SlideShare a Scribd company logo

[Dagstuhl Seminar 17281] Similarity Calculation Method for Binary Executables

Asuka Nakajima, profile picture
Asuka Nakajima

The document discusses a similarity calculation method for binary executables, focusing on malware analysis and vulnerability detection. It covers various techniques for identifying code clones, challenges faced in the similarity calculation process, and outlines the author's research on gapped code clone detection. Additionally, it presents a survey of existing methods and provides a research map in this domain.

Engineering
1 of 40
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
Similarity Calculation Method for Binary Executables Asuka Nakajima NTT Secure Platform Laboratories, Tokyo, Japan Dagstuhl Seminar 17281, July, 2017 Copyright©2017 NTT Corp. All Rights Reserved.
1Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential # whoami Asuka Nakajima - Researcher at NTT Secure Platform Laboratories - Reverse Engineering / Vulnerability Discovery - Organizer of SECCON CTF / Founder of “CTF for GIRLS”  Detection of Code Clone Vulnerability Software A Vulnerable Part Copy Software B Calculate the similarity between vuln func and target binary func
2Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential 1. Background  Software Similarity Calculation on Malware Analysis Field 2. A Survey on Similarity Calculation Method for Binary Executables  Overview  Taxonomy of Program Features  Challenges  Research Map 3. About My Research  Gapped Code Clone Detection in Binary Executables 4. State-of-the-Art Research  GitZ Outline of Today’s Talk : Similarity Calculation Method for Binary Executables
3Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential 1. Background  Software Similarity Calculation on Malware Analysis Field 2. A Survey on Similarity Calculation Method for Binary Executables  Overview  Taxonomy of Program Features  Challenges  Research Map 3. About My Research  Gapped Code Clone Detection in Binary Executables 4. State-of-the-Art Research  GitZ Outline of Today’s Talk : Similarity Calculation Method for Binary Executables
4Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential  Subspecies  Version update  Toolkit-generated malware  Metamorphic / Polymorphic malware  Code Reuse  e.g. Stuxnet/Duqu  Open sourced malware (e.g. Mirai) Background [1/2] Software Similarity Calculation in Malware Analysis Field “program similarity is a key sub-problem in malware analysis” [1]Andrew Walenstein and Arun Lakhotia, “The Software Similarity Problem in Malware Analysis.” In Proceedings Dagstuhl Seminar 06301: Duplication, Redundancy, and Similarity in Software, 10 pp., Dagstuhl, Germany, July 2006. Stuxnet vs Duqu https://www.welivesecurity.com/wp-content/media_files/2_1.png
5Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential  Related Research Area  Copyright Infringement Detection  Source Code Plagiarism Detection  Vulnerability Discovery  Software Evolution Analysis Background [2/2] It can even identify similar function in other binary across different architecture or compilers or compilation options or OS Similarity Calculation Method Has Become Highly Sophisticated
6Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential 1. Background  Software Similarity Calculation on Malware Analysis Field 2. A Survey on Similarity Calculation Method for Binary Executables  Overview  Taxonomy of Program Features  Challenges  Research Map 3. About My Research  Gapped Code Clone Detection in Binary Executables 4. State-of-the-Art Research  GitZ Outline of Today’s Talk : Similarity Calculation Method for Binary Executables
7Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential  Type of Similarity Calculation Method  Dynamic Analysis Based Method  Memory Usage Pattern, API call pattern, etc  Static Analysis Based Method  Control Flow Graph, Instruction, etc A Survey on Similarity Calculation Method for Binary Executables Overview Step 1: Normalize Step 2: Extract Comparables Step 3: Compare Step 4: Analyze, Modify Overview of Static Analysis Based Method[1]
8Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Category Example Graph-based feature Control Flow Graph Data Flow Graph Call Graph Tree-based feature Abstract Syntax Tree S-Expression Text-based feature String Instructions(opcode/operand) API Name Metric-based feature Complexity Hybrid Graph-based + Text-based Other Basic block I/O sampling Program Features A Survey on Similarity Calculation Method for Binary Executables
9Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Category Example Compiler Difference Compiler Optimization Difference 1. Basic Block Reordering 2. Instruction Reordering 3. Function Inlining/Outlining 4. Loop Unrolling 5. Register Reassignment Software Evolution 1. Patch 2. Update 3. Refactoring Obfuscation/Metamorphism 1. Dead Code-Insertion 2. Instruction Substitution 3. Opaque Predicate Insertion Encryption and Packing UPX, etc Architecture Difference (e.g. IoT Malware) x86/x86-64/ARM/MIPS/PPC/etc Challenges in Similarity Calculation on Binary Executables A Survey on Similarity Calculation Method for Binary Executables
10Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential ~2005 ~2009 2010 2011 2012 2013 2014 2015 2016 2017 Research Map of Static Binary Similarity Calculation [1/3] Zeng Wang et.al ’00(BMAT)[2] Martial Bourquin et.al ’13 (BinSlayer)[16] Arun Lakhotia et.al ’13 (BinJuice) [19] Jiang Ming et.al ’12 (iBinHunt)[13] Wei Ming Khoo et.al ’13 (Rendezvous)[15] Sebastian Eschweiler et.al ’16 (discovRE)[29] Jiyong Jang et.al ’11 (BitShred)[12] Beng Heng Ng, et.al ’13 (Exposé)[14] Mahinthan Chandramohan et.al ’16 (BinGo)[28] Steven H.H. Ding et.al ’16 (Kam1n0) [27] Yaniv David et.al ’16 (Esh)[26] Yaniv David et.al ’17 (GitZ)[32] Debin Gao et.al ’08 (BinHunt)[7] Jannik Pewny et.al ’15 (Multi-MH)[24] Halvar Flake ’04 [3] Lannan Luo et.al ’14 (CoP) [21] Andreas Sæbjørnsen et.al ’09 [8] Mohammad Reza Farhadi et.al ’14 (BinClone) [23] He Huang et.al ’17 (BinSequence)[33] Seokwoo Choi et.al ’07[6] Jiyong Jang et.al ’13 (ILINE)[17] Armijn Hemel et.al ’11 (BAT)[10] Emily R. Jacobsom et.al ’11 [9] Tomas Dullien ’05[4] Asuka Nakajima et.al ’16[30] Malware Analysis Vulnerability DiscoveryCopyright Infringement / Plagiarism Detection Software Evolution Analysis (Binary Diffing) General Purpose Binary Similarity Analysis Ginger Myles et.al ’05 (K-gram)[5] Saed Alrabaee et.al ’15 (SIGMA)[25] Ming Xu et.al ’13 [18] Yaniv David et.al ’14 (Tracelet)[20] Jannik Pewny et.al ’14 (TEDEM) [22] Qian Feng et.al ’17 (XMATCH)[34] Qian Feng et.al ’16 [31] Silvio Cesare et.al ’11[11]
11Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential # Compiler Evolution Architecture Obfuscation Encryption Packer 1 2 3 4 5 1 2 3 1 Zeng Wang et.al ’00(BMAT) [2] ○ △ × △ ○ ○ × × △ × × 2 Halvar Flake ’04 [3] △ ○ × △ ○ ○ △ ○ ○ × × 3 Tomas Dullien’05[4] ○ ○ × ○ ○ ○ △ ○ ○ × × 4 Ginger Myles et.al ’05 (K-gram)[5] ○ ○ × ○ ○ ○ △ × × × × 5 Seokwoo Choi et.al ’07 [6] ○ ○ × ○ ○ △ ○ ○ ○ ○ × 6 Debin Gao et.al ’08 (BinHunt) [7] △ ○ × ○ ○ ○ × ○ ○ × × 7 Andreas Sæbjørnsen et.al ’09 [8] × △ × △ ○ ○ × △ △ △ × 8 Emily R. Jacobsom et.al ’11 [9] ○ ○ △ ○ △ △ × ○ △ △ × 9 Armijn Hemel et.al ’11 (BAT) [10] ○ ○ × △ ○ △ ○ △ △ △ × 10 Silvio Cesare et.al ’11[11] △ ○ △ △ ○ ○ ○ ○ ○ × △ 11 Jiyong Jang et.al ’11 (BitShred) [12] △ × △ △ × ○ × △ △ △ △ 12 Jiang Ming et.al ’12 (iBinHunt) [13] ○ ○ ○ ○ ○ ○ × ○ ○ △ × 13 Beng Heng Ng et.al ’13 (Exposé)[14] ○ △ △ ○ ○ ○ × ○ ○ × × 14 Wei Ming Khoo et.al ’13(Rendezvous)[15] △ △ × △ ○ △ × △ × × × 15 Martial Bourquin et.al ’13 (BinSlayer)[16] △ ○ × △ ○ ○ ○ ○ ○ × × 16 Jiyong Jang et.al ’13 (ILINE)[17] ○ △ △ △ ○ ○ × × ○ × × 17 Ming Xu et.al ’13 [18] ○ ○ × △ ○ △ × × ○ × × Research Map of Static Binary Similarity Calculation [2/3]
12Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential # Compiler Evolution Architecture Obfuscation Encryption Packer 1 2 3 4 5 1 2 3 18 Arun Lakhotia et.al ’13 (BinJuice) [19] ○ ○ △ △ ○ △ × △ △ △ × 19 Yaniv David et.al ’14 (Tracelet)[20] ○ △ × × ○ ○ × × × × × 20 Lannan Luo et.al ’14 (CoP) [21] △ ○ △ ○ ○ ○ × ○ ○ △ × 21 Jannik Pewny et.al ’14 (TEDEM) [22] △ ○ × △ ○ ○ × ○ ○ × × 22 Mohammad Reza Farhadi et.al ’14 (BinClone) [23] × △ × △ ○ △ × △ △ △ × 23 Jannik Pewny et.al ’15 (Multi-MH)[24] ○ ○ × ○ ○ △ ○ ○ ○ △ × 24 Saed Alrabaee et.al ’15 (SIGMA)[25] △ ○ × △ ○ ○ × △ △ × × 25 Yaniv David et.al ’16 (Esh)[26] ○ △ × △ ○ △ ○ × × × × 26 Steven H.H. Ding et.al ’16 (Kam1n0) [27] ○ △ △ △ ○ ○ × △ △ × × 27 Mahinthan Chandramohan et.al ’16 (BinGo)[28] ○ ○ ○ ○ ○ △ ○ ○ ○ × × 28 Sebastian Eschweiler et.al ’16 (discovRE)[29] △ ○ × △ ○ ○ ○ × × × × 29 Asuka Nakajima et.al ’16[30] × △ △ △ ○ ○ × △ △ △ × 30 Qian Feng et.al ’16 [31] △ ○ × △ ○ △ ○ △ △ × × 31 Yaniv David et.al ’17 (GitZ)[32] ○ △ × △ ○ △ ○ × × × × 32 He Huang et.al ’17 (BinSequence)[33] △ △ × △ ○ ○ × △ △ × × 33 Qian Feng et.al ’17 (XMATCH)[34] ○ ○ △ △ ○ △ ○ ○ ○ × × Research Map of Static Binary Similarity Calculation [3/3]
13Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential # Compiler Evolution Architecture Obfuscation Encryption Packer 1 2 3 4 5 1 2 3 18 Arun Lakhotia et.al ’13 (BinJuice) [19] ○ ○ △ △ ○ △ × △ △ △ × 19 Yaniv David et.al ’14 (Tracelet)[20] ○ △ × × ○ ○ × × × × × 20 Lannan Luo et.al ’14 (CoP) [21] △ ○ △ ○ ○ ○ × ○ ○ △ × 21 Jannik Pewny et.al ’14 (TEDEM) [22] △ ○ × △ ○ ○ × ○ ○ × × 22 Mohammad Reza Farhadi et.al ’14 (BinClone) [23] × △ × △ ○ △ × △ △ △ × 23 Jannik Pewny et.al ’15 (Multi-MH)[24] ○ ○ × ○ ○ △ ○ ○ ○ △ × 24 Saed Alrabaee et.al ’15 (SIGMA)[25] △ ○ × △ ○ ○ × △ △ × × 25 Yaniv David et.al ’16 (Esh)[26] ○ △ × △ ○ △ ○ × × × × 26 Steven H.H. Ding et.al ’16 (Kam1n0) [27] ○ △ △ △ ○ ○ × △ △ × × 27 Mahinthan Chandramohan et.al ’16 (BinGo)[28] ○ ○ ○ ○ ○ △ ○ ○ ○ × × 28 Sebastian Eschweiler et.al ’16 (discovRE)[29] △ ○ × △ ○ ○ ○ × × × × 29 Asuka Nakajima et.al ’16[30] × △ △ △ ○ ○ × △ △ △ × 30 Qian Feng et.al ’16 [31] △ ○ × △ ○ △ ○ △ △ × × 31 Yaniv David et.al ’17 (GitZ)[32] ○ △ × △ ○ △ ○ × × × × 32 He Huang et.al ’17 (BinSequence)[33] △ △ × △ ○ ○ × △ △ × × 33 Qian Feng et.al ’17 (XMATCH)[34] ○ ○ △ △ ○ △ ○ ○ ○ × × Research Map of Static Binary Similarity Calculation [3/3]
14Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential 1. Background  Software Similarity Calculation on Malware Analysis Field 2. A Survey on Similarity Calculation Method for Binary Executables  Overview  Taxonomy of Program Features  Challenges  Research Map 3. About My Research  Gapped Code Clone Detection in Binary Executables 4. State-of-the-Art Research  GitZ Outline of Today’s Talk : Similarity Calculation Method for Binary Executables
15Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential  Background & Motivation  Discover Code Clone Vulnerability in Binary Executables  Windows, Adobe Reader, etc  Method that can discover Gapped Code Clone Vulnerability  Source Code Modification (add multiple lines, I/O Change) About My Research: Gapped Code Clone Detection in Binary Executables It can be also applied to malware analysis field
16Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential About My Research: Gapped Code Clone Detection in Binary Executables push REG mov REG REG mov REG VAL call MEM ・・・ mov REG REG push REG mov REG REG push REG push REG mov REG MEM mov REG MEM lea REG MEM ・・・ Similarity Calculation Similarity N% Vuln part Target Binary System Image Step1: Disassemble Step2: Normalization Step3: Similarity Calculation Input Binaryfile - Unpatched vuln - Target Binary File Output Vulnerability Candidate ● System Overview - Needleman-Wunsh Algorithm - Applied “Affine Gap Penalty”
17Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential About My Research: Gapped Code Clone Detection in Binary Executables Search similar region between two given strings LCS (Global Alignment) Smith-Waterman (Local Alignment) Needleman-Wunsch (Semi-Global Alignment) mov REG REG mov REG REG call MEM test REG REG push REG REG push REG REG call MEM test REG REG jmp MEM xor REG REG pop REG pop REG ・ ・ mov REG REG mov REG REG call MEM test REG REG push REG REG push REG REG call MEM test REG REG jmp MEM xor REG REG pop REG pop REG ・ ・ mov REG REG mov REG REG call MEM test REG REG mov REG REG push REG REG push REG REG call MEM test REG REG jmp MEM xor REG REG pop REG pop REG ・ String1 (source) String2 (dest) String1 (source) String2 (dest) String1 (source) String2 (dest) Search all similar part between two given string Search the region (in string2) that best matches to string1 Needleman-Wunsch is most suitable
18Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Approach: Disassemble & Normalization Disassemble ※Example Normalization (Operand) ・Binary File(unpatched vuln) ・Target Binary File Different assembly(operand) will be generated even the source code is same※ VAL MEM REG Immediate val Memory Register Before After mov eax ecx mov REG REG Original Copy shr rdx,1 lea rdi,[rdx+0x4] call 3f3d0 shr rdx,1 lea rdi,[rdx+0x4] call 41d630 Original Copy xor ebx, ebx add rsp, 38h mov eax, ebx pop rbx pop rbp pop r12 pop r13 retn xor r12d, r12d add rsp, 38h mov eax, r12d pop rbx pop rbp pop r12 pop r13 retn 1 2
19Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Similarity = 𝑺𝒄𝒐𝒓𝒆 𝒐𝒇 𝑴𝒐𝒔𝒕 𝑺𝒊𝒎𝒊𝒍𝒂𝒓 𝑷𝒂𝒓𝒕 𝑴𝒂𝒙𝒊𝒎𝒖𝒎 𝑺𝒄𝒐𝒓𝒆(𝑨𝒍𝒍 𝑴𝒂𝒕𝒄𝒉𝒆𝒅 𝑪𝒂𝒔𝒆) Needleman-Wunsch(Normal Gap) match +2point mismatch –2point gap –1point ■Match ■Mismatch ■Gap pop rax pop rax pop rax push rcx pop rax call rax pop rax Needleman-Wunsch (AffineGap) match +2point mismatch -2point open gap※ -3point extended gap -0.5point Score Calculation Distinct the Gap ※Open gap:The first gap of multiple gaps Approach: Similarity Calculation [1/3]
20Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Affine Gap penalty can mitigate the significant score drop due to the source code modification int main(int argc, char* argv[]){ if(argc !=2){ printf("Usage:%s <your name>¥n", argv[0]); return 1; } printf(“Argument:%d,%s¥n",argc,argv[1]); printf("Hello World! %s¥n", argv[1]); return 0; } push ebp mov ebp,esp and esp,0xfffffff0 sub esp,0x10 cmp DWORD PTR [ebp+0x8],0x2 je 0x8048448 <main+43> mov eax,DWORD PTR [ebp+0xc] mov eax,DWORD PTR [eax] mov DWORD PTR [esp+0x4],eax mov DWORD PTR [esp],0x8048520 call 0x80482f0 <printf@plt> mov eax,0x1 jmp 0x8048484 <main+103> mov eax,DWORD PTR [ebp+0xc] add eax,0x4 mov eax,DWORD PTR [eax] mov DWORD PTR [esp+0x8],eax mov eax,DWORD PTR [ebp+0x8] mov DWORD PTR [esp+0x4],eax mov DWORD PTR [esp],0x8048536 call 0x80482f0 <printf@plt> mov eax,DWORD PTR [ebp+0xc] add eax,0x4 mov eax,DWORD PTR [eax] mov DWORD PTR [esp+0x4],eax mov DWORD PTR [esp],0x8048546 call 0x80482f0 <printf@plt> mov eax,0x0 leave ret ■ Normal gap ■ Affine Gap Total36p 22×2 = 44 Total37.5p Adding 1L Source Code = Adding 8L Assembly Code 8 ×-1 = -8 22×2 = 44 1 ×-3 =-3 7×-0.5 =-3.5 Source Code Assembly Approach: Similarity Calculation [3/3]
21Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Evaluation Calculate the similarity between original and copied binary Vuln1 (CVE-2008-4314) Original Vuln2 (CVE-2008-5023) Original Vuln1 (CVE-2008-4314) Copy Vuln2 (CVE-2008-5023) Copy ?% Vuln1 (CVE-2008-4314) Original Vuln2 (CVE-2008-5023) Original ?% Dataset(432 binary) Ubuntu12.04 /bin,/usr/lib (x86-64/ELF) [score setting] Match2p, Mismatch -2p, Opengap-3p, Extendedgap-0.5p Calculate the similarity between original and dataset binary [GOAL] Evaluate the validity of the approach
22Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Case1: CVE-2008-4316 (Source Code) g_base64_encode (const guchar *data,gsize len){ gchar *out; gint state = 0, outlen; gint save = 0; g_return_val_if_fail (data != NULL, NULL); g_return_val_if_fail (len > 0, NULL); out = g_malloc (len * 4 / 3 + 4); outlen = g_base64_encode_step (data, len, FALSE, out, &state, &save); outlen += g_base64_encode_close (FALSE, out + outlen, &state, &save); out[outlen] = '¥0'; return (gchar *) out; } seahorse_base64_encode (const guchar *data,gsize len){ gchar *out; gint state = 0, outlen; gint save = 0; out = g_malloc (len * 4 / 3 + 4); outlen = seahorse_base64_encode_step (data, len, FALSE, out, &state, &save); outlen += seahorse_base64_encode_close (FALSE,out + outlen,&state,&save); out[outlen] = '¥0'; return (gchar *) out; } 2 lines are deletedOriginal [Glib] Copy [Seahorse]
23Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Case2: CVE-2008-5023 (Source Code) PRBool nsXBLBinding::AllowScripts(){ PRBool result; mPrototypeBinding->GetAllowScripts(&result); … nsCOMPtr<nsIDocument> ourDocument; mPrototypeBinding->XBLDocumentInfo()->GetDocument(getter_AddRefs(ourDocument)); PRBool canExecute; nsresult rv = mgr->CanExecuteScripts(cx, ourDocument->NodePrincipal(), &canExecute); return NS_SUCCEEDED(rv) && canExecute; } PRBool nsXBLBinding::AllowScripts(){ PRBool result; mPrototypeBinding->GetAllowScripts(&result); … nsCOMPtr<nsIDocument> ourDocument; mPrototypeBinding->XBLDocumentInfo()->GetDocument(getter_AddRefs(ourDocument)); nsIPrincipal* principal = ourDocument->GetPrincipal(); if (!principal) { return PR_FALSE; } PRBool canExecute; nsresult rv = mgr->CanExecuteScripts(cx, principal, &canExecute); return NS_SUCCEEDED(rv) && canExecute; } Original [Firefox] Copy [Seamonkey] 4 lines are added & 1 line is modified
24Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Evaluation 1 CVE-ID Original Copy Similarity (unpatched) Similarity (patched) Max similarity (Dataset) CVE- 2008-4316 Glib Seahorse 60.7% 11.5% 9.2% CVE- 2008-5023 Firefox Seamonkey 68.8% 38.0% 9.7% The extracted part was the copied vulnerable part Similarity between the dataset was maximum 9.7% Detected codeclone vulnerability in binary executables, even there was source code modification
25Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Evaluation 2 [1/2] 21 Vulnerabilities 40945 binary files CVE-2015-1635 CVE-2014-0301 CVE-2013-5058 CVE-2013-0030 CVE-2011-2005 CVE-2011-0658 CVE-2010-0816 ?% CVE-2010-0028 CVE-2008-4250 CVE-2008-4028 CVE-2007-1794 CVE-2007-0024 CVE-2006-4691 CVE-2006-0021 Windows XP. Windows Vista, Windows 7 Windows 8.1 Windows Server Virus Total(NSRL) [Score setting]match2p,mismatch-2p,opengap-3p,extendedgap-0.5p [Threshold] 20% CVE-2015-1793 CVE-2015-1790 CVE-2015-1789 CVE-2015-0292 CVE-2015-0288 CVE-2015-0287 CVE-2015-0286 14vulnerabilitiesfromWindows 7 vulnerabilitiesfromOpenSSL [GOAL] Detect codeclone vulnerability from real world software product
26Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Evaluation [2/2] Candidate of codeclone vulnerability CVE-ID Original Copy Similarity Result CVE-2008-4250 netapi32.dll (5.1.2600.2952) netlogon.dll (5.2.3790.1830) 37.7%  CVE-2011-0658 oleaut32.dll (5.2.3790.4202) olepro32.dll (6.1.7601.17514) 75.1%  Deadcode CVE-2015-1789 libeay32.dll (0.9.8.31) JunosPulseVpnBg.dll (1.0.0.206) 43.9%  CVE-2015-1793 libeay32.dll (1.0.1.15) JunosPulseVpnBg.dll (1.0.0.206) 39.0%  No attack vector
27Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential CVE-2008-4520 (MS08-067) Details - It was real codeclone BoF vulnerability ! - [original] netapi32.dll [copy] netlogon.dll Original Copy → Vulnerabilitywhichwas usedbyConfickerWorm
28Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential CVE-2008-4520 (MS08-067) Distribution of patch Patch for netapi32.dll KB958644 Patch for netlogon.dll KB961853 Oct/2008 Jan/2009 TIME Patch distribution date differs three month a part 3 month
29Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential 1. Background  Software Similarity Calculation on Malware Analysis Field 2. A Survey on Similarity Calculation Method for Binary Executables  Overview  Taxonomy of Program Features  Challenges  Research Map 3. About My Research  Gapped Code Clone Detection in Binary Executables 4. State-of-the-Art Research  GitZ Outline of Today’s Talk : Similarity Calculation Method for Binary Executables
30Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential State-of-the-art Research Similarity of Binaries through re-Optimization (GitZ) “Similarity of Binaries through re-Optimization” (GitZ) [32] Yaniv David, Nimrod Partush, Eran Yahav, PLDI, June, 2017  Background/Motivation  Develop Cross-{compiler, optimization, architecture} binary code similarity method  Key Idea  Strands  Out-of-context re-optimization
31Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential State-of-the-art Research Similarity of Binaries through re-Optimization (GitZ)  System Overview  Step1: Split the basic block assembly to “strand”  Step2: Lift assembly to IR  Step3: Canonical  Step4: Normalization Basic block(top) and extracted strands (bottom)
32Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential State-of-the-art Research Similarity of Binaries through re-Optimization (GitZ)  System Overview  Step1: Split the basic block assembly to “strand”  Step2: Lift assembly to IR  Step3: Canonical  Step4: Normalization
33Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential State-of-the-art Research Similarity of Binaries through re-Optimization (GitZ)
34Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Questions?
35Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential [1]A. Walenstein and A. Lakhotia, “The Software Similarity Problem in Malware Analysis.” In Proceedings Dagstuhl Seminar 06301: Duplication, Redundancy, and Similarity in Software, 10 pp., Dagstuhl, Germany, July 2006. [2] Z. Wang, K. Pierce and S. McFarling, “BMAT -- A Binary Matching Tool for Stale Profile Propagation”, Journal of Instruction-Level Parallelism, 2, 2000. [3] H. Flake, “Structural Comparison of Executable Objects”, DIMVA 2004,161-173. [4] T. Dullien and R. Rolles “Graph-based comparison of Executable Objects” , SSTIC'05, Rennes, France, June 2005 . [5] G. Myles and C. Collberg, “k-gram Based Software Birthmarks”, In Proceedings of the 2005. ACM Symposium on Applied Computing, ACM, 314-318, 2005. [6] S. Choi, H. Park, H. Lim, and T. Han, “A Static Birthmark of Binary Executables Based on API Call Structure”, ASIAN, 2-16, 2007. [7]D. Gao, M. K. Reiter, and D. Song, ”BinHunt: Automatically Finding Semantic Differences in Binary Programs”, ICICS '08 Proceedings of the 10th International Conference on Information and Communications Security , 238 – 255, Birmingham, UK, October, 2008. [8] A. Sæbjørnsen, J. Willcock, T. Panas, D. Quinlan and Z. Su “Detecting Code Clones in Binary Executables”, In Proceedings of the Eighteenth International. Symposium on Software Testing and Analysis, ISSTA. '09, pages 117–128, New York, NY, USA, 2009. Reference
36Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential [9] E. R. Jacobson, N. Rosenblum and B. P. Miller, “Labeling Library Functions in Stripped Binaries”, In Proceedings of the 10th ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools, PASTE 2011, pp.1-8, 2011. [10] A. Hemel, K. T. Kalleberg and R. Vermaas, ” Finding Software License Violations Through Binary Code Clone Detection”, MSR ’11, Waikiki, Honolulu, HI, USA, May, 2011. [11] S. Cesare and Y. Xiang. ”Malware Variant Detection Using Similarity Search over Sets of Control Flow Graphs”, In Proceedings of the International Conference on Trust, Security and Privacy in Computing and Communications(TrustCom), 2011. [12] J. Jang, D. Brumley and S. Venkataraman,“BitShred: Feature Hashing Malware for Scalable Triage and Semantic Analysis”, CCS’11, October 17–21, 2011, Chicago, Illinois, USA. [13] J. Ming, M. Pang, D. Gao, ”iBinHunt: Binary Hunting with Inter-Procedural Control Flow”, In Proceedings of the 15th Annual International Conference on Information Security and Cryptology, Seoul, Korea, November, 2012 [14] B. H. Ng and A Prakash, “Exposé : Discovering Potential Binary Code Re-Use”, COMPSAC, IEEE 37th Annual, pp. 492–501, 2013 [15] W. M. Khoo, A. Mycroft and R. Anderson, “Rendezvous: A Search Engine for Binary Code”, In: Proceedings of the 10th Working Conference on Mining Software Repositories, MSR 2013, pp.329-338, 2013 Reference
37Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential [16] M. Bourquin, A King and E Robbins, ”BinSlayer: accurate comparison of binary executables”, PPREW ’13, Jan, 2013,Rome, Italy, [17] J. Jang, M. Woo and D. Brumley, “Towards Automatic Software Lineage Inference”, In the Proceedings of the 22nd USENIX Security Symposium, August, 2013, Washington, D.C., USA [18] M. Xu, L. Wu, S. Qi, J. Xu, H. Zhang, Y. Ren and N. Zheng, ”A similarity metric method of obfuscated malware using function-call graph” , Journal in Computer Virology archive Volume 9 Issue 1, February 2013, Pages 35-47. [19] A. Lakhotia, M. D. Preda and R. Giacobazzi “Fast Location of Similar Code Fragments Using Semantic ‘Juice’”, PPREW ’13 Jan 26, 2013, Rome, Italy. [20] Y. David, E. Yahav, “Tracelet-Based Code Search in Executables”, PLDI ’14, June, 2014, Edinburgh, United Kingdom. [21] L. Luo, J Ming, D. Wu, P. Liu, S. Zhu “Semantics-based obfuscation-resilient binary code similarity comparison with applications to software plagiarism detection”, SIGSOFT FSE, 2014, 389-400. [22] J. Pewnyy, F. Schustery, C. Rossowz, L. Bernhardy and T. Holz, “Leveraging Semantic Signatures for Bug Search in Binary Programs”, ACSAC December 8-12, 2014, New Orleans, LA, USA [23] M. R. Farhadi, B. C. M. Fung, P. Charland and M. Debbabi “BinClone: Detecting Code Clones in Malware”, SERE 2014, 78-87. [24] J. Pewny, B. Garmany, R. Gawlik, C. Rossow, T. Holz,“Cross-Architecture Bug Search in Binary Executables”, In Proceedings of the 2015 IEEE Symposium on Security and Privacy, Pages 709-724 Reference
38Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential [25] S. Alrabaee, P. Shirani, L. Wang and M. Debbabi, “SIGMA: A Semantic Integrated Graph Matching Approach for identifying reused functions in binary code”, Digital Investigation 12, S61- S71, 2015 [26] Y. David, N. Partush and E. Yahav, ”Statistical Similarity of Binaries”, In Proceedings of the 37th ACM SIGPLAN Conference on Programming Language Design and Implementation, Pages 266-280, 2016 [27] S. H. H. Ding, B. C. M. Fung and P. Charland, “Kam1n0: MapReduce-based Assembly Clone Search for Reverse Engineering”, KDD ’16 August , 2016, San Francisco, CA, USA [28] M. Chandramohan, Y. Xue, Z. Xu, Y. Liu, C. Y. Cho and T. H. B. Kuan, “BinGo: Cross-Architecture Cross-OS Binary Search”, FSE’16, November , 2016, Seattle, WA, USA [29] S. Eschweiler, K. Yakdan, E. Gerhards-Padilla, “discovRE: Efficient Cross-Architecture Identification of Bugs in Binary Code”, NDSS ’16, February 2016, San Diego, CA, USA [30] [31] Q. Fengy, R. Zhouy, C. Xuy, Y. Chengy, B. Testay, and H. Yin, “Scalable Graph-based Bug Search for Firmware Images”, CCS’16, October, 2016, Vienna, Austria [32] Y. David, N. Partush and E. Yahav, “Similarity of Binaries through re-Optimization”, In Proceedings of the 38th ACM SIGPLAN Conference on Programming Language Design and Implementation , Pages 79-94, 2017 Reference
39Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential [33] H. Huang, A. M. Youssef and M. Debbabi, “BinSequence: Fast, Accurate and Scalable Binary Code Reuse Detection”, ASIA CCS ’17, April 02-06, 2017, Abu Dhabi, United Arab Emirates [34] Q. Feng, M. Wang , M. Zhang, R. Zhou, A. Henderson and Heng Yin, “Extracting Conditional Formulas for Cross-Platform Bug Search”, ASIA CCS ’17, April 02-06, 2017, Abu Dhabi, United Arab Emirates Reference

