Cross-Inlining Binary Function Similarity Detection

TL;DR

This paper introduces CI-Detector, a pattern-based model that effectively detects cross-inlining binary function similarities by leveraging attributed CFGs and GNNs, outperforming existing methods in precision and recall.

Contribution

The paper systematically investigates cross-inlining function similarity detection and proposes a novel pattern-based GNN model, CI-Detector, for improved accuracy.

Findings

Achieved 81% precision and 97% recall in detecting cross-inlining pairs.

Constructed a comprehensive cross-inlining dataset with 216 configurations.

Identified three common cross-inlining patterns that challenge existing detection methods.

Abstract

Binary function similarity detection plays an important role in a wide range of security applications. Existing works usually assume that the query function and target function share equal semantics and compare their full semantics to obtain the similarity. However, we find that the function mapping is more complex, especially when function inlining happens. In this paper, we will systematically investigate cross-inlining binary function similarity detection. We first construct a cross-inlining dataset by compiling 51 projects using 9 compilers, with 4 optimizations, to 6 architectures, with 2 inlining flags, which results in two datasets both with 216 combinations. Then we construct the cross-inlining function mappings by linking the common source functions in these two datasets. Through analysis of this dataset, we find that three cross-inlining patterns widely exist while existing work suffers when detecting cross-inlining binary function similarity. Next, we propose a pattern-based model named CI-Detector for cross-inlining matching. CI-Detector uses the attributed CFG to represent the semantics of binary functions and GNN to embed binary functions into vectors. CI-Detector respectively trains a model for these three cross-inlining patterns. Finally, the testing pairs are input to these three models and all the produced similarities are aggregated to produce the final similarity. We conduct several experiments to evaluate CI-Detector. Results show that CI-Detector can detect cross-inlining pairs with a precision of 81% and a recall of 97%, which exceeds all state-of-the-art works.