deepbindiff learning program wide code representations
play

DeepBinDiff : Learning Program-Wide Code Representations for Binary - PowerPoint PPT Presentation

Aug 29, 2022 •227 likes •507 views

DeepBinDiff : Learning Program-Wide Code Representations for Binary Diffing Yue Duan, Xuezixiang Li, Jinghan Wang, and Heng Yin 1 Motivation Binary Code Differential Analysis quantitatively measure the similarity between two given

  1. DeepBinDiff : Learning Program-Wide Code Representations for Binary Diffing Yue Duan, Xuezixiang Li, Jinghan Wang, and Heng Yin 1

  2. Motivation Binary Code Differential Analysis ● quantitatively measure the similarity between two given binaries ● produce the fine-grained basic block level matching

  3. Motivation vulnerability analysis [ICSE’17] exploit generation plagiarism detection[FSE’14] [NDSS’11]

  4. Existing Techniques Static Approaches: Dynamic Approaches: Bindiff, Binslayer [PPREW’13], Tracelet iBinHunt [ISC’12] [PLDI’14], CoP [ASE’14], Pewny et.al. [SP’15], Blanket Execution [USENIX SEC’14] discovRE [NDSS’16], Esh [PLDI’16] BinSim [USENIX SEC’17] Slow runtime performance Inaccurate matching Poor code coverage

  5. Existing Techniques Learning-based Approaches: ● Genius [CCS’16] ○ traditional machine learning ○ function matching ● Gemini [CCS’17] ○ deep learning based approach ○ manually crafted features ○ function matching ● InnerEye [NDSS’19] ○ basic block comparison ○ instruction semantics by NLP ● Asm2vec [SP’19] ○ token and function semantic info by NLP ○ function matching

  6. Existing Techniques Limitations of Learning-based Approaches: ● No efficient binary diffing at basic block level ○ InnerEye takes 0.6ms to compare one pair of basic blocks ○ millions of basic block comparisons for binary diffing ● No program-wide dependency information ○ what if the two binaries contain multiple similar basic blocks ● Heavily rely on labeled training data ○ extreme diversity of binaries ○ overfitting problem

  7. Problem Definition Given two binaries p1 = (B1, E1) and p2 = (B2, E2), find the optimal basic block matching that maximizes:

  8. Problem Definition ● Our goal: Solve the binary diffing problem a. sim(mi) : leveraging both the token (opcode and operand) semantics and program-wide contextual info to calculate similarity b. M(p1,p2) : efficient basic block matching ● Assumptions ○ only stripped binaries ○ compiler optimization techniques applied ○ same architecture

  9. Our solution: DeepBinDiff program-wide contextual info learning Complete unsupervised learning approach semantic info learning efficient matching M calculate sim(mi)

  10. Learning Token Semantics ● Token semantic info ○ each instruction: opcode + potentially multiple operands ○ represented as token embeddings, learned by leveraging NLP technique ○ aggregated to generate feature vector for each basic block embedding for opcode TF-IDF model embeddings for operands

  11. Learning Token Semantics embedding for opcode cmp: [0.03, 0.16, 1.92, …] * embeddings for normalized operands 0.33 im: [0.62, -0.125, 0.76, …] TF-IDF model reg1: [1.5, 1.6, -0.92 …] || [2.12, 1.475, -0.16, …] weighted embedding [0.01, 0.0528, 0.63, …] embedding for instruction [0.01, 0.0528, 0.63, …2.12, 1.475, -0.16]

  12. Learning Semantics Info aggregation

  13. Learning Program-wide Contextual Info ● Program-wide contextual info ○ useful for differentiating similar basic blocks in different contexts ○ learned from inter-procedural CFG ○ leverage Text-associated DeepWalk algorithm (TADW) if str == ‘hello’ do if str == ‘hello’ do Basic Block A Basic Block B Basic Block A’ Basic Block B’

  14. Learning Program-wide Contextual Info ● Now that we have two ICFGs ○ merge two ICFGs into one ○ learning algorithm runs only once ○ embeddings can be comparable ○ boost the similarity ○ graph structure stays unchanged

  15. Learning Program-wide Contextual Info feature vector 0.053, 0.16, 0.032 … 0.12, 0.44, -0.009 … 0.411, -0.2206, 0.4 … 0.55, 0.656, 0.33 … 0.055, 0.004, -0.07 … TADW 0.07, -0.314, 0.305 … 0.335, -0.93, 0.1189 … algorithm -1.8e-06, 0.092, 0.06 ... 1 a basic block embeddings b 2 c d 3 ● contain both semantic info and contextual info merged graph ● used to calculate basic block similarity ● solve sim(mi)

  16. Code Diffing: k -hop greedy matching ● Goal: Given two input binaries p1 and p2, find optimal matching M(p1,p2) . Initially, matching_set = {(a, 1)} find k -hop neighbors of a matching pair ● ref: ‘hello’ ref: ‘hello’ ○ 1hn(a) = {b,c} a 1 ○ 1hn(1) = {2,3} ● use basic block embeddings to calculate similarities among 1hn(a) and 1hn(1) b c 2 find most similar pair (must be above a threshold), ● put it into matching_set ● run the process iteratively d 3 ● use linear assignment algorithm for unmatched ones

  17. Evaluation ● Dataset ○ C binaries: Coreutils, Diffutils, Findutils ■ Multiple versions (5 for Coreutils, 4 for Diffutils, and 3 for Findutils) ■ 4 different compiler optimization levels (O0, O1, O2 and O3) ■ ○ C++ binaries: 2 popular open-source projects (10 binaries) ■ contain plenty of virtual functions ■ 3 versions for each project, compile with default optimization levels ■ ○ Case study 2 real-world vulnerabilities in OpenSSL ■ ● The most comprehensive evaluation for cross-version and cross-optimization-level binary diffing.

  18. Evaluation ● Baseline techniques ○ De-facto commercial tool BinDiff ■ ○ State-of-the-art techniques Asm2Vec + k -hop ■ InnerEye + k -hop ■ ● only used to evaluate a subset of binaries ○ Our tool without contextual info DeepBinDiff-ctx ■

  19. Evaluation - Cross-version diffing ● Outperform the de facto commercial tool by 23% and 7% in recall and precision ● Outperform state-of-the-art technique by 11% and 22% in recall and precision ● Contextual info is proven to be very useful

  20. Evaluation - Cross-version diffing

  21. Evaluation - Cross-optimization level diffing ● Outperform the de facto commercial tool by 28% and 5% in recall and precision ● Outperform state-of-the-art technique by 18% and 19% in recall and precision

  22. Evaluation - Cross-optimization level diffing

  23. Evaluation - Case study handle function inlining

  24. Evaluation - Case study handle basic block insertion/deletion

  25. Discussion - Compiler Optimizations ● Instruction scheduling ○ choose not to use sequential info ● Instruction replacement ○ NLP technique to distill semantic info ● block reordering ○ treat ICFG as undirected graph when matching ● function inlining ○ generate random walks across function boundaries ○ avoid function level matching ○ k-hop matching is done upon ICFG rather than CFG ● register allocation ○ register name normalization

  26. Summary ● A novel unsupervised program-wide code representation learning technique ● k -hop greedy matching algorithm for efficient matching ● Comprehensive evaluation against state-of-the-art techniques and the de facto commercial tool

  27. Summary Open source project: https://github.com/deepbindiff/DeepBinDiff THANK YOU!

Recommend

LEARNING REPRESENTATIONS OF SOURCE CODE FROM STRUCTURE & CONTEXT by Dylan Bourgeois

LEARNING REPRESENTATIONS OF SOURCE CODE FROM STRUCTURE & CONTEXT by Dylan Bourgeois

M.Sc. Thesis Defense 08.04.2019 LEARNING REPRESENTATIONS OF SOURCE CODE FROM STRUCTURE & CONTEXT by Dylan Bourgeois Supervised by Pr. Pierre Vandergheynst Michal Defferrard Pr. Jure Leskovec Dr. Michele Catasta 1 Introduction 2 Code:

786 views • 78 slides
Residential Energy Code Support Impact Jeffrey Friedrich Program Manager Residential Energy Code

Residential Energy Code Support Impact Jeffrey Friedrich Program Manager Residential Energy Code

Residential Energy Code Support Impact Jeffrey Friedrich Program Manager Residential Energy Code Support Program Overview of Program Code Compliance Does not seek to change codes Missouri has no state-wide energy code

431 views • 25 slides
Compiler Construction Lecture 12: Intermediate representations and three-address code

Compiler Construction Lecture 12: Intermediate representations and three-address code

Compiler Construction Lecture 12