Professional Documents
Culture Documents
42
Session on Analysis of Binary Code PLAS'18, October 19, 2018, Toronto, ON, Canada
vectors that originate from semantically equivalent proce- (1) shr eax, 4
(1) (2) (3) mov r8, rbx
dures. In order to train our classifier, we build a database lea rcx, [r8+3]
(3)
with dozens of millions of examples, generated by compiling (1) mov [r8+1], al
various open-source renowned projects. We compile each (2) mov [r8+2], r13b
(3) mov rdi, rcx
project using different compilers, with different compiler
versions, optimization levels and for different architectures.
Finally, we evaluate our approach by predicting similar-
ities in open-source projects that are not included in the (1) (2) (3)
training set. We show that our proposed classifier achieves shr eax, 4
mov r8, rbx
mov r8, rbx
high accuracy and executes more than 250X faster than cur- mov r8, rbx lea rcx, [r8+3]
mov [r8+2], r13b
mov [r8+1], al mov rdi, rcx
rent state-of-the-art tools.
43
Session on Analysis of Binary Code PLAS'18, October 19, 2018, Toronto, ON, Canada
(a) Assembly code (b) Basic blocks (c) Strands (d) Normalized & canonized (e) Hashes
bb0: shr eax, 1
shr eax, 1
shr eax, 1
mov r8, rbx M[t1+2]:=64to32(t2)>>1 113
mov r8, rbx mov [r8+2], eax
mov r8, rbx lea rcx, [r8+4]
lea rcx, [r8+4] mov [r8+2], eax mov r8, rbx
lea rcx, [r8+4] t1 := t2 + 4 550
mov [r8+2], r13 mov rdi, rcx mov rdi, rcx
mov rdi, rcx
test rdi, rdi
mov rax, 2
jz bb2 t1 := t1 + 2 7
mov rax, 2 add rbx, rax
bb1:
add rbx, rax
mov rax, 10
shr rcx, al mov rax, 2
927
add rbx, rax shr rcx, al
t1 := t1 >> 2
shr rcx, al
jmp addr
bb2:
sub rax, 8 sub rax, 8
sub rax, 8 shl rax, 4
t1 := (t1 – 8) << 4 7
shl rax, 4
shl rax, 4
44
Session on Analysis of Binary Code PLAS'18, October 19, 2018, Toronto, ON, Canada
..
OpenSSL 1.0.1 FFmpeg 2.7.1
..
Procedure 1
bash 4.3 Wireshark 1.10.10
httpd
ntp
cURL
2.4.33
4.2.8
7.60.0
coreutils
bzip2
wget
8.29
1.0.6
1.15
. . .. P(similar)
Snort 2.9.11.1
Git
util-linux
2.9.5
2.32
.. .. . P(¬ similar)
Procedure 2
Apache Mesos 1.5.0
.
QEMU 2.12.0
(a) Open source projects used for data generation.
.
Compiler Versions Architecture Optimization Levels
gcc 4.{7,8,9} x86_64 -O{s,0,1,2,3}
Size=2 × 2b Size=L1 Size=L2
icc 14, 15 x86_64 -O{s,0,1,2,3}
Clang 3.{5,6,7,8} x86_64 -O{s,0,1,2,3}
gcc 4.8 AArch64 -O{s,0,1,2,3} Figure 4: Our neural network skeleton.
Clang 4.0 AArch64 -O{s,0,1,2,3}
(b) Compilers and versions used for data generation.
45
Session on Analysis of Binary Code PLAS'18, October 19, 2018, Toronto, ON, Canada
1 Zeek GitZ
Concentrated ROC (CROC)
Concetrated ROC
1 0.96 0.96 0.95
0.94 0.93
0.95
0.9
0.8
0.9
0.7
46
Session on Analysis of Binary Code PLAS'18, October 19, 2018, Toronto, ON, Canada
REFERENCES Systems Languages & Applications (OOPSLA ’13). ACM, New York,
[1] Martin Abadi, Paul Barham, Jianmin Chen, Zhifeng Chen, Andy Davis, NY, USA, 391–406. https://doi.org/10.1145/2509136.2509509
Jeffrey Dean, Matthieu Devin, Sanjay Ghemawat, Geoffrey Irving, [15] Y. Shoshitaishvili, R. Wang, C. Salls, N. Stephens, M. Polino, A. Dutcher,
Michael Isard, Manjunath Kudlur, Josh Levenberg, Rajat Monga, Sherry J. Grosen, S. Feng, C. Hauser, C. Kruegel, and G. Vigna. 2016. SOK:
Moore, Derek G. Murray, Benoit Steiner, Paul Tucker, Vijay Vasudevan, (State of) The Art of War: Offensive Techniques in Binary Analysis.