More Related Content

PDF
Reverse Engineering Dojo: Enhancing Assembly Reading Skills
Asuka Nakajima
 
PDF
技術紹介: S2E: Selective Symbolic Execution Engine
Asuka Nakajima
 
PDF
[JPCERT/CC POC Meeting] 研究紹介 + DLLハイジャックの脆弱性
Asuka Nakajima
 
PDF
第二回CTF勉強会資料
Asuka Nakajima
 
PDF
[CSS×2.0 2014] Polyglotシェルコードの最高記録に挑戦しよう☆
Asuka Nakajima
 
PDF
[セキュリティ・キャンプフォーラム 2014] 卒業生プレゼンテーション 『私とセキュリティと過去と未来』
Asuka Nakajima
 
PDF
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
Asuka Nakajima
 
PDF
[AsiaCCS2019] A Pilot Study on Consumer IoT Device Vulnerability Disclosure a...
Asuka Nakajima
 
Reverse Engineering Dojo: Enhancing Assembly Reading Skills
Asuka Nakajima
 
技術紹介: S2E: Selective Symbolic Execution Engine
Asuka Nakajima
 
[JPCERT/CC POC Meeting] 研究紹介 + DLLハイジャックの脆弱性
Asuka Nakajima
 
第二回CTF勉強会資料
Asuka Nakajima
 
[CSS×2.0 2014] Polyglotシェルコードの最高記録に挑戦しよう☆
Asuka Nakajima
 
[セキュリティ・キャンプフォーラム 2014] 卒業生プレゼンテーション 『私とセキュリティと過去と未来』
Asuka Nakajima
 
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
Asuka Nakajima
 
[AsiaCCS2019] A Pilot Study on Consumer IoT Device Vulnerability Disclosure a...
Asuka Nakajima
 

Recently uploaded (20)

PDF
Human-AI Collaboration: Balancing Agentic AI and Autonomy in Hybrid Systems
ijccsa
 
PDF
UNIT no 1 INTRODUCTION TO DBMS NOTES.pdf
pawarbhaktiit
 
PDF
Accra-Kumasi Expressway - Prefeasibility Report Volume 1 of 7.11.2018.pdf
JeorgeWilsonKingson1
 
PDF
BIO-INSPIRED ARCHITECTURE FOR PARSIMONIOUS CONVERSATIONAL INTELLIGENCE : THE ...
ijaia
 
PDF
Visual Aids for Exploratory Data Analysis.pdf
Ashutosh Satapathy
 
PPTX
Fundamentals of Mechanical Engineering.pptx
MdMowdudAhmed
 
PDF
III.4.1.2_The_Space_Environment.p pdffdf
sittiporn2
 
PPTX
communication and presentation skills 01
CdtAfrazAttaullah
 
PDF
SMART SIGNAL TIMING FOR URBAN INTERSECTIONS USING REAL-TIME VEHICLE DETECTI...
Niraj Aarya
 
PPTX
AUTOMOTIVE ENGINE MANAGEMENT (MECHATRONICS).pptx
joanaabban6
 
PDF
Unit I ESSENTIAL OF DIGITAL MARKETING.pdf
Nitin Shelake
 
PDF
COURSE DESCRIPTOR OF SURVEYING R24 SYLLABUS
MNANDITHACIVILSTAFF
 
PPTX
"Array and Linked List in Data Structures with Types, Operations, Implementat...
usham61
 
PDF
Design Guidelines and solutions for Plastics parts
ferdinand937933
 
PPT
INTRODUCTION -Data Warehousing and Mining-M.Tech- VTU.ppt
Subramanyam Natarajan
 
PDF
BIO-INSPIRED HORMONAL MODULATION AND ADAPTIVE ORCHESTRATION IN S-AI-GPT
ijaia
 
PPTX
CURRICULAM DESIGN engineering FOR CSE 2025.pptx
Amuda3
 
PPTX
6ME3A-Unit-II-Sensors and Actuators_Handouts.pptx
anukaranugi
 
PDF
Soil Improvement Techniques Note - Rabbi
rahmatideal000
 
PPTX
Module 8- Technological and Communication Skills.pptx
Ramya Nellutla
 
Human-AI Collaboration: Balancing Agentic AI and Autonomy in Hybrid Systems
ijccsa
 
UNIT no 1 INTRODUCTION TO DBMS NOTES.pdf
pawarbhaktiit
 
Accra-Kumasi Expressway - Prefeasibility Report Volume 1 of 7.11.2018.pdf
JeorgeWilsonKingson1
 
