检索结果-内蒙古大学图书馆

COMPUTER 2013年第8期46卷 60-68页

作者： Liu, Kaiping Tan, Hee Beng Kuan Chen, Xu Nanyang Technol Univ Temasek Labs Singapore 639798 Singapore Nanyang Technol Univ Sch Elect & Elect Engn Informat Engn Div Singapore 639798 Singapore Chinese Acad Sci Inst Comp Technol Beijing Peoples R China

Static and dynamic analysis of binary code can provide useful information to security researchers without access to assembly code. However, these approaches currently require separate tools, forcing users to perform d... 详细信息

关键词： binary codes Assembly Memory Management Software Engineering Malware binary Executables binary code analysis Static analysis Dynamic analysis

来源：评论

学校读者我要写书评

暂无评论

On the Role of Pre-trained Embeddings in binary code analysis 19

On the Role of Pre-trained Embeddings in Binary Code Analysi...

引用

19th ACM Asia Conference on Computer and Communications Security (ACM AsiaCCS)

作者： Maier, Alwin Weissberg, Felix Rieck, Konrad Max Planck Inst Solar Syst Res Gottingen Germany Tech Univ Berlin Berlin Germany BIFOLD Berlin Germany

ISBN: (纸本)9798400704826

Deep learning has enabled remarkable progress in binary code analysis. In particular, pre-trained embeddings of assembly code have become a gold standard for solving analysis tasks, such as measuring code similarity or recognizing functions. These embeddings are capable of learning a vector representation from unlabeled code. In contrast to natural language processing, however, label information is not scarce for many tasks in binary code analysis. For example, labeled training data for function boundaries, optimization levels, and argument types can be easily derived from debug information provided by a compiler. Consequently, the main motivation of embeddings does not transfer directly to binary code analysis. In this paper, we explore the role of pre-trained embeddings from a critical perspective. To this end, we systematically evaluate recent embeddings for assembly code on five downstream tasks using a corpus of 1.2 million functions from the Debian distribution. We observe that several embeddings perform similarly when sufficient labeled data is available, and that differences reported in prior work are hardly noticeable. Surprisingly, we find that end-to-end learning without pre-training performs best on average, which calls into question the need for specialized embeddings. By varying the amount of labeled data, we eventually derive guidelines for when embeddings offer advantages and when end-to-end learning is preferable for binary code analysis.

关键词： Transfer learning binary code analysis

来源：评论

学校读者我要写书评

暂无评论

FUNPROBE: Probing Functions from binary code through Probabilistic analysis 2023

FUNPROBE: Probing Functions from Binary Code through Probabi...

引用

31st ACM Joint Meeting of the European Software Engineering Conference / Symposium on the Foundations-of-Software-Engineering (ESEC/FSE)

作者： Kim, Soomin Kim, Hyungseok Cha, Sang Kil Korea Adv Inst Sci & Technol SoftSec Lab Seoul South Korea

ISBN: (纸本)9798400703270

Current function identification techniques have been mostly focused on a specific set of binaries compiled for a specific CPU architecture. While recent deep-learning-based approaches theoretically can handle binaries from different architectures, they require significant computation resources for training and inference, making their use less practical. Furthermore, due to the lack of interpretability of such models, it is fundamentally difficult to gain insight from them. Hence, in this paper, we propose FUNPROBE, an efficient system for identifying functions from binaries using probabilistic inference. In particular, we identify 16 architecture-neutral hints for function identification, and devise an effective method to combine them in a probabilistic framework. We evaluate our tool on a large dataset consisting of 19,872 real-world binaries compiled for six major CPU architectures. The results are promising. FUNPROBE shows the best accuracy compared to five state-of-the-art tools we tested, while it takes only 6 seconds on average to analyze a single binary. Notably, FUNPROBE is 6x faster on average in identifying functions than XDA, a state-of-the-art deep-learning tool that leverages GPU in its inference phase.

关键词： binary code analysis function identification probabilistic analysis

来源：评论

学校读者我要写书评

暂无评论

Advanced Reverse Engineering Techniques for binary code Security Retrofitting and analysis

Advanced Reverse Engineering Techniques for Binary Code Secu...

