Revisiting Binary Code Similarity Analysis using Interpretable Feature Engineering and Lessons Learned

TL;DR

This paper systematically studies basic features in binary code similarity analysis using interpretable models, revealing that simple features can match deep learning approaches and emphasizing the importance of binary compilation and analysis tools.

Contribution

It provides the first systematic analysis of interpretable features in BCSA, sharing source code and benchmarks to facilitate future research.

Findings

Simple interpretable models can match deep learning performance

Binary compilation and analysis tools significantly impact BCSA results

Public release of source code and benchmarks to support reproducibility

Abstract

Binary code similarity analysis (BCSA) is widely used for diverse security applications, including plagiarism detection, software license violation detection, and vulnerability discovery. Despite the surging research interest in BCSA, it is significantly challenging to perform new research in this field for several reasons. First, most existing approaches focus only on the end results, namely, increasing the success rate of BCSA, by adopting uninterpretable machine learning. Moreover, they utilize their own benchmark, sharing neither the source code nor the entire dataset. Finally, researchers often use different terminologies or even use the same technique without citing the previous literature properly, which makes it difficult to reproduce or extend previous work. To address these problems, we take a step back from the mainstream and contemplate fundamental research questions for BCSA. Why does a certain technique or a certain feature show better results than the others? Specifically, we conduct the first systematic study on the basic features used in BCSA by leveraging interpretable feature engineering on a large-scale benchmark. Our study reveals various useful insights on BCSA. For example, we show that a simple interpretable model with a few basic features can achieve a comparable result to that of recent deep learning-based approaches. Furthermore, we show that the way we compile binaries or the correctness of underlying binary analysis tools can significantly affect the performance of BCSA. Lastly, we make all our source code and benchmark public and suggest future directions in this field to help further research.