Zhenhao Luo (College of Computer, National University of Defense Technology), Pengfei Wang (College of Computer, National University of Defense Technology), Baosheng Wang (College of Computer, National University of Defense Technology), Yong Tang (College of Computer, National University of Defense Technology), Wei Xie (College of Computer, National University of Defense Technology), Xu Zhou (College of Computer,…

Code reuse is widespread in software development. It brings a heavy spread of vulnerabilities, threatening software security. Unfortunately, with the development and deployment of the Internet of Things (IoT), the harms of code reuse are magnified. Binary code search is a viable way to find these hidden vulnerabilities. Facing IoT firmware images compiled by different compilers with different optimization levels from different architectures, the existing methods are hard to fit these complex scenarios. In this paper, we propose a novel intermediate representation function model, which is an architecture-agnostic model for cross-architecture binary code search. It lifts binary code into microcode and preserves the main semantics of binary functions via complementing implicit operands and pruning redundant instructions. Then, we use natural language processing techniques and graph convolutional networks to generate function embeddings. We call the combination of a compiler, architecture, and optimization level as a file environment, and take a divide-and-conquer strategy to divide a similarity calculation problem of $C_N^2$ cross-file-environment scenarios into N-1 embedding transferring sub-problems. We propose an entropy-based adapter to transfer function embeddings from different file environments into the same file environment to alleviate the differences caused by various file environments. To precisely identify vulnerable functions, we propose a progressive search strategy to supplement function embeddings with fine-grained features to reduce false positives caused by patched functions. We implement a prototype named VulHawk and conduct experiments under seven different tasks to evaluate its performance and robustness. The experiments show VulHawk outperforms Asm2Vec, Asteria, BinDiff, GMN, PalmTree, SAFE, and Trex.

View More Papers

Detection and Resolution of Control Decision Anomalies

Prof. Kang Shin (Kevin and Nancy O'Connor Professor of Computer Science, and the Founding Director of the Real-Time Computing Laboratory (RTCL) in the Electrical Engineering and Computer Science Department at the University of Michigan)

Read More

Death By A Thousand COTS: Disrupting Satellite Communications using...

Frederick Rawlins, Richard Baker and Ivan Martinovic (University of Oxford) Presenter: Frederick Rawlins

Read More

Access Your Tesla without Your Awareness: Compromising Keyless Entry...

Xinyi Xie (Shanghai Fudan Microelectronics Group Co., Ltd.), Kun Jiang (Shanghai Fudan Microelectronics Group Co., Ltd.), Rui Dai (Shanghai Fudan Microelectronics Group Co., Ltd.), Jun Lu (Shanghai Fudan Microelectronics Group Co., Ltd.), Lihui Wang (Shanghai Fudan Microelectronics Group Co., Ltd.), Qing Li (State Key Laboratory of ASIC & System, Fudan University), Jun Yu (State Key…

Read More

An Exploratory study of Malicious Link Posting on Social...

Muhammad Hassan, Mahnoor Jameel, Masooda Bashir (University of Illinois at Urbana Champaign)

Read More