BIO-INSPIRED ARCHITECTURE FOR PARSIMONIOUS CONVERSATIONAL INTELLIGENCE : THE ...
ijaia
 
Visual Aids for Exploratory Data Analysis.pdf
Ashutosh Satapathy
 
Fundamentals of Mechanical Engineering.pptx
MdMowdudAhmed
 
III.4.1.2_The_Space_Environment.p pdffdf
sittiporn2
 
communication and presentation skills 01
CdtAfrazAttaullah
 
SMART SIGNAL TIMING FOR URBAN INTERSECTIONS USING REAL-TIME VEHICLE DETECTI...
Niraj Aarya
 
AUTOMOTIVE ENGINE MANAGEMENT (MECHATRONICS).pptx
joanaabban6
 
Unit I ESSENTIAL OF DIGITAL MARKETING.pdf
Nitin Shelake
 
COURSE DESCRIPTOR OF SURVEYING R24 SYLLABUS
MNANDITHACIVILSTAFF
 
"Array and Linked List in Data Structures with Types, Operations, Implementat...
usham61
 
Design Guidelines and solutions for Plastics parts
ferdinand937933
 
INTRODUCTION -Data Warehousing and Mining-M.Tech- VTU.ppt
Subramanyam Natarajan
 
BIO-INSPIRED HORMONAL MODULATION AND ADAPTIVE ORCHESTRATION IN S-AI-GPT
ijaia
 
CURRICULAM DESIGN engineering FOR CSE 2025.pptx
Amuda3
 
6ME3A-Unit-II-Sensors and Actuators_Handouts.pptx
anukaranugi
 
Soil Improvement Techniques Note - Rabbi
rahmatideal000
 
Module 8- Technological and Communication Skills.pptx
Ramya Nellutla
 
Ad

Featured (20)

PDF
2024 Trend Updates: What Really Works In SEO & Content Marketing
Search Engine Journal
 
PDF
Storytelling For The Web: Integrate Storytelling in your Design Process
Chiara Aliotta
 
PDF
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
OECD Directorate for Financial and Enterprise Affairs
 
PDF
How to Leverage AI to Boost Employee Wellness - Lydia Di Francesco - SocialHR...
SocialHRCamp
 
PDF
2024 State of Marketing Report – by Hubspot
Marius Sescu
 
PDF
Everything You Need To Know About ChatGPT
Expeed Software
 
PDF
Product Design Trends in 2024 | Teenage Engineerings
Pixeldarts
 
PDF
How Race, Age and Gender Shape Attitudes Towards Mental Health
ThinkNow
 
PDF
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
marketingartwork
 
PDF
Skeleton Culture Code
Skeleton Technologies
 
PDF
PEPSICO Presentation to CAGNY Conference Feb 2024
Neil Kimberley
 
PDF
Content Methodology: A Best Practices Report (Webinar)
contently
 
PPTX
How to Prepare For a Successful Job Search for 2024
Albert Qian
 
PDF
Social Media Marketing Trends 2024 // The Global Indie Insights
Kurio // The Social Media Age(ncy)
 
PDF
Trends In Paid Search: Navigating The Digital Landscape In 2024
Search Engine Journal
 
PDF
5 Public speaking tips from TED - Visualized summary
SpeakerHub
 
PDF
ChatGPT and the Future of Work - Clark Boyd
Clark Boyd
 
PDF
Getting into the tech field. what next
Tessa Mero
 
PDF
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Lily Ray
 
PDF
How to have difficult conversations
Rajiv Jayarajah, MAppComm, ACC
 
2024 Trend Updates: What Really Works In SEO & Content Marketing
Search Engine Journal
 
Storytelling For The Web: Integrate Storytelling in your Design Process
Chiara Aliotta
 
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
OECD Directorate for Financial and Enterprise Affairs
 
How to Leverage AI to Boost Employee Wellness - Lydia Di Francesco - SocialHR...
SocialHRCamp
 
2024 State of Marketing Report – by Hubspot
Marius Sescu
 
Everything You Need To Know About ChatGPT
Expeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Pixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
ThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
marketingartwork
 
Skeleton Culture Code
Skeleton Technologies
 
PEPSICO Presentation to CAGNY Conference Feb 2024
Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
contently
 
How to Prepare For a Successful Job Search for 2024
Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Kurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
SpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
Clark Boyd
 
Getting into the tech field. what next
Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Lily Ray
 