引用

作者： Wang, Shuai PennState University Libraries

学位级别：Doctor of Philosophy

In software security, many techniques and applications depend on binary code reverse engineering, i.e., analyzing and retrofitting executables with the source code unavailable. Despite the fact that many security hardening techniques rely heavily on reverse engineering, modern binary disassembling and reconstruction techniques still cannot adequately fulfill many of the requirements. In particular, no reverse engineering tool can disassemble an executable into assembly code which can be reassembled back in a fully automated manner, especially when the processed objects are Commercial-Off-The-Shelf (COTS) binaries with most symbol and relocation information stripped. Due to the lack of support for direct reassembling, existing binary instrumentation tools leverage patch or replica-based rewriting techniques to guarantee the correct functionality of the instrumented outputs, which usually incur high execution slowdown and binary code size *** present Uroboros, a tool that can disassemble legacy executables to the extent that the generated code can be assembled back to working binaries without manual effort. The key technique proposed in Uroboros is named reassembleable disassembling, in which we develop a set of methods to precisely recover each component of a binary executable, including code, data and meta-information. In particular, Uroboros is the first to be capable of not only recovering the assembly program, but enabling reassembling of the disassembled output with the correct functionality. We further extend Uroboros into a general purpose binary instrumentation platform with a rich set of binary instrumentation APIs and utilities. Our evaluation on widely-used program binaries shows that Uroboros can provide support for reassembly and instrumentation on legacy binary executables with better performance, lower labor cost, and a broader scope of *** addition, we build advanced binary analysis and instrumentation applications for security pur

关键词： reverse engineering software security binary code analysis

来源：评论

学校读者我要写书评

暂无评论

Identifying runtime libraries in statically linked linux binaries

引用

FUTURE GENERATION COMPUTER SYSTEMS-THE INTERNATIONAL JOURNAL OF ESCIENCE 2025年 164卷

作者： Carrillo-Mondejar, Javier Rodriguez, Ricardo J. Univ Zaragoza Dept Informat & Ingn Sistemas Zaragoza Spain Aragon Inst Engn Res I3A Aragon Spain

Vulnerabilities in unpatched applications can originate from third-party dependencies in statically linked applications, as they must be relinked each time to take advantage of libraries that have been updated to fix any vulnerability. Despite this, malware binaries are often statically linked to ensure they run on target platforms and to complicate malware analysis. In this sense, identification of libraries in malware analysis becomes crucial to help filter out those library functions and focus on malware function analysis. In this paper, we introduce MANTILLA, a system for identifying runtime libraries in statically linked Linux-based binaries. Our system is based on radare2 to identify functions and extract their features (independent of the underlying architecture of the binary) through static binary analysis and on the K-nearest neighbors supervised machine learning model and a majority rule to predict final values. MANTILLA is evaluated on a dataset consisting of binaries built for different architectures (MIPSeb, ARMel, Intel x86, and Intel x86-64) and different runtime libraries (uClibc, glibc, and musl), achieving very high accuracy. We also evaluate it in two case studies. First, using a dataset of binary files belonging to the binutils collection and second, using an IoT malware dataset. In both cases, good accuracy results are obtained both in terms of runtime library detection (94.4% and 95.5%, respectively) and architecture identification (100% and 98.6%, respectively).

关键词： binary code analysis Statically linked binaries Runtime library identification IoT Malware

来源：评论

学校读者我要写书评

暂无评论

GENES ISP: code analysis platform

GENES ISP: code analysis platform

引用

Ivannikov Ispras Open Conference (ISPRAS)

作者： Sargsyan, Sevak Vardanyan, Vahagn Aslanyan, Hayk Harutunyan, Mariam Mehrabyan, Matevos Sargsyan, Karen Hovahannisyan, Hripsime Movsisyan, Hovhannes Hakobyan, Jivan Kurmangaleev, Shamil Russian Armenian Slavon Univ Yerevan Armenia ISP RAS Moscow Russia

ISBN: (纸本)9781665412919

In this paper we present a novel code analysis platform referred as "GENESISP". Its aim is to collect vast database of open source software and apply several integrated analyses. This analysis allows to understand relations within source and binary code, as well as detect existing defects. All the analyses are compatible with each other and can be combined, which provides more robust possibilities. In the first stage the framework tries to collect, process and store software related data into database. Various open source resources are used for that purpose. For open source software, we collect and store: source and binary code, debug information, build dependencies, linker commands, confirmed CVE and their possible fixes, etc. For operating systems distributions, we additionally store the list of available software packages. In the second stage the tool performs various analysis: source code clone detection, binary code clone detection, source/binary fragments search, statically linked libraries identification in binaries, unfixed CVE search, source and binary code matching, patch analysis, etc. We provide web interface for convenient use of the provided analyses. Beside it, there is an interactive terminal which enables users to query the database and combine the results of different analysis. We were able to find number of confirmed CVE in mainstream versions of different open source software, which proves the effectiveness of proposed platform.

