VulMatch: Binary-level Vulnerability Detection Through Signature

TL;DR

VulMatch is a binary-level vulnerability detection method that extracts precise vulnerability signatures from binary code, outperforming existing tools and providing explainable results, applicable to real-world software and firmware.

Contribution

VulMatch introduces a novel approach to detect vulnerabilities by extracting binary signatures with source code support, improving accuracy and explainability over prior methods.

Findings

VulMatch significantly outperforms baseline tools Asm2vec and Palmtree.

It detects fine-grained vulnerabilities that other tools struggle with.

VulMatch successfully finds vulnerabilities in real-world firmware scenarios.

Abstract

Similar vulnerability repeats in real-world software products because of code reuse, especially in wildly reused third-party code and libraries. Detecting repeating vulnerabilities like 1-day and N-day vulnerabilities is an important cyber security task. Unfortunately, the state-of-the-art methods suffer from poor performance because they detect patch existence instead of vulnerability existence and infer the vulnerability signature directly from binary code. In this paper, we propose VulMatch to extract precise vulnerability-related binary instructions to generate the vulnerability-related signature. VulMatch detects vulnerability existence based on binary signatures. Unlike previous approaches, VulMatch accurately locates vulnerability-related instructions by utilizing source and binary codes. Our experiments were conducted using over 1000 vulnerable instances across seven open-source projects. VulMatch significantly outperformed the baseline tools Asm2vec and Palmtree. Besides the performance advantages over the baseline tools, VulMatch offers a better feature by providing explainable reasons during vulnerability detection. Our empirical studies demonstrate that VulMatch detects fine-grained vulnerability that the state-of-the-art tools struggle with. Our experiment on commercial firmware demonstrates VulMatch is able to find vulnerabilities in real-world scenario.