Comparing One with Many -- Solving Binary2source Function Matching Under Function Inlining

TL;DR

This paper introduces O2NMatcher, a novel method for binary2source function matching that accounts for function inlining by generating source function sets, improving matching accuracy over existing 1-to-1 approaches.

Contribution

The paper proposes a new approach to handle inlined functions in binary2source matching by predicting inlined call sites and constructing source function sets, surpassing state-of-the-art methods.

Findings

Increases matching performance by 6% over existing methods.

Effectively predicts inlined call sites in uncompilable projects.

Outperforms all current state-of-the-art binary2source matching techniques.

Abstract

Binary2source function matching is a fundamental task for many security applications, including Software Component Analysis (SCA). The "1-to-1" mechanism has been applied in existing binary2source matching works, in which one binary function is matched against one source function. However, we discovered that such mapping could be "1-to-n" (one query binary function maps multiple source functions), due to the existence of function inlining. To help conduct binary2source function matching under function inlining, we propose a method named O2NMatcher to generate Source Function Sets (SFSs) as the matching target for binary functions with inlining. We first propose a model named ECOCCJ48 for inlined call site prediction. To train this model, we leverage the compilable OSS to generate a dataset with labeled call sites (inlined or not), extract several features from the call sites, and design a compiler-opt-based multi-label classifier by inspecting the inlining correlations between different compilations. Then, we use this model to predict the labels of call sites in the uncompilable OSS projects without compilation and obtain the labeled function call graphs of these projects. Next, we regard the construction of SFSs as a sub-tree generation problem and design root node selection and edge extension rules to construct SFSs automatically. Finally, these SFSs will be added to the corpus of source functions and compared with binary functions with inlining. We conduct several experiments to evaluate the effectiveness of O2NMatcher and results show our method increases the performance of existing works by 6% and exceeds all the state-of-the-art works.