Revisiting Binary Code Similarity Analysis Using Interpretable Feature Engineering and Lessons Learned

Kim, Dongkwan; Kim, Eun-Soo; Kil, Sang; Son, Sooel; Kim, Yong‐Dae

doi:10.1109/tse.2022.3187689

Cited by 22 publications

(13 citation statements)

References 139 publications

(372 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A review of related approaches has shown that binary similarity has profited from machine learning and that usage of machine learning is viable for deobfuscation tasks. Out of recent state-of-the-art function clone detection approaches, only some approaches deal with obfuscation [47], [13], [30], [34]. None of these approaches have tried to apply binary code similarity algorithms to counter obfuscation by virtualization.…”

Section: Obfuscated Function Clone Identificationmentioning

confidence: 99%

“…Research dealing with virtualization in the context of function clone detection is scarce. A recent survey [34] highlights the need for covering interprocedural virtualization obfuscators like Themida [57], or VMProtect [61], as the obfuscations applied by Hikari [64] do not appear to be more complex than cross-optimization binary similarity. OFCI does not solve interprocedural obfuscation either, but is intended as a stepping stone to expand research in this area.…”

Section: E Virtual Machine Analysismentioning

confidence: 99%

“…ASM2VEC [13], SAFE [39], GEMINI [63] and BLEX [15], they compare results with different metrics, because with the exception of SAFE, none of the other approaches provides the full source-code or trained model. While there is recent work trying to tackle this issue [34]…”

Section: Performance On Unobfuscated Datamentioning

confidence: 99%

See 2 more Smart Citations

Detecting Obfuscated Function Clones in Binaries using Machine Learning

Pucher¹,

Kudera²,

Merzdovnik³

2022

Proceedings 2022 Workshop on Binary Analysis Research

View full text Add to dashboard Cite

The complexity and functionality of malware is ever-increasing. Obfuscation is used to hide the malicious intent from virus scanners and increase the time it takes to reverse engineer the binary. One way to minimize this effort is function clone detection. Detecting whether a function is already known, or similar to an existing function, can reduce analysis effort. Outside of malware, the same function clone detection mechanism can be used to find vulnerable versions of functions in binaries, making it a powerful technique. This work introduces a slim approach for the identification of obfuscated function clones, called OFCI, building on recent advances in machine learning based function clone detection. To tackle the issue of obfuscation, OFCI analyzes the effect of known function calls on function similarity. Furthermore, we investigate function similarity classification on code obfuscated through virtualization by applying function clone detection on execution traces. While not working adequately, it nevertheless provides insight into potential future directions.Using the ALBERT transformer OFCI can achieve an 83% model size reduction in comparison to state-of-the-art approaches, while only causing an average 7% decrease in the ROC-AUC scores of function pair similarity classification. However, the reduction in model size comes at the cost of precision for function clone search. We discuss the reasons for this as well as other pitfalls of building function similarity detection tooling.

show abstract

Section: Obfuscated Function Clone Identificationmentioning

confidence: 99%

Section: E Virtual Machine Analysismentioning

confidence: 99%

See 1 more Smart Citation

Detecting Obfuscated Function Clones in Binaries using Machine Learning

Pucher¹,

Kudera²,

Merzdovnik³

2022

Proceedings 2022 Workshop on Binary Analysis Research

View full text Add to dashboard Cite

show abstract

“…Second, the function signature of a program is an important feature for representing the function semantics and able to improve the performance of binary code similarity detection [22], however, previous works didn't design methods to extract the information in function signatures.…”

Section: Introductionmentioning

confidence: 99%

Multi-feature based Function Embedding Network for Binary Code Similarity

Guo

et al. 2023

Preprint

View full text Add to dashboard Cite

Binary similarity detection determines whether two given binary code snippets are similar or not, usually on function granularity. This task is challenging due to different compilation optimizations and CPU architectures. Recently, deep-learning methods have made great achievements in this field, although most of them use artificially selected features or ignore some important semantic information like code literals or function signatures during feature processing. In addition, random samples and pair loss function are used in similarity training, which only covers limited similarity relations between functions. In this paper, a new framework MFEN-Sim is proposed to detect similar binary functions. The framework contains three stages: feature extraction and normalization, mutli-feature based function feature embedding network (MFEN) and similarity learning network. Multiple features including assembly instructions, CFG structures and function code literals are extracted from binary functions. Then these features are fed into MFEN composed of three modules: function semantic and structure embedding module, function signature prediction module, and function code literal embedding module. The three modules generate embeddings representing the function semantic and structural features, the function signature prediction features and the function code literal features. Finally, MFEN-Sim utilizes a similarity training network based on contrastive learning to make MFEN recognize more similarity relations between functions. MFEN-Sim is evaluated on 281,601 functions in 144 binaries and 17 CVEs in real-world software. Experimental results show that our work outperforms state-of-the-art systems ( i.e., Gemini, FIT and SAFE) by 7.1%, 9.9% and 8.2% on AUC metric in cross-architecture, optimization-level similarity detection, and achieves higher recall than baselines in searching vulnerabilities in real-world applications.

show abstract

“…Li et al [10] grab intermediate information from the compiler to generate their disassembly ground truth, in an attempt to validate ground truth. Another useful paper is by Kim et al [8] that discusses a benchmark for binary code similarity analysis.…”

Section: Introductionmentioning

confidence: 99%

The Inconvenient Truths of Ground Truth for Binary Analysis

Alves-Foss¹,

Venugopal²

2022

Proceedings 2022 Workshop on Binary Analysis Research

View full text Add to dashboard Cite

The effectiveness of binary analysis tools and techniques is often measured with respect to how well they map to a ground truth. We have found that not all ground truths are created equal. This paper challenges the binary analysis community to take a long look at the concept of ground truth, to ensure that we are in agreement with definition(s) of ground truth, so that we can be confident in the evaluation of tools and techniques. This becomes even more important as we move to trained machine learning models, which are only as useful as the validity of the ground truth in the training.

show abstract

Revisiting Binary Code Similarity Analysis Using Interpretable Feature Engineering and Lessons Learned

Cited by 22 publications

References 139 publications

Detecting Obfuscated Function Clones in Binaries using Machine Learning

Detecting Obfuscated Function Clones in Binaries using Machine Learning

Multi-feature based Function Embedding Network for Binary Code Similarity

The Inconvenient Truths of Ground Truth for Binary Analysis

Contact Info

Product

Resources

About