When Coding Style Survives Compilation: De-anonymizing Programmers from Executable Binaries

TL;DR

This paper demonstrates that machine learning techniques can effectively de-anonymize programmers from executable binaries, even after obfuscation and stripping, raising privacy concerns for developers.

Contribution

It introduces a novel approach combining decompilation and stylistic features for binary authorship attribution, achieving high accuracy and robustness against obfuscation.

Findings

Achieved up to 96% attribution accuracy on Google Code Jam data.

Robust to obfuscation, compiler optimizations, and stripped binaries.

Effective on real-world code from GitHub and hacker forums.

Abstract

The ability to identify authors of computer programs based on their coding style is a direct threat to the privacy and anonymity of programmers. While recent work found that source code can be attributed to authors with high accuracy, attribution of executable binaries appears to be much more difficult. Many distinguishing features present in source code, e.g. variable names, are removed in the compilation process, and compiler optimization may alter the structure of a program, further obscuring features that are known to be useful in determining authorship. We examine programmer de-anonymization from the standpoint of machine learning, using a novel set of features that include ones obtained by decompiling the executable binary to source code. We adapt a powerful set of techniques from the domain of source code authorship attribution along with stylistic representations embedded in assembly, resulting in successful de-anonymization of a large set of programmers. We evaluate our approach on data from the Google Code Jam, obtaining attribution accuracy of up to 96% with 100 and 83% with 600 candidate programmers. We present an executable binary authorship attribution approach, for the first time, that is robust to basic obfuscations, a range of compiler optimization settings, and binaries that have been stripped of their symbol tables. We perform programmer de-anonymization using both obfuscated binaries, and real-world code found "in the wild" in single-author GitHub repositories and the recently leaked Nulled.IO hacker forum. We show that programmers who would like to remain anonymous need to take extreme countermeasures to protect their privacy.