关键词： GENESISP code analysis code clones patch analysis code query binary code analysis vulnerability detection

来源：评论

学校读者我要写书评

暂无评论

Compiler-provenance identification in obfuscated binaries using vision transformers

引用

FORENSIC SCIENCE INTERNATIONAL-DIGITAL INVESTIGATION 2024年 49卷

作者： Khan, Wasif Alrabaee, Saed Al-kfairy, Mousa Tang, Jie Choo, Kim-Kwang Raymond United Arab Emirates Univ Informat Syst Secur Al Ain 15551 U Arab Emirates Zayed Univ Coll Technol Innovat Abu Dhabi U Arab Emirates Tsinghua Univ Dept Comp Sci Beijing Peoples R China Univ Texas San Antonio Dept Informat Syst & Cyber Secur San Antonio TX USA United Arab Emirates Univ Big Data Analyt Ctr Al Ain 15551 U Arab Emirates United Arab Emirates Univ Coll IT Cybersecur Res Grp Ctr Al Ain 15551 U Arab Emirates

Extracting compiler-provenance-related information (e.g., the source of a compiler, its version, its optimization settings, and compiler-related functions) is crucial for binary-analysis tasks such as function fingerprinting, detecting code clones, and determining authorship attribution. However, the presence of obfuscation techniques has complicated the efforts to automate such extraction. In this paper, we propose an efficient and resilient approach to provenance identification in obfuscated binaries using advanced pre-trained computer-vision models. To achieve this, we transform the program binaries into images and apply a two-layer approach for compiler and optimization prediction. Extensive results from experiments performed on a large-scale dataset show that the proposed method can achieve an accuracy of over 98 % for both obfuscated and deobfuscated binaries.

关键词： Reverse engineering Compiler provenance binary code analysis Malware analysis

来源：评论

学校读者我要写书评

暂无评论

FOSSIL: A Resilient and Efficient System for Identifying FOSS Functions in Malware Binaries

引用

ACM TRANSACTIONS ON PRIVACY AND SECURITY 2018年第2期21卷 1–34页

作者： Alrabaee, Saed Shirani, Paria Wang, Lingyu Debbabi, Mourad Concordia Univ Secur Res Ctr CIISE Montreal PQ H3G 1M8 Canada

Identifying free open-source software (FOSS) packages on binaries when the source code is unavailable is important for many security applications, such as malware detection, software infringement, and digital forensics. This capability enhances both the accuracy and the efficiency of reverse engineering tasks by avoiding false correlations between irrelevant code bases. Although the FOSS package identification problem belongs to the field of software engineering, conventional approaches rely strongly on practical methods in data mining and database searching. However, various challenges in the use of these methods prevent existing function identification approaches from being effective in the absence of source code. To make matters worse, the introduction of obfuscation techniques, the use of different compilers and compilation settings, and software refactoring techniques has made the automated detection of FOSS packages increasingly difficult. With very few exceptions, the existing systems are not resilient to such techniques, and the exceptions are not sufficiently efficient. To address this issue, we propose FOSSIL, a novel resilient and efficient system that incorporates three components. The first component extracts the syntactical features of functions by considering opcode frequencies and applying a hidden Markov model statistical test. The second component applies a neighborhood hash graph kernel to random walks derived from control-flow graphs, with the goal of extracting the semantics of the functions. The third component applies z-score to the normalized instructions to extract the behavior of instructions in a function. The components are integrated using a Bayesian network model, which synthesizes the results to determine the FOSS function. The novel approach of combining these components using the Bayesian network has produced stronger resilience to code obfuscation. We evaluate our system on three datasets, including real-world projects whose use of

关键词： Security Information Systems binary code analysis malicious code analysis function fingerprinting free software packages

