Semantic Learning and Emulation Based Cross-platform Binary Vulnerability Seeker

TL;DR

BinSeeker is a novel cross-platform binary vulnerability seeker that combines semantic learning and emulation to accurately identify vulnerable functions with high speed, outperforming existing tools in accuracy and efficiency.

Contribution

This paper introduces BinSeeker, a new approach integrating semantic learning and emulation for precise binary vulnerability detection across platforms.

Findings

Achieves higher MRR (0.65) than state-of-the-art tools.

Attains 93.33% top-5 accuracy in vulnerability ranking.

Operates with an average detection time of 0.27 seconds.

Abstract

Clone detection is widely exploited for software vulnerability search. The approaches based on source code analysis cannot be applied to binary clone detection because the same source code can produce significantly different binaries. In this paper, we present BinSeeker, a cross-platform binary seeker that integrates semantic learning and emulation. With the help of the labeled semantic flow graph, BinSeeker can quickly identify M candidate functions that are most similar to the vulnerability from the target binary. The value of M is relatively large so this semantic learning procedure essentially eliminates those functions that are very unlikely to have the vulnerability. Then, semantic emulation is conducted on these M candidates to obtain their dynamic signature sequences. By comparing signature sequences, BinSeeker produces top-N functions that exhibit most similar behavior to that of the vulnerability. With fast filtering of semantic learning and accurate comparison of semantic emulation, BinSeeker seeks vulnerability precisely with little overhead. The experiments on six widely used programs with fifteen known CVE vulnerabilities demonstrate that BinSeeker outperforms three state-of-the-art tools Genius, Gemini and CACompare. Regarding search accuracy, BinSeeker achieves an MRR value of 0.65 in the target programs, whereas the MRR values by Genius, Gemini and CACompare are 0.17, 0.07 and 0.42, respectively. If we consider ranking a function with the targeted vulnerability in the top-5 as accurate, BinSeeker achieves the accuracy of 93.33 percent, while the accuracy of the other three tools is merely 33.33, 13.33 and 53.33 percent, respectively. Such accuracy is achieved with 0.27s on average to determine whether the target binary function contains a known vulnerability, and the time for the other three tools are 1.57s, 0.15s and 0.98s, respectively.