Black-box Attacks Against Neural Binary Function Detection

TL;DR

This paper reveals vulnerabilities in neural binary function detection models, demonstrating that they are susceptible to both inadvertent and deliberate adversarial attacks, especially due to their focus on syntactic features.

Contribution

The paper introduces a scalable black-box attack methodology exposing the fragility of current neural binary analysis models like XDA and DeepDi.

Findings

Current neural binary analysis models are vulnerable to adversarial attacks.

Inadvertent instruction sequences can cause misclassifications.

Adversarial attacks can be exploited to deceive neural function boundary detectors.

Abstract

Binary analyses based on deep neural networks (DNNs), or neural binary analyses (NBAs), have become a hotly researched topic in recent years. DNNs have been wildly successful at pushing the performance and accuracy envelopes in the natural language and image processing domains. Thus, DNNs are highly promising for solving binary analysis problems that are typically hard due to a lack of complete information resulting from the lossy compilation process. Despite this promise, it is unclear that the prevailing strategy of repurposing embeddings and model architectures originally developed for other problem domains is sound given the adversarial contexts under which binary analysis often operates. In this paper, we empirically demonstrate that the current state of the art in neural function boundary detection is vulnerable to both inadvertent and deliberate adversarial attacks. We proceed from the insight that current generation NBAs are built upon embeddings and model architectures intended to solve syntactic problems. We devise a simple, reproducible, and scalable black-box methodology for exploring the space of inadvertent attacks - instruction sequences that could be emitted by common compiler toolchains and configurations - that exploits this syntactic design focus. We then show that these inadvertent misclassifications can be exploited by an attacker, serving as the basis for a highly effective black-box adversarial example generation process. We evaluate this methodology against two state-of-the-art neural function boundary detectors: XDA and DeepDi. We conclude with an analysis of the evaluation data and recommendations for how future research might avoid succumbing to similar attacks.