来源：评论

学校读者我要写书评

暂无评论

Return Instruction Classification in binary code Using Machine Learning

引用

INTERNATIONAL JOURNAL OF SOFTWARE ENGINEERING AND KNOWLEDGE ENGINEERING 2022年第9期32卷 1419-1452页

作者： Qiu, Jing Geng, Xiaoxu Dong, Feng Zhejiang A&F Univ Hangzhou 311300 Peoples R China Harbin Univ Sci & Technol Harbin 1500010 Peoples R China

binary code analysis is vital in source code unavailable cases, such as malware analysis and software vulnerability mining. Its first step could be function identification. Most function identification methods are based on function prologs/epilogs. However, functions may not have standard prologs/epilogs. To identify these functions, we need to use other methods. One approach is to identify return instructions first and then identify the start of a function. Currently, the multi-layer perceptron model is exploited to identify and validate a return instruction at a specific location. On this basis, a new approach is proposed to improve accuracy and provide more details. Specifically, a return instruction is classified into three classes: (1) false return instruction, (2) true return instruction inner a function but not the last instruction, and (3) true return instruction at the end of a function. The evaluation is performed on 5782 real-world binaries. Meanwhile, common classifiers including fully connected neural network, Two-layer Bidirectional Recurrent Neural Network (TBRNN), Two-layer Bidirectional Gate Recurrent Unit (TBGRU), Two-layer Bidirectional Long Short-term Memory Network (TBLSTM), Decision Tree, Random Forest, XGBoost, and Support Vector Machine (SVM) are evaluated on the same data set. The result shows that TBLSTM achieves an accuracy of 99.78%, which is higher than that of other classifiers in the evaluation, including the state-of-the-art tool IDA Pro 7.7.

关键词： Return instruction classification function identification binary code analysis reverse engineering machine learning

来源：评论

学校读者我要写书评

暂无评论

Approach for estimating similarity between procedures in differently compiled binaries

引用

INFORMATION AND SOFTWARE TECHNOLOGY 2015年第Feb.期58卷 259-271页

作者： Stojanovic, Sasa Radivojevic, Zaharije Cvetanovic, Milos Univ Belgrade Sch Elect Engn Belgrade 11000 Serbia

Context: Detection of an unauthorized use of a software library is a clone detection problem that in case of commercial products has additional complexity due to the fact that only binary code is available. Objective: The goal of this paper is to propose an approach for estimating the level of similarity between the procedures originating from different binary codes. The assumption is that the clones in the binary codes come from the use of a common software library that may be compiled with different toolsets. Method: The approach uses a set of software metrics adapted from the high level languages and it also extends the set with new metrics that take into account syntactical changes that are introduced by the usage of different toolsets and optimizations. Moreover, the approach compares metric values and introduces transformers and formulas that can use training data for production of measure of similarities between the two procedures in binary codes. The approach has been evaluated on programs from STAMP benchmark and BusyBox tool, compiled with different toolsets in different modes. Results: The experiments with programs from STAMP benchmark show that detecting the same procedures recall can be up to 1.44 times higher using new metrics. Knowledge about the used compiling toolset can bring up to 2.28 times improvement in recall. The experiment with BusyBox tool shows 43% recall for 43% precision. Conclusion: The most useful newly proposed metrics are those that consider the frequency of arithmetic instructions, the number and frequency of occurrences for instructions, and the number of occurrences for target addresses in calls. The best way to combine the results of comparing metrics is to use a geometric mean or when previous knowledge is available, to use an arithmetic mean with appropriate transformer. (C) 2014 Elsevier B.V. All rights reserved.

关键词： Software clone Clone detection Semantic clone Software metric binary code analysis

来源：评论

学校读者我要写书评

暂无评论

建议与咨询留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

时间限定

文献类型

馆藏选择

核心期刊

语言

文献类型

帮助

文字说明：

检索规则说明：

检索范例：

分类表

所选分类

限定检索结果

文献类型

馆藏范围

日期分布

学科分类号

主题

机构

作者

语言

请选择保存的检索档案：

请选择收藏分类：

通借通还

建议与咨询 留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

时间限定

文献类型

馆藏选择

核心期刊

语言

文献类型

帮助

文字说明：

检索规则说明：

检索范例：

分类表

所选分类

限定检索结果

文献类型

馆藏范围

日期分布

学科分类号

主题

机构

作者

语言

请选择保存的检索档案： 新增检索档案 确定 取消

请选择收藏分类： 新增自定义分类 确定 取消

通借通还

建议与咨询留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

请选择保存的检索档案：

请选择收藏分类：