Abstract
The binary similarity problem consists in determining if two functions are similar by only considering their compiled form. Techniques for binary similarity have an immediate practical impact on several fields such as copyright disputes, malware analysis, vulnerability detection, etc. Current solutions compare functions by first transforming their binary code in multi-dimensional vector representations (embeddings), and then comparing vectors through simple and efficient geometric operations. In this paper we propose SAFE, a novel architecture for the embedding of functions based on a self-attentive neural network. SAFE works directly on disassembled binary functions, does not require manual feature extraction, is computationally more efficient than existing solutions, and is more general as it works on stripped binaries and on multiple architectures. We report the results from a quantitative and qualitative analysis that show how SAFE provides a noticeable performance improvement with respect to previous solutions. Furthermore, we show how clusters of our embedding vectors are closely related to the semantic of the implemented algorithms, paving the way for further interesting applications.
R. Baldoni—On leave at the presidency of council of ministries of Italy.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
- 2.
- 3.
Tests conducted using the Radare2 https://github.com/radare/radare2.
- 4.
Interestingly, recognizing library functions in stripped statically linked binaries is an application of the binary similarity problem without symbolic calls.
- 5.
The source code of our prototype and the datasets are publicly available at the following address: https://github.com/gadiluna/SAFE.
- 6.
Classic RNNs do not cope well with really long sequences.
- 7.
We designed our system to be compatible with several disassemblers, including two opensource solutions.
- 8.
Note that gcc-3.4 has been released more than 10 years before gcc-5.4.
- 9.
Gemini has not been distributed publicly. We implemented it using the information contained in [27]. For Gemini the parameters are: function embeddings of dimension 64, number of rounds 2, and a number of layers 2. These parameters are the ones that give the better performance for Gemini, according to our experiments and the one in the original Gemini paper.
- 10.
48 = 12 compilers \(\times \) 4 optimizations level.
- 11.
cve-2014-0160, cve-2014-6271, cve-2015-3456, cve-2014-9295, cve-2014-7169, cve-2011-0444, cve-2014-4877, cve-2015-6862.
- 12.
Some vulnerable functions are lost during the disassembling process.
- 13.
We used the TensorBoard implementation of t-SNE.
- 14.
Sample available at https://github.com/ytisf/theZoo/tree/master/malwares/Bin-aries/Ransomware.TeslaCrypt – Hash: 3372c1eda...4a370.
- 15.
Sample available at https://github.com/ytisf/theZoo/tree/master/malwares/Bin-aries/Ransomware.Vipasana – Hash: 0442cfabb...4b6ab.
References
Abadi, M., et al.: TensorFlow: a system for large-scale machine learning. In: Proceedings of the 12th USENIX Symposium on Operating Systems Design and Implementation, (OSDI), pp. 265–283 (2016)
Al-Maskari, A., Sanderson, M., Clough, P.: The relationship between IR effectiveness measures and user satisfaction. In: Proceedings of the 30th International ACM Conference on R&D in Information Retrieval, (SIGIR), pp. 773–774 (2007)
Alrabaee, S., Shirani, P., Wang, L., Debbabi, M.: Sigma: a semantic integrated graph matching approach for identifying reused functions in binary code. Digit. Investig. 12, S61–S71 (2015)
Bromley, J., Guyon, I., LeCun, Y., Säckinger, E., Shah, R.: Signature verification using a “siamese” time delay neural network. In: Proceedings of the 6th International Conference on Neural Information Processing Systems, (NIPS), pp. 737–744 (1994)
Cho, K., et al.: Learning phrase representations using RNN encoder-decoder for statistical machine translation. In: Proceedings of the 2014 Conference on Empirical Methods in Natural Language Processing, (EMNLP) (2014)
Chua, Z.L., Shen, S., Saxena, P., Liang, Z.: Neural nets can learn function type signatures from binaries. In: Proceedings of 26th USENIX Security Symposium, (USENIX Security), pp. 99–116 (2017)
Dai, H., Dai, B., Song, L.: Discriminative embeddings of latent variable models for structured data. In: Proceedings of the 33rd International Conference on Machine Learning, (ICML), pp. 2702–2711 (2016)
David, Y., Partush, N., Yahav, E.: Statistical similarity of binaries. In: Proceedings of the 37th ACM SIGPLAN Conference on Programming Language Design and Implementation, (PLDI), pp. 266–280 (2016)
David, Y., Partush, N., Yahav, E.: Similarity of binaries through re-optimization. ACM SIGPLAN Not. 52, 79–94 (2017)
David, Y., Yahav, E.: Tracelet-based code search in executables. In: Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation, (PLDI), pp. 349–360 (2014)