Pete Warden, Martin Wicke, Yuan Yu, and Xiaoqiang Zheng. 2016. In 2016 IEEE Symposium on Security and Privacy (SP). 138–157. https:
TensorFlow: A system for large-scale machine learning. In 12th USENIX //doi.org/10.1109/SP.2016.17
Symposium on Operating Systems Design and Implementation (OSDI [16] S. Joshua Swamidass, Chloé-Agathe Azencott, Kenny Daily, and Pierre
16). 265–283. https://www.usenix.org/system/files/conference/osdi16/ Baldi. 2010. A CROC Stronger Than ROC: Measuring, Visualizing and
osdi16-abadi.pdf Optimizing Early Retrieval. Bioinformatics 26, 10 (2010), 1348–1356.
[2] Upul Bandara and Gamini Wijayrathna. 2012. Detection of Source https://doi.org/10.1093/bioinformatics/btq140
Code Plagiarism Using Machine Learning Approach. In International [17] Martin White, Michele Tufano, Christopher Vendome, and Denys
Journal of Computer Theory and Engineering (IJCTE 2012 Volume 4, Poshyvanyk. 2016. Deep Learning Code Fragments for Code Clone
Number 5). https://doi.org/10.7763/IJCTE Detection. In Proceedings of the 31st IEEE/ACM International Conference
[3] Oren Boiman and Michal Irani. 2006. Similarity by Composition. In on Automated Software Engineering (ASE 2016). ACM, New York, NY,
Advances in Neural Information Processing Systems 19, Proceedings of the USA, 87–98. https://doi.org/10.1145/2970276.2970326
Twentieth Annual Conference on Neural Information Processing Systems, [18] zynamics. 2011. BinDiff. Available at http://www.zynamics.com/.
Vancouver, British Columbia, Canada, December 4-7, 2006. 177–184.
[4] Yaniv David, Nimrod Partush, and Eran Yahav. 2016. Statistical Similar-
ity of Binaries. In Proceedings of the 37th ACM SIGPLAN Conference on
Programming Language Design and Implementation (PLDI 2016). ACM,
New York, NY, USA, 266–280. https://doi.org/10.1145/2908080.2908126
[5] Yaniv David, Nimrod Partush, and Eran Yahav. 2017. Similarity of
Binaries Through Re-optimization. In Proceedings of the 38th ACM
SIGPLAN Conference on Programming Language Design and Imple-
mentation (PLDI 2017). ACM, New York, NY, USA, 79–94. https:
//doi.org/10.1145/3062341.3062387
[6] Manuel Egele, Maverick Woo, Peter Chapman, and David Brum-
ley. 2014. Blanket Execution: Dynamic Similarity Testing for Pro-
gram Binaries and Components. In 23rd USENIX Security Sym-
posium (USENIX Security 14). USENIX Association, San Diego,
CA, 303–317. https://www.usenix.org/conference/usenixsecurity14/
technical-sessions/presentation/egele
[7] L. Li, H. Feng, W. Zhuang, N. Meng, and B. Ryder. 2017. CCLearner: A
Deep Learning-Based Clone Detection Approach. In 2017 IEEE Inter-
national Conference on Software Maintenance and Evolution (ICSME).
249–260. https://doi.org/10.1109/ICSME.2017.46
[8] Zhen Li, Deqing Zou, Shouhuai Xu, Xinyu Ou, Hai Jin, Sujuan Wang,
Zhijun Deng, and Yuyi Zhong. 2018. VulDeePecker: A Deep Learning-
Based System for Vulnerability Detection. CoRR abs/1801.01681 (2018).
[9] Asuka Nakajime. 2017. Similarity Calculation Method for Binary
Executables. (2017).
[10] B. H. Ng and A. Prakash. 2013. Expose: Discovering Potential Binary
Code Re-use. In 2013 IEEE 37th Annual Computer Software and Applica-
tions Conference. 492–501. https://doi.org/10.1109/COMPSAC.2013.83
[11] NIST. 2018. National Vulnerability Database. Available at https:
//nvd.nist.gov/.
[12] Hao Peng, Lili Mou, Ge Li, Yuxuan Liu, Lu Zhang, and Zhi Jin.
2015. Building Program Vector Representations for Deep Learn-
ing. In Proceedings of the 8th International Conference on Knowledge
Science, Engineering and Management - Volume 9403 (KSEM 2015).
Springer-Verlag, Berlin, Heidelberg, 547–553. https://doi.org/10.1007/
978-3-319-25159-2_49
[13] Nathan E. Rosenblum, Barton P. Miller, and Xiaojin Zhu. 2010. Ex-
tracting Compiler Provenance from Program Binaries. In Proceedings
of the 9th ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for
Software Tools and Engineering (PASTE ’10). ACM, New York, NY, USA,
21–28. https://doi.org/10.1145/1806672.1806678
[14] Rahul Sharma, Eric Schkufza, Berkeley Churchill, and Alex Aiken. 2013.
Data-driven Equivalence Checking. In Proceedings of the 2013 ACM
SIGPLAN International Conference on Object Oriented Programming
47