How to have difficult conversations
Rajiv Jayarajah, MAppComm, ACC
 
Ad

[Dagstuhl Seminar 17281] Similarity Calculation Method for Binary Executables

  • 1. Similarity Calculation Method for Binary Executables Asuka Nakajima NTT Secure Platform Laboratories, Tokyo, Japan Dagstuhl Seminar 17281, July, 2017 Copyright©2017 NTT Corp. All Rights Reserved.
  • 2. 1Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential # whoami Asuka Nakajima - Researcher at NTT Secure Platform Laboratories - Reverse Engineering / Vulnerability Discovery - Organizer of SECCON CTF / Founder of “CTF for GIRLS”  Detection of Code Clone Vulnerability Software A Vulnerable Part Copy Software B Calculate the similarity between vuln func and target binary func
  • 3. 2Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential 1. Background  Software Similarity Calculation on Malware Analysis Field 2. A Survey on Similarity Calculation Method for Binary Executables  Overview  Taxonomy of Program Features  Challenges  Research Map 3. About My Research  Gapped Code Clone Detection in Binary Executables 4. State-of-the-Art Research  GitZ Outline of Today’s Talk : Similarity Calculation Method for Binary Executables
  • 4. 3Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential 1. Background  Software Similarity Calculation on Malware Analysis Field 2. A Survey on Similarity Calculation Method for Binary Executables  Overview  Taxonomy of Program Features  Challenges  Research Map 3. About My Research  Gapped Code Clone Detection in Binary Executables 4. State-of-the-Art Research  GitZ Outline of Today’s Talk : Similarity Calculation Method for Binary Executables
  • 5. 4Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential  Subspecies  Version update  Toolkit-generated malware  Metamorphic / Polymorphic malware  Code Reuse  e.g. Stuxnet/Duqu  Open sourced malware (e.g. Mirai) Background [1/2] Software Similarity Calculation in Malware Analysis Field “program similarity is a key sub-problem in malware analysis” [1]Andrew Walenstein and Arun Lakhotia, “The Software Similarity Problem in Malware Analysis.” In Proceedings Dagstuhl Seminar 06301: Duplication, Redundancy, and Similarity in Software, 10 pp., Dagstuhl, Germany, July 2006. Stuxnet vs Duqu https://www.welivesecurity.com/wp-content/media_files/2_1.png
  • 6. 5Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential  Related Research Area  Copyright Infringement Detection  Source Code Plagiarism Detection  Vulnerability Discovery  Software Evolution Analysis Background [2/2] It can even identify similar function in other binary across different architecture or compilers or compilation options or OS Similarity Calculation Method Has Become Highly Sophisticated
  • 7. 6Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential 1. Background  Software Similarity Calculation on Malware Analysis Field 2. A Survey on Similarity Calculation Method for Binary Executables  Overview  Taxonomy of Program Features  Challenges  Research Map 3. About My Research  Gapped Code Clone Detection in Binary Executables 4. State-of-the-Art Research  GitZ Outline of Today’s Talk : Similarity Calculation Method for Binary Executables
  • 8. 7Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential  Type of Similarity Calculation Method  Dynamic Analysis Based Method  Memory Usage Pattern, API call pattern, etc  Static Analysis Based Method  Control Flow Graph, Instruction, etc A Survey on Similarity Calculation Method for Binary Executables Overview Step 1: Normalize Step 2: Extract Comparables Step 3: Compare Step 4: Analyze, Modify Overview of Static Analysis Based Method[1]
  • 9. 8Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Category Example Graph-based feature Control Flow Graph Data Flow Graph Call Graph Tree-based feature Abstract Syntax Tree S-Expression Text-based feature String Instructions(opcode/operand) API Name Metric-based feature Complexity Hybrid Graph-based + Text-based Other Basic block I/O sampling Program Features A Survey on Similarity Calculation Method for Binary Executables
  • 10. 9Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Category Example Compiler Difference Compiler Optimization Difference 1. Basic Block Reordering 2. Instruction Reordering 3. Function Inlining/Outlining 4. Loop Unrolling 5. Register Reassignment Software Evolution 1. Patch 2. Update 3. Refactoring Obfuscation/Metamorphism 1. Dead Code-Insertion 2. Instruction Substitution 3. Opaque Predicate Insertion Encryption and Packing UPX, etc Architecture Difference (e.g. IoT Malware) x86/x86-64/ARM/MIPS/PPC/etc Challenges in Similarity Calculation on Binary Executables A Survey on Similarity Calculation Method for Binary Executables
  • 11. 10Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential ~2005 ~2009 2010 2011 2012 2013 2014 2015 2016 2017 Research Map of Static Binary Similarity Calculation [1/3] Zeng Wang et.al ’00(BMAT)[2] Martial Bourquin et.al ’13 (BinSlayer)[16] Arun Lakhotia et.al ’13 (BinJuice) [19] Jiang Ming et.al ’12 (iBinHunt)[13] Wei Ming Khoo et.al ’13 (Rendezvous)[15] Sebastian Eschweiler et.al ’16 (discovRE)[29] Jiyong Jang et.al ’11 (BitShred)[12] Beng Heng Ng, et.al ’13 (Exposé)[14] Mahinthan Chandramohan et.al ’16 (BinGo)[28] Steven H.H. Ding et.al ’16 (Kam1n0) [27] Yaniv David et.al ’16 (Esh)[26] Yaniv David et.al ’17 (GitZ)[32] Debin Gao et.al ’08 (BinHunt)[7] Jannik Pewny et.al ’15 (Multi-MH)[24] Halvar Flake ’04 [3] Lannan Luo et.al ’14 (CoP) [21] Andreas Sæbjørnsen et.al ’09 [8] Mohammad Reza Farhadi et.al ’14 (BinClone) [23] He Huang et.al ’17 (BinSequence)[33] Seokwoo Choi et.al ’07[6] Jiyong Jang et.al ’13 (ILINE)[17] Armijn Hemel et.al ’11 (BAT)[10] Emily R. Jacobsom et.al ’11 [9] Tomas Dullien ’05[4] Asuka Nakajima et.al ’16[30] Malware Analysis Vulnerability DiscoveryCopyright Infringement / Plagiarism Detection Software Evolution Analysis (Binary Diffing) General Purpose Binary Similarity Analysis Ginger Myles et.al ’05 (K-gram)[5] Saed Alrabaee et.al ’15 (SIGMA)[25] Ming Xu et.al ’13 [18] Yaniv David et.al ’14 (Tracelet)[20] Jannik Pewny et.al ’14 (TEDEM) [22] Qian Feng et.al ’17 (XMATCH)[34] Qian Feng et.al ’16 [31] Silvio Cesare et.al ’11[11]
  • 12. 11Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential # Compiler Evolution Architecture Obfuscation Encryption Packer 1 2 3 4 5 1 2 3 1 Zeng Wang et.al ’00(BMAT) [2] ○ △ × △ ○ ○ × × △ × × 2 Halvar Flake ’04 [3] △ ○ × △ ○ ○ △ ○ ○ × × 3 Tomas Dullien’05[4] ○ ○ × ○ ○ ○ △ ○ ○ × × 4 Ginger Myles et.al ’05 (K-gram)[5] ○ ○ × ○ ○ ○ △ × × × × 5 Seokwoo Choi et.al ’07 [6] ○ ○ × ○ ○ △ ○ ○ ○ ○ × 6 Debin Gao et.al ’08 (BinHunt) [7] △ ○ × ○ ○ ○ × ○ ○ × × 7 Andreas Sæbjørnsen et.al ’09 [8] × △ × △ ○ ○ × △ △ △ × 8 Emily R. Jacobsom et.al ’11 [9] ○ ○ △ ○ △ △ × ○ △ △ × 9 Armijn Hemel et.al ’11 (BAT) [10] ○ ○ × △ ○ △ ○ △ △ △ × 10 Silvio Cesare et.al ’11[11] △ ○ △ △ ○ ○ ○ ○ ○ × △ 11 Jiyong Jang et.al ’11 (BitShred) [12] △ × △ △ × ○ × △ △ △ △ 12 Jiang Ming et.al ’12 (iBinHunt) [13] ○ ○ ○ ○ ○ ○ × ○ ○ △ × 13 Beng Heng Ng et.al ’13 (Exposé)[14] ○ △ △ ○ ○ ○ × ○ ○ × × 14 Wei Ming Khoo et.al ’13(Rendezvous)[15] △ △ × △ ○ △ × △ × × × 15 Martial Bourquin et.al ’13 (BinSlayer)[16] △ ○ × △ ○ ○ ○ ○ ○ × × 16 Jiyong Jang et.al ’13 (ILINE)[17] ○ △ △ △ ○ ○ × × ○ × × 17 Ming Xu et.al ’13 [18] ○ ○ × △ ○ △ × × ○ × × Research Map of Static Binary Similarity Calculation [2/3]
  • 13. 12Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential # Compiler Evolution Architecture Obfuscation Encryption Packer 1 2 3 4 5 1 2 3 18 Arun Lakhotia et.al ’13 (BinJuice) [19] ○ ○ △ △ ○ △ × △ △ △ × 19 Yaniv David et.al ’14 (Tracelet)[20] ○ △ × × ○ ○ × × × × × 20 Lannan Luo et.al ’14 (CoP) [21] △ ○ △ ○ ○ ○ × ○ ○ △ × 21 Jannik Pewny et.al ’14 (TEDEM) [22] △ ○ × △ ○ ○ × ○ ○ × × 22 Mohammad Reza Farhadi et.al ’14 (BinClone) [23] × △ × △ ○ △ × △ △ △ × 23 Jannik Pewny et.al ’15 (Multi-MH)[24] ○ ○ × ○ ○ △ ○ ○ ○ △ × 24 Saed Alrabaee et.al ’15 (SIGMA)[25] △ ○ × △ ○ ○ × △ △ × × 25 Yaniv David et.al ’16 (Esh)[26] ○ △ × △ ○ △ ○ × × × × 26 Steven H.H. Ding et.al ’16 (Kam1n0) [27] ○ △ △ △ ○ ○ × △ △ × × 27 Mahinthan Chandramohan et.al ’16 (BinGo)[28] ○ ○ ○ ○ ○ △ ○ ○ ○ × × 28 Sebastian Eschweiler et.al ’16 (discovRE)[29] △ ○ × △ ○ ○ ○ × × × × 29 Asuka Nakajima et.al ’16[30] × △ △ △ ○ ○ × △ △ △ × 30 Qian Feng et.al ’16 [31] △ ○ × △ ○ △ ○ △ △ × × 31 Yaniv David et.al ’17 (GitZ)[32] ○ △ × △ ○ △ ○ × × × × 32 He Huang et.al ’17 (BinSequence)[33] △ △ × △ ○ ○ × △ △ × × 33 Qian Feng et.al ’17 (XMATCH)[34] ○ ○ △ △ ○ △ ○ ○ ○ × × Research Map of Static Binary Similarity Calculation [3/3]
