binary code on one token-level task, one block-level task, and two graphlevel tasks. They also adopt a convolution neural network (CNN) on adjacency matrices to extract the order information.…”

Section: Introductionmentioning

confidence: 99%

Codee: A Tensor Embedding Scheme for Binary Code Search

Yang

Liu

et al. 2022

IIEEE Trans. Software Eng.

View full text Add to dashboard Cite

Given a target binary function, the binary code search retrieves top-K similar functions in the repository, and similar functions represent that they are compiled from the same source codes. Searching binary code is particularly challenging due to large variations of compiler tool-chains and options and CPU architectures, as well as thousands of binary codes. Furthermore, there are some pivotal issues in current binary code search schemes, including inaccurate text-based or token-based analysis, slow graph matching, or complex deep learning processes. In this paper, we present an unsupervised tensor embedding scheme, Codee, to carry out code search efficiently and accurately at the binary function level. First, we use an NLP-based neural network to generate the semantic-aware token embedding. Second, we propose an efficient basic block embedding generation algorithm based on the network representation learning model. We learn both the semantic information of instructions and the control flow structural information to generate the basic block embedding. Then we use all basic block embeddings in a function to obtain a variable-length function feature vector. Third, we build a tensor to generate function embeddings based on the tensor singular value decomposition, which compresses the variable-length vectors into short fixed-length vectors to facilitate efficient search afterward. We further propose a dynamic tensor compression algorithm to incrementally update the function embedding database. Finally, we use the local sensitive hash method to find the top-K similar matching functions in the repository. Compared with state-of-the-art cross-optimization-level code search schemes, such as Asm2Vec and DeepBinDiff, our scheme achieves higher average search accuracy, shorter feature vectors, and faster feature generation performance using four datasets, OpenSSL, Coreutils, libgmp and libcurl. Compared with other cross-platform and cross-optimization-level code search schemes, such as Gemini, Safe, the average recall of our method also outperforms others.

show abstract

“…Some other features are also taken into consideration, such as numeric features in instruction (Eschweiler et al 2016), callgrah (Gao et al 2008;Liu et al 2018;Wang et al 2009) and control flow graph (Eschweiler et al 2016;Xu et al 2017;Feng et al 2016), and semantic related information including IO behavior (Pewny et al 2015) and execution traces (Chandramohan et al 2016). Besides manually selected features, some work automatically extracts semantic information with the help of NLP techniques (Ding et al 2019;Duan et al 2020;Yu et al 2020).…”

Section: Binary-to-binarymentioning

confidence: 99%

B2SMatcher: fine-Grained version identification of open-Source software in binary files

Ban

Xiao

et al. 2021

Cybersecur

View full text Add to dashboard Cite

Codes of Open Source Software (OSS) are widely reused during software development nowadays. However, reusing some specific versions of OSS introduces 1-day vulnerabilities of which details are publicly available, which may be exploited and lead to serious security issues. Existing state-of-the-art OSS reuse detection work can not identify the specific versions of reused OSS well. The features they selected are not distinguishable enough for version detection and the matching scores are only based on similarity.This paper presents B2SMatcher, a fine-grained version identification tool for OSS in commercial off-the-shelf (COTS) software. We first discuss five kinds of version-sensitive code features that are trackable in both binary and source code. We categorize these features into program-level features and function-level features and propose a two-stage version identification approach based on the two levels of code features. B2SMatcher also identifies different types of OSS version reuse based on matching scores and matched feature instances. In order to extract source code features as accurately as possible, B2SMatcher innovatively uses machine learning methods to obtain the source files involved in the compilation and uses function abstraction and normalization methods to eliminate the comparison costs on redundant functions across versions. We have evaluated B2SMatcher using 6351 candidate OSS versions and 585 binaries. The result shows that B2SMatcher achieves a high precision up to 89.2% and outperforms state-of-the-art tools. Finally, we show how B2SMatcher can be used to evaluate real-world software and find some security risks in practice.

show abstract

Order Matters: Semantic-Aware Neural Networks for Binary Code Similarity Detection

Cited by 132 publications

References 13 publications

Hierarchical Attention Graph Embedding Networks for Binary Code Similarity against Compilation Diversity

Hierarchical Attention Graph Embedding Networks for Binary Code Similarity against Compilation Diversity

Codee: A Tensor Embedding Scheme for Binary Code Search

B2SMatcher: fine-Grained version identification of open-Source software in binary files

Contact Info

Product

Resources

About