Semantic Learning and Emulation Based Cross-Platform Binary Vulnerability Seeker

Published: 2021, Last Modified: 05 Nov 2023. IEEE Trans. Software Eng. 2021.
Abstract: Clone detection is widely exploited for software vulnerability search. Approaches based on source code analysis cannot be applied to binary clone detection because the same source code can produce significantly different binaries under different operating systems, microprocessor architectures and compilers. In this paper, we present BinSeeker, a cross-platform binary seeker that integrates semantic learning and emulation. With the help of the labeled semantic flow graph, BinSeeker can quickly identify the $M$ candidate functions in the target binary that are most similar to the vulnerability. The value of $M$ is relatively large, so this semantic learning stage essentially eliminates only those functions that are very unlikely to contain the vulnerability. Then, semantic emulation is conducted on these $M$ candidates to obtain their dynamic signature sequences. By comparing signature sequences, BinSeeker produces the top-$N$ functions whose behavior is most similar to that of the vulnerability. With the fast filtering of semantic learning and the accurate comparison of semantic emulation, BinSeeker seeks vulnerabilities precisely with little overhead. Experiments on six widely used programs with fifteen known CVE vulnerabilities demonstrate that BinSeeker outperforms three state-of-the-art tools, Genius, Gemini and CACompare. Regarding search accuracy, BinSeeker achieves an MRR value of 0.65 on the target programs, whereas the MRR values of Genius, Gemini and CACompare are 0.17, 0.07 and 0.42, respectively. If we count ranking the function with the targeted vulnerability in the top 5 as accurate, BinSeeker achieves an accuracy of 93.33 percent, while the accuracy of the other three tools is merely 33.33, 13.33 and 53.33 percent, respectively. This accuracy is achieved with 0.27 s on average to determine whether a target binary function contains a known vulnerability; the corresponding times for the other three tools are 1.57 s, 0.15 s and 0.98 s, respectively. Compared to the time needed to manually separate the true positive vulnerability from the false positive candidates reported by Gemini, the time overhead of BinSeeker is negligible. Evidently, the proposed BinSeeker achieves a better balance between accuracy and efficiency.
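The two-stage search described in the abstract (a coarse top-$M$ filter from learned similarity, then re-ranking the survivors by emulated signature sequences) and the MRR and top-$N$ metrics used to score it, as an added illustration that is not BinSeeker's own code: the similarity scores, function names and signature sequences are constructed, and difflib's matching ratio stands in for the paper's signature-sequence comparison.

```python
from difflib import SequenceMatcher
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample data (not from the paper): stage-1 learned similarity between
# the vulnerable function and each target function, plus each function's emulated
# signature sequence. The true clone is only 3rd under the learned model.
LEARNED_SIM: Dict[str, float] = {
    "parse_hdr": 0.91, "copy_buf": 0.88, "vuln_clone": 0.84,
    "init_ctx": 0.80, "free_ctx": 0.41, "log_msg": 0.22,
}
SIGNATURES: Dict[str, List[str]] = {
    "vuln": ["memcpy", "cmp:len>255", "ret:0"],
    "parse_hdr": ["strlen", "cmp:len>0", "ret:1"],
    "copy_buf": ["memcpy", "ret:0"],
    "vuln_clone": ["memcpy", "cmp:len>255", "ret:0"],
    "init_ctx": ["malloc", "memset", "ret:ptr"],
    "free_ctx": ["free", "ret:0"],
    "log_msg": ["printf", "ret:0"],
}

def coarse_filter(learned_sim: Dict[str, float], m: int) -> List[str]:
    """Stage 1: keep the M functions ranked highest by the learned model."""
    return [n for n, _ in sorted(learned_sim.items(), key=lambda kv: -kv[1])[:m]]

def seq_similarity(a: Sequence[str], b: Sequence[str]) -> float:
    """Assumed metric: fraction of signature events matched in order (difflib)."""
    return SequenceMatcher(None, a, b).ratio()

def rerank(candidates: List[str], sigs: Dict[str, List[str]],
           vuln_sig: List[str]) -> List[Tuple[str, float]]:
    """Stage 2: order the M survivors by similarity of their emulated signatures."""
    scored = [(n, seq_similarity(sigs[n], vuln_sig)) for n in candidates]
    return sorted(scored, key=lambda kv: -kv[1])  # stable: ties keep stage-1 order

def rank_of(ranked: Sequence[str], target: str) -> Optional[int]:
    """1-based rank of target in a name list, or None if it was filtered out."""
    return ranked.index(target) + 1 if target in ranked else None

def mean_reciprocal_rank(ranks: Sequence[Optional[int]]) -> float:
    """MRR over one query per known vulnerability; a miss contributes 0."""
    return sum((1.0 / r if r else 0.0) for r in ranks) / len(ranks)

def top_n_accuracy(ranks: Sequence[Optional[int]], n: int) -> float:
    """Share of queries whose true function lands in the top N."""
    return sum(1 for r in ranks if r and r <= n) / len(ranks)

if __name__ == "__main__":
    cands = coarse_filter(LEARNED_SIM, m=4)
    final = [n for n, _ in rerank(cands, SIGNATURES, SIGNATURES["vuln"])]
    print("stage-1 rank:", rank_of(cands, "vuln_clone"), "final rank:", rank_of(final, "vuln_clone"))
```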