  • 14. 13Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential # Compiler Evolution Architecture Obfuscation Encryption Packer 1 2 3 4 5 1 2 3 18 Arun Lakhotia et.al ’13 (BinJuice) [19] ○ ○ △ △ ○ △ × △ △ △ × 19 Yaniv David et.al ’14 (Tracelet)[20] ○ △ × × ○ ○ × × × × × 20 Lannan Luo et.al ’14 (CoP) [21] △ ○ △ ○ ○ ○ × ○ ○ △ × 21 Jannik Pewny et.al ’14 (TEDEM) [22] △ ○ × △ ○ ○ × ○ ○ × × 22 Mohammad Reza Farhadi et.al ’14 (BinClone) [23] × △ × △ ○ △ × △ △ △ × 23 Jannik Pewny et.al ’15 (Multi-MH)[24] ○ ○ × ○ ○ △ ○ ○ ○ △ × 24 Saed Alrabaee et.al ’15 (SIGMA)[25] △ ○ × △ ○ ○ × △ △ × × 25 Yaniv David et.al ’16 (Esh)[26] ○ △ × △ ○ △ ○ × × × × 26 Steven H.H. Ding et.al ’16 (Kam1n0) [27] ○ △ △ △ ○ ○ × △ △ × × 27 Mahinthan Chandramohan et.al ’16 (BinGo)[28] ○ ○ ○ ○ ○ △ ○ ○ ○ × × 28 Sebastian Eschweiler et.al ’16 (discovRE)[29] △ ○ × △ ○ ○ ○ × × × × 29 Asuka Nakajima et.al ’16[30] × △ △ △ ○ ○ × △ △ △ × 30 Qian Feng et.al ’16 [31] △ ○ × △ ○ △ ○ △ △ × × 31 Yaniv David et.al ’17 (GitZ)[32] ○ △ × △ ○ △ ○ × × × × 32 He Huang et.al ’17 (BinSequence)[33] △ △ × △ ○ ○ × △ △ × × 33 Qian Feng et.al ’17 (XMATCH)[34] ○ ○ △ △ ○ △ ○ ○ ○ × × Research Map of Static Binary Similarity Calculation [3/3]
  • 15. 14Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential 1. Background  Software Similarity Calculation on Malware Analysis Field 2. A Survey on Similarity Calculation Method for Binary Executables  Overview  Taxonomy of Program Features  Challenges  Research Map 3. About My Research  Gapped Code Clone Detection in Binary Executables 4. State-of-the-Art Research  GitZ Outline of Today’s Talk : Similarity Calculation Method for Binary Executables
  • 16. 15Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential  Background & Motivation  Discover Code Clone Vulnerability in Binary Executables  Windows, Adobe Reader, etc  Method that can discover Gapped Code Clone Vulnerability  Source Code Modification (add multiple lines, I/O Change) About My Research: Gapped Code Clone Detection in Binary Executables It can be also applied to malware analysis field
  • 17. 16Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential About My Research: Gapped Code Clone Detection in Binary Executables push REG mov REG REG mov REG VAL call MEM ・・・ mov REG REG push REG mov REG REG push REG push REG mov REG MEM mov REG MEM lea REG MEM ・・・ Similarity Calculation Similarity N% Vuln part Target Binary System Image Step1: Disassemble Step2: Normalization Step3: Similarity Calculation Input Binaryfile - Unpatched vuln - Target Binary File Output Vulnerability Candidate ● System Overview - Needleman-Wunsh Algorithm - Applied “Affine Gap Penalty”
  • 18. 17Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential About My Research: Gapped Code Clone Detection in Binary Executables Search similar region between two given strings LCS (Global Alignment) Smith-Waterman (Local Alignment) Needleman-Wunsch (Semi-Global Alignment) mov REG REG mov REG REG call MEM test REG REG push REG REG push REG REG call MEM test REG REG jmp MEM xor REG REG pop REG pop REG ・ ・ mov REG REG mov REG REG call MEM test REG REG push REG REG push REG REG call MEM test REG REG jmp MEM xor REG REG pop REG pop REG ・ ・ mov REG REG mov REG REG call MEM test REG REG mov REG REG push REG REG push REG REG call MEM test REG REG jmp MEM xor REG REG pop REG pop REG ・ String1 (source) String2 (dest) String1 (source) String2 (dest) String1 (source) String2 (dest) Search all similar part between two given string Search the region (in string2) that best matches to string1 Needleman-Wunsch is most suitable
  • 19. 18Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Approach: Disassemble & Normalization Disassemble ※Example Normalization (Operand) ・Binary File(unpatched vuln) ・Target Binary File Different assembly(operand) will be generated even the source code is same※ VAL MEM REG Immediate val Memory Register Before After mov eax ecx mov REG REG Original Copy shr rdx,1 lea rdi,[rdx+0x4] call 3f3d0 shr rdx,1 lea rdi,[rdx+0x4] call 41d630 Original Copy xor ebx, ebx add rsp, 38h mov eax, ebx pop rbx pop rbp pop r12 pop r13 retn xor r12d, r12d add rsp, 38h mov eax, r12d pop rbx pop rbp pop r12 pop r13 retn 1 2
  • 20. 19Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Similarity = 𝑺𝒄𝒐𝒓𝒆 𝒐𝒇 𝑴𝒐𝒔𝒕 𝑺𝒊𝒎𝒊𝒍𝒂𝒓 𝑷𝒂𝒓𝒕 𝑴𝒂𝒙𝒊𝒎𝒖𝒎 𝑺𝒄𝒐𝒓𝒆(𝑨𝒍𝒍 𝑴𝒂𝒕𝒄𝒉𝒆𝒅 𝑪𝒂𝒔𝒆) Needleman-Wunsch(Normal Gap) match +2point mismatch –2point gap –1point ■Match ■Mismatch ■Gap pop rax pop rax pop rax push rcx pop rax call rax pop rax Needleman-Wunsch (AffineGap) match +2point mismatch -2point open gap※ -3point extended gap -0.5point Score Calculation Distinct the Gap ※Open gap:The first gap of multiple gaps Approach: Similarity Calculation [1/3]
  • 21. 20Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Affine Gap penalty can mitigate the significant score drop due to the source code modification int main(int argc, char* argv[]){ if(argc !=2){ printf("Usage:%s <your name>¥n", argv[0]); return 1; } printf(“Argument:%d,%s¥n",argc,argv[1]); printf("Hello World! %s¥n", argv[1]); return 0; } push ebp mov ebp,esp and esp,0xfffffff0 sub esp,0x10 cmp DWORD PTR [ebp+0x8],0x2 je 0x8048448 <main+43> mov eax,DWORD PTR [ebp+0xc] mov eax,DWORD PTR [eax] mov DWORD PTR [esp+0x4],eax mov DWORD PTR [esp],0x8048520 call 0x80482f0 <printf@plt> mov eax,0x1 jmp 0x8048484 <main+103> mov eax,DWORD PTR [ebp+0xc] add eax,0x4 mov eax,DWORD PTR [eax] mov DWORD PTR [esp+0x8],eax mov eax,DWORD PTR [ebp+0x8] mov DWORD PTR [esp+0x4],eax mov DWORD PTR [esp],0x8048536 call 0x80482f0 <printf@plt> mov eax,DWORD PTR [ebp+0xc] add eax,0x4 mov eax,DWORD PTR [eax] mov DWORD PTR [esp+0x4],eax mov DWORD PTR [esp],0x8048546 call 0x80482f0 <printf@plt> mov eax,0x0 leave ret ■ Normal gap ■ Affine Gap Total36p 22×2 = 44 Total37.5p Adding 1L Source Code = Adding 8L Assembly Code 8 ×-1 = -8 22×2 = 44 1 ×-3 =-3 7×-0.5 =-3.5 Source Code Assembly Approach: Similarity Calculation [3/3]
  • 22. 21Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Evaluation Calculate the similarity between original and copied binary Vuln1 (CVE-2008-4314) Original Vuln2 (CVE-2008-5023) Original Vuln1 (CVE-2008-4314) Copy Vuln2 (CVE-2008-5023) Copy ?% Vuln1 (CVE-2008-4314) Original Vuln2 (CVE-2008-5023) Original ?% Dataset(432 binary) Ubuntu12.04 /bin,/usr/lib (x86-64/ELF) [score setting] Match2p, Mismatch -2p, Opengap-3p, Extendedgap-0.5p Calculate the similarity between original and dataset binary [GOAL] Evaluate the validity of the approach
  • 23. 22Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Case1: CVE-2008-4316 (Source Code) g_base64_encode (const guchar *data,gsize len){ gchar *out; gint state = 0, outlen; gint save = 0; g_return_val_if_fail (data != NULL, NULL); g_return_val_if_fail (len > 0, NULL); out = g_malloc (len * 4 / 3 + 4); outlen = g_base64_encode_step (data, len, FALSE, out, &state, &save); outlen += g_base64_encode_close (FALSE, out + outlen, &state, &save); out[outlen] = '¥0'; return (gchar *) out; } seahorse_base64_encode (const guchar *data,gsize len){ gchar *out; gint state = 0, outlen; gint save = 0; out = g_malloc (len * 4 / 3 + 4); outlen = seahorse_base64_encode_step (data, len, FALSE, out, &state, &save); outlen += seahorse_base64_encode_close (FALSE,out + outlen,&state,&save); out[outlen] = '¥0'; return (gchar *) out; } 2 lines are deletedOriginal [Glib] Copy [Seahorse]
  • 24. 23Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Case2: CVE-2008-5023 (Source Code) PRBool nsXBLBinding::AllowScripts(){ PRBool result; mPrototypeBinding->GetAllowScripts(&result); … nsCOMPtr<nsIDocument> ourDocument; mPrototypeBinding->XBLDocumentInfo()->GetDocument(getter_AddRefs(ourDocument)); PRBool canExecute; nsresult rv = mgr->CanExecuteScripts(cx, ourDocument->NodePrincipal(), &canExecute); return NS_SUCCEEDED(rv) && canExecute; } PRBool nsXBLBinding::AllowScripts(){ PRBool result; mPrototypeBinding->GetAllowScripts(&result); … nsCOMPtr<nsIDocument> ourDocument; mPrototypeBinding->XBLDocumentInfo()->GetDocument(getter_AddRefs(ourDocument)); nsIPrincipal* principal = ourDocument->GetPrincipal(); if (!principal) { return PR_FALSE; } PRBool canExecute; nsresult rv = mgr->CanExecuteScripts(cx, principal, &canExecute); return NS_SUCCEEDED(rv) && canExecute; } Original [Firefox] Copy [Seamonkey] 4 lines are added & 1 line is modified
  • 25. 24Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Evaluation 1 CVE-ID Original Copy Similarity (unpatched) Similarity (patched) Max similarity (Dataset) CVE- 2008-4316 Glib Seahorse 60.7% 11.5% 9.2% CVE- 2008-5023 Firefox Seamonkey 68.8% 38.0% 9.7% The extracted part was the copied vulnerable part Similarity between the dataset was maximum 9.7% Detected codeclone vulnerability in binary executables, even there was source code modification
  • 26. 25Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Evaluation 2 [1/2] 21 Vulnerabilities 40945 binary files CVE-2015-1635 CVE-2014-0301 CVE-2013-5058 CVE-2013-0030 CVE-2011-2005 CVE-2011-0658 CVE-2010-0816 ?% CVE-2010-0028 CVE-2008-4250 CVE-2008-4028 CVE-2007-1794 CVE-2007-0024 CVE-2006-4691 CVE-2006-0021 Windows XP. Windows Vista, Windows 7 Windows 8.1 Windows Server Virus Total(NSRL) [Score setting]match2p,mismatch-2p,opengap-3p,extendedgap-0.5p [Threshold] 20% CVE-2015-1793 CVE-2015-1790 CVE-2015-1789 CVE-2015-0292 CVE-2015-0288 CVE-2015-0287 CVE-2015-0286 14vulnerabilitiesfromWindows 7 vulnerabilitiesfromOpenSSL [GOAL] Detect codeclone vulnerability from real world software product
