Fine-Grained 1-Day Vulnerability Detection in Binaries via Patch Code Localization
Chaopeng Dong, Jingdong Guo, Shouguo Yang, Yang Xiao, Yi Li, Hong Li, Zhi Li, Limin Sun

TL;DR
This paper introduces PLocator, a novel method for accurately locating patch code in binaries to detect 1-day vulnerabilities, overcoming challenges posed by compiler variations and code similarities.
Contribution
The paper presents PLocator, a new approach leveraging stable control flow graph values to improve patch code localization in binaries for vulnerability detection.
Findings
Achieves 88.2% true positive rate with 12.9% false positive rate.
Outperforms state-of-the-art methods by 26.7% in TPR and 63.5% in FPR.
Effective across different compilers and optimization levels.
Abstract
1-day vulnerabilities in binaries have become a major threat to software security. Patch presence test is one of the effective ways to detect the vulnerability. However, existing patch presence test works do not perform well in practical scenarios due to the interference from the various compilers and optimizations, patch-similar code blocks, and irrelevant functions in stripped binaries. In this paper, we propose a novel approach named PLocator, which leverages stable values from both the patch code and its context, extracted from the control flow graph, to accurately locate the real patch code in the target function, offering a practical solution for real-world vulnerability detection scenarios. To evaluate the effectiveness of PLocator, we collected 73 CVEs and constructed two comprehensive datasets ( and ), comprising 1,090 and 27,250 test cases at…
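The abstract's central idea is that the real patch block can be told apart from look-alike blocks by the stable values it carries (immediates, string references) together with the stable values of its neighbours in the control flow graph. The following Python block is an added illustration of that idea, not PLocator's code: it hand-builds three small CFGs (a patched reference, a patched target with a patch-similar block, and an unpatched target that still contains that look-alike), scores each candidate block by its own values and by its predecessor/successor values, and shows that matching on block values alone produces a false positive while the context-aware score does not. The CFGs, constants, weights and threshold are all constructed for this example.

```python
"""Toy patch-presence test driven by stable values plus CFG context.

Added illustration, not PLocator's implementation.  A block is described by
the stable values it carries (immediates, string references) and a candidate
in the target function is scored against the patch block on its own values
and on the values of its CFG neighbours.  Every CFG, constant, weight and
threshold below is constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Block:
    """A basic block: its stable values and the names of its successor blocks."""
    name: str
    values: frozenset
    succs: tuple = ()


def cfg(*blocks):
    return {b.name: b for b in blocks}


def preds(g, name):
    return [b.name for b in g.values() if name in b.succs]


def jaccard(a, b):
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def signature(g, name):
    """(own values, union of predecessor values, union of successor values)."""
    b = g[name]
    pred_vals = frozenset().union(*(g[p].values for p in preds(g, name)))
    succ_vals = frozenset().union(*(g[s].values for s in b.succs))
    return b.values, pred_vals, succ_vals


def score(ref, cand, w_self, w_ctx):
    """Weighted similarity of the block itself and of its CFG context."""
    s_self = jaccard(ref[0], cand[0])
    s_ctx = (jaccard(ref[1], cand[1]) + jaccard(ref[2], cand[2])) / 2
    return w_self * s_self + w_ctx * s_ctx


def locate_patch(ref_cfg, patch_block, target_cfg, threshold=0.8, w_ctx=0.5):
    """Return (block, score) for the best candidate in target_cfg, or
    (None, score) when no candidate clears the threshold.
    w_ctx=0 degrades to matching on the block's own values only."""
    ref = signature(ref_cfg, patch_block)
    scored = {n: score(ref, signature(target_cfg, n), 1 - w_ctx, w_ctx)
              for n in target_cfg}
    best = max(scored, key=scored.get)
    hit = best if scored[best] >= threshold else None
    return hit, scored[best]


# Constructed reference: the patched function.  The patch inserted "check",
# a length bound that jumps to an error block carrying an errno constant.
REF_CFG = cfg(
    Block("entry", frozenset({"read", 0x40}), ("check",)),
    Block("check", frozenset({0x7FFF, "too large"}), ("err", "body")),
    Block("err", frozenset({-22}), ("ret",)),
    Block("body", frozenset({0x10}), ("ret",)),
    Block("ret", frozenset({0})),
)

# Constructed target built with another compiler: blocks renamed, and a
# patch-similar block "t5" deeper in the function reuses the same constant
# and string (the interference the abstract describes).
TARGET_PATCHED = cfg(
    Block("t0", frozenset({"read", 0x40}), ("t1",)),
    Block("t1", frozenset({0x7FFF, "too large"}), ("t2", "t3")),
    Block("t2", frozenset({-22}), ("t4",)),
    Block("t3", frozenset({0x10}), ("t5",)),
    Block("t5", frozenset({0x7FFF, "too large"}), ("t4",)),
    Block("t4", frozenset({0})),
)

# Same binary without the patch: the bound check is gone, but the
# patch-similar block is still present.
TARGET_UNPATCHED = cfg(
    Block("u0", frozenset({"read", 0x40}), ("u3",)),
    Block("u3", frozenset({0x10}), ("u5",)),
    Block("u5", frozenset({0x7FFF, "too large"}), ("u4",)),
    Block("u4", frozenset({0})),
)


if __name__ == "__main__":
    print("patched, with context:   ", locate_patch(REF_CFG, "check", TARGET_PATCHED))
    print("unpatched, with context: ", locate_patch(REF_CFG, "check", TARGET_UNPATCHED))
    print("unpatched, values only:  ", locate_patch(REF_CFG, "check", TARGET_UNPATCHED, w_ctx=0))
```

With context weighting the patched target resolves to `t1` at full score and the unpatched target yields no hit, because `u5` carries the right values but sits between the wrong neighbours; with `w_ctx=0` the same `u5` is reported as the patch, which is exactly the patch-similar-block false positive the abstract attributes to existing approaches. In a real pipeline the value sets would come from disassembly (immediates, string and data references, call targets) after normalising compiler-specific artefacts, and the weights and threshold would be tuned on a labelled corpus rather than chosen by hand as here.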
Taxonomy
Topics: Software Testing and Debugging Techniques · Advanced Neural Network Applications · Network Packet Processing and Optimization