Ding, S.H., Fung, B.C., Charland, P.: Asm2Vec: boosting static representation robustness for binary clone search against code obfuscation and compiler optimization. In: Proceedings of 40th Symposium on Security and Privacy, (SP) (2019, to appear)
Dullien, T., Rolles, R.: Graph-based comparison of executable objects. In: Proceedings of Symposium sur la sécurité des Technologies de l’information et des Communications, (STICC) (2005)
Egele, M., Woo, M., Chapman, P., Brumley, D.: Blanket execution: dynamic similarity testing for program binaries and components. In: Proceedings of 23rd USENIX Security Symposium, (USENIX Security), pp. 303–317 (2014)
Feng, Q., Wang, M., Zhang, M., Zhou, R., Henderson, A., Yin, H.: Extracting conditional formulas for cross-platform bug search. In: Proceedings of the 12th ACM on Asia Conference on Computer and Communications Security, (ASIA CCS), pp. 346–359. ACM (2017)
Feng, Q., Zhou, R., Xu, C., Cheng, Y., Testa, B., Yin, H.: Scalable graph-based bug search for firmware images. In: Proceedings of the 23rd ACM SIGSAC Conference on Computer and Communications Security, (CCS), pp. 480–491. ACM (2016)
Herlocker, J.L., et al.: Evaluating collaborative filtering recommender systems. ACM Trans. Inf. Syst. 22(1), 5–53 (2004)
Khoo, W.M., Mycroft, A., Anderson, R.: Rendezvous: a search engine for binary code. In: Proceedings of the 10th Working Conference on Mining Software Repositories, (MSR), pp. 329–338 (2013)
Le, Q.V., Mikolov, T.: Distributed representations of sentences and documents. In: Proceedings of the 31th International Conference on Machine Learning, (ICML), pp. 1188–1196 (2014)
Lin, Z., et al.: A structured self-attentive sentence embedding. arXiv:1703.03130 (2017)
van der Maaten, L., Hinton, G.: Visualizing data using t-SNE. J. Mach. Learn. Res. 9(Nov), 2579–2605 (2008)
Massarelli, L., Di Luna, G.A., Petroni, F., Querzoni, L., Baldoni, R.: Investigating graph embedding neural networks with unsupervised features extraction for binary analysis. In: Proceedings of the 2nd Workshop on Binary Analysis Research (BAR) (2019)
Mikolov, T., et al.: Distributed representations of words and phrases and their compositionality. In: Proceedings of the 26th International Conference on Neural Information Processing Systems, (NIPS), pp. 3111–3119 (2013)
Pewny, J., Garmany, B., Gawlik, R., Rossow, C., Holz, T.: Cross-architecture bug search in binary executables. In: Proceedings of the 34th IEEE Symposium on Security and Privacy, (SP), pp. 709–724 (2015)
Pewny, J., Schuster, F., Bernhard, L., Holz, T., Rossow, C.: Leveraging semantic signatures for bug search in binary programs. In: Proceedings of the 30th Annual Computer Security Applications Conference, (ACSAC), pp. 406–415. ACM (2014)
Shin, E.C.R., Song, D., Moazzezi, R.: Recognizing functions in binaries with neural networks. In: Proceedings of the 24th USENIX Conference on Security Symposium, (USENIX Security), pp. 611–626 (2015)
Shoshitaishvili, Y., et al.: SOK: (state of) the art of war: offensive techniques in binary analysis. In: Proceedings of the 37th IEEE Symposium on Security and Privacy, (SP), pp. 138–157 (2016)
Xu, X., Liu, C., Feng, Q., Yin, H., Song, L., Song, D.: Neural network-based graph embedding for cross-platform binary code similarity detection. In: Proceedings of the 24th ACM SIGSAC Conference on Computer and Communications Security, (CCS), pp. 363–376 (2017)
Zuo, F., Li, X., Zhang, Z., Young, P., Luo, L., Zeng, Q.: Neural machine translation inspired binary code similarity comparison beyond function pairs. arXiv preprint arXiv:1808.04706 (2018)
Acknowledgments
This work has been partially founded by a grant by the Italian Presidency of the Council of Ministers, by CINI with the FilieraSicura project, by the PANACEA Horizon 2020 research and innovation programme under the Grant Agreement no 826293 and by the University of Rome “La Sapienza” with the Calypso project. The authors would also like to thank Google for providing cloud computing resources through the Education Program and NVIDIA Corporation for the donation of a GPGPU. Finally, the authors would like to thank Davide Italiano for the insightful discussions.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Massarelli, L., Di Luna, G.A., Petroni, F., Baldoni, R., Querzoni, L. (2019). SAFE: Self-Attentive Function Embeddings for Binary Similarity. In: Perdisci, R., Maurice, C., Giacinto, G., Almgren, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2019. Lecture Notes in Computer Science(), vol 11543. Springer, Cham. https://doi.org/10.1007/978-3-030-22038-9_15
Download citation
DOI: https://doi.org/10.1007/978-3-030-22038-9_15
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-22037-2
Online ISBN: 978-3-030-22038-9
eBook Packages: Computer ScienceComputer Science (R0)