  • 27. 26Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Evaluation [2/2] Candidate of codeclone vulnerability CVE-ID Original Copy Similarity Result CVE-2008-4250 netapi32.dll (5.1.2600.2952) netlogon.dll (5.2.3790.1830) 37.7%  CVE-2011-0658 oleaut32.dll (5.2.3790.4202) olepro32.dll (6.1.7601.17514) 75.1%  Deadcode CVE-2015-1789 libeay32.dll (0.9.8.31) JunosPulseVpnBg.dll (1.0.0.206) 43.9%  CVE-2015-1793 libeay32.dll (1.0.1.15) JunosPulseVpnBg.dll (1.0.0.206) 39.0%  No attack vector
  • 28. 27Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential CVE-2008-4520 (MS08-067) Details - It was real codeclone BoF vulnerability ! - [original] netapi32.dll [copy] netlogon.dll Original Copy → Vulnerabilitywhichwas usedbyConfickerWorm
  • 29. 28Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential CVE-2008-4520 (MS08-067) Distribution of patch Patch for netapi32.dll KB958644 Patch for netlogon.dll KB961853 Oct/2008 Jan/2009 TIME Patch distribution date differs three month a part 3 month
  • 30. 29Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential 1. Background  Software Similarity Calculation on Malware Analysis Field 2. A Survey on Similarity Calculation Method for Binary Executables  Overview  Taxonomy of Program Features  Challenges  Research Map 3. About My Research  Gapped Code Clone Detection in Binary Executables 4. State-of-the-Art Research  GitZ Outline of Today’s Talk : Similarity Calculation Method for Binary Executables
  • 31. 30Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential State-of-the-art Research Similarity of Binaries through re-Optimization (GitZ) “Similarity of Binaries through re-Optimization” (GitZ) [32] Yaniv David, Nimrod Partush, Eran Yahav, PLDI, June, 2017  Background/Motivation  Develop Cross-{compiler, optimization, architecture} binary code similarity method  Key Idea  Strands  Out-of-context re-optimization
  • 32. 31Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential State-of-the-art Research Similarity of Binaries through re-Optimization (GitZ)  System Overview  Step1: Split the basic block assembly to “strand”  Step2: Lift assembly to IR  Step3: Canonical  Step4: Normalization Basic block(top) and extracted strands (bottom)
  • 33. 32Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential State-of-the-art Research Similarity of Binaries through re-Optimization (GitZ)  System Overview  Step1: Split the basic block assembly to “strand”  Step2: Lift assembly to IR  Step3: Canonical  Step4: Normalization
  • 34. 33Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential State-of-the-art Research Similarity of Binaries through re-Optimization (GitZ)
  • 35. 34Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Questions?
  • 36. 35Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential [1]A. Walenstein and A. Lakhotia, “The Software Similarity Problem in Malware Analysis.” In Proceedings Dagstuhl Seminar 06301: Duplication, Redundancy, and Similarity in Software, 10 pp., Dagstuhl, Germany, July 2006. [2] Z. Wang, K. Pierce and S. McFarling, “BMAT -- A Binary Matching Tool for Stale Profile Propagation”, Journal of Instruction-Level Parallelism, 2, 2000. [3] H. Flake, “Structural Comparison of Executable Objects”, DIMVA 2004,161-173. [4] T. Dullien and R. Rolles “Graph-based comparison of Executable Objects” , SSTIC'05, Rennes, France, June 2005 . [5] G. Myles and C. Collberg, “k-gram Based Software Birthmarks”, In Proceedings of the 2005. ACM Symposium on Applied Computing, ACM, 314-318, 2005. [6] S. Choi, H. Park, H. Lim, and T. Han, “A Static Birthmark of Binary Executables Based on API Call Structure”, ASIAN, 2-16, 2007. [7]D. Gao, M. K. Reiter, and D. Song, ”BinHunt: Automatically Finding Semantic Differences in Binary Programs”, ICICS '08 Proceedings of the 10th International Conference on Information and Communications Security , 238 – 255, Birmingham, UK, October, 2008. [8] A. Sæbjørnsen, J. Willcock, T. Panas, D. Quinlan and Z. Su “Detecting Code Clones in Binary Executables”, In Proceedings of the Eighteenth International. Symposium on Software Testing and Analysis, ISSTA. '09, pages 117–128, New York, NY, USA, 2009. Reference
  • 37. 36Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential [9] E. R. Jacobson, N. Rosenblum and B. P. Miller, “Labeling Library Functions in Stripped Binaries”, In Proceedings of the 10th ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools, PASTE 2011, pp.1-8, 2011. [10] A. Hemel, K. T. Kalleberg and R. Vermaas, ” Finding Software License Violations Through Binary Code Clone Detection”, MSR ’11, Waikiki, Honolulu, HI, USA, May, 2011. [11] S. Cesare and Y. Xiang. ”Malware Variant Detection Using Similarity Search over Sets of Control Flow Graphs”, In Proceedings of the International Conference on Trust, Security and Privacy in Computing and Communications(TrustCom), 2011. [12] J. Jang, D. Brumley and S. Venkataraman,“BitShred: Feature Hashing Malware for Scalable Triage and Semantic Analysis”, CCS’11, October 17–21, 2011, Chicago, Illinois, USA. [13] J. Ming, M. Pang, D. Gao, ”iBinHunt: Binary Hunting with Inter-Procedural Control Flow”, In Proceedings of the 15th Annual International Conference on Information Security and Cryptology, Seoul, Korea, November, 2012 [14] B. H. Ng and A Prakash, “Exposé : Discovering Potential Binary Code Re-Use”, COMPSAC, IEEE 37th Annual, pp. 492–501, 2013 [15] W. M. Khoo, A. Mycroft and R. Anderson, “Rendezvous: A Search Engine for Binary Code”, In: Proceedings of the 10th Working Conference on Mining Software Repositories, MSR 2013, pp.329-338, 2013 Reference
  • 38. 37Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential [16] M. Bourquin, A King and E Robbins, ”BinSlayer: accurate comparison of binary executables”, PPREW ’13, Jan, 2013,Rome, Italy, [17] J. Jang, M. Woo and D. Brumley, “Towards Automatic Software Lineage Inference”, In the Proceedings of the 22nd USENIX Security Symposium, August, 2013, Washington, D.C., USA [18] M. Xu, L. Wu, S. Qi, J. Xu, H. Zhang, Y. Ren and N. Zheng, ”A similarity metric method of obfuscated malware using function-call graph” , Journal in Computer Virology archive Volume 9 Issue 1, February 2013, Pages 35-47. [19] A. Lakhotia, M. D. Preda and R. Giacobazzi “Fast Location of Similar Code Fragments Using Semantic ‘Juice’”, PPREW ’13 Jan 26, 2013, Rome, Italy. [20] Y. David, E. Yahav, “Tracelet-Based Code Search in Executables”, PLDI ’14, June, 2014, Edinburgh, United Kingdom. [21] L. Luo, J Ming, D. Wu, P. Liu, S. Zhu “Semantics-based obfuscation-resilient binary code similarity comparison with applications to software plagiarism detection”, SIGSOFT FSE, 2014, 389-400. [22] J. Pewnyy, F. Schustery, C. Rossowz, L. Bernhardy and T. Holz, “Leveraging Semantic Signatures for Bug Search in Binary Programs”, ACSAC December 8-12, 2014, New Orleans, LA, USA [23] M. R. Farhadi, B. C. M. Fung, P. Charland and M. Debbabi “BinClone: Detecting Code Clones in Malware”, SERE 2014, 78-87. [24] J. Pewny, B. Garmany, R. Gawlik, C. Rossow, T. Holz,“Cross-Architecture Bug Search in Binary Executables”, In Proceedings of the 2015 IEEE Symposium on Security and Privacy, Pages 709-724 Reference
  • 39. 38Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential [25] S. Alrabaee, P. Shirani, L. Wang and M. Debbabi, “SIGMA: A Semantic Integrated Graph Matching Approach for identifying reused functions in binary code”, Digital Investigation 12, S61- S71, 2015 [26] Y. David, N. Partush and E. Yahav, ”Statistical Similarity of Binaries”, In Proceedings of the 37th ACM SIGPLAN Conference on Programming Language Design and Implementation, Pages 266-280, 2016 [27] S. H. H. Ding, B. C. M. Fung and P. Charland, “Kam1n0: MapReduce-based Assembly Clone Search for Reverse Engineering”, KDD ’16 August , 2016, San Francisco, CA, USA [28] M. Chandramohan, Y. Xue, Z. Xu, Y. Liu, C. Y. Cho and T. H. B. Kuan, “BinGo: Cross-Architecture Cross-OS Binary Search”, FSE’16, November , 2016, Seattle, WA, USA [29] S. Eschweiler, K. Yakdan, E. Gerhards-Padilla, “discovRE: Efficient Cross-Architecture Identification of Bugs in Binary Code”, NDSS ’16, February 2016, San Diego, CA, USA [30] [31] Q. Fengy, R. Zhouy, C. Xuy, Y. Chengy, B. Testay, and H. Yin, “Scalable Graph-based Bug Search for Firmware Images”, CCS’16, October, 2016, Vienna, Austria [32] Y. David, N. Partush and E. Yahav, “Similarity of Binaries through re-Optimization”, In Proceedings of the 38th ACM SIGPLAN Conference on Programming Language Design and Implementation , Pages 79-94, 2017 Reference
  • 40. 39Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential [33] H. Huang, A. M. Youssef and M. Debbabi, “BinSequence: Fast, Accurate and Scalable Binary Code Reuse Detection”, ASIA CCS ’17, April 02-06, 2017, Abu Dhabi, United Arab Emirates [34] Q. Feng, M. Wang , M. Zhang, R. Zhou, A. Henderson and Heng Yin, “Extracting Conditional Formulas for Cross-Platform Bug Search”, ASIA CCS ’17, April 02-06, 2017, Abu Dhabi, United Arab Emirates Reference