A Semantics-Based Hybrid Approach on Binary Code Similarity Comparison

Abstract

Binary code similarity comparison is a methodology for identifying similar or identical code fragments in binary programs. It is indispensable in fields of software engineering and security, which has many important applications (e.g., plagiarism detection, bug detection). With the widespread of smart and Internet of Things (IoT) devices, an increasing number of programs are ported to multiple architectures (e.g., ARM, MIPS). It becomes necessary to detect similar binary code across architectures as well. The main challenge of this topic lies in the semantics-equivalent code transformation resulting from different compilation settings, code obfuscation, and varied instruction set architectures. Another challenge is the trade-off between comparison accuracy and coverage. Unfortunately, existing methods still heavily rely on semantics-less code features which are susceptible to the code transformation. Additionally, they perform the comparison merely either in a static or in a dynamic manner, which cannot achieve high accuracy and coverage simultaneously. In this paper, we propose a semantics-based hybrid method to compare binary function similarity. We execute the reference function with test cases, then emulate the execution of every target function with the runtime information migrated from the reference function. Semantic signatures are extracted during the execution as well as the emulation. Lastly, similarity scores are calculated from the signatures to measure the likeness of functions. We have implemented the method in a prototype system designated as BINMATCH which performs binary code similarity comparison across architectures of x86, ARM and MIPS on the Linux platform. We evaluate BINMATCH with nine real-word projects compiled with different compilation settings, on variant architectures, and with commonly-used obfuscation methods, totally performing over 100 million pairs of function comparison. The experimental results show that BINMATCH is resilient to the semantics-equivalent code transformation. Besides, it not only covers all target functions for similarity comparison, but also improves the accuracy comparing to the state-of-the-art solutions.

Type

Journal article

Publication
IEEE Transactions on Software Engineering
Yikun HU
Yikun HU
Assistant Research Fellow

I am working in LoCCS at SJTU. My research interests focus on (AI-assisted) Program Analysis and its application to Software Security. We are looking for motivated students interested in Software Security or AI Security. Feel free to contact us please, if you have an interest in researching or interning in our lab.