ToolPhet: Inference of Compiler Provenance From Stripped Binaries With Emerging Compilation Toolchains

Jang, Hohyeon; Murodova, Nozima; Koo, Hyungjoon

doi:10.1109/access.2024.3355098

Cited by 1 publication

(1 citation statement)

References 53 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Compilation provenance identification [3][4][5][6][7] is a task that reversely reveals from the binary code the compilation details, like the specific compiler family, the optimization option, and even the compiler version used during the compilation phase, and has thus garnered considerable interest from researchers since it unveils critical insights into the nuances of the binary production process. Precisely pinpointing these compilation details is also crucial and advantageous for enhancing the efficacy of a myriad of binary code analysis applications [8], such as binary code similarity detection [9,10], software plagiarism detection [11], binary safety verification [12], and program authorship attribution [13].…”

Section: Introductionmentioning

confidence: 99%

Function-Level Compilation Provenance Identification with Multi-Faceted Neural Feature Distillation and Fusion

Gao,

Liang,

et al. 2024

Electronics

View full text Add to dashboard Cite

In the landscape of software development, the selection of compilation tools and settings plays a pivotal role in the creation of executable binaries. This diversity, while beneficial, introduces significant challenges for reverse engineers and security analysts in deciphering the compilation provenance of binary code. To this end, we present MulCPI, short for Multi-representation Fusion-based Compilation Provenance Identification, which integrates the features collected from multiple distinct intermediate representations of the binary code for better discernment of the fine-grained function-level compilation details. In particular, we devise a novel graph-oriented neural encoder improved upon the gated graph neural network by subtly introducing an attention mechanism into the neighborhood nodes’ information aggregation computation, in order to better distill the more informative features from the attributed control flow graph. By further integrating the features collected from the normalized assembly sequence with an advanced Transformer encoder, MulCPI is capable of capturing a more comprehensive set of features manifesting the multi-faceted lexical, syntactic, and structural insights of the binary code. Extensive evaluation on a public dataset comprising 854,858 unique functions demonstrates that MulCPI exceeds the performance of current leading methods in identifying the compiler family, optimization level, compiler version, and the combination of compilation settings. It achieves average accuracy rates of 99.3%, 96.4%, 90.7%, and 85.3% on these tasks, respectively. Additionally, an ablation study highlights the significance of MulCPI’s core designs, validating the efficiency of the proposed attention-enhanced gated graph neural network encoder and the advantages of incorporating multiple code representations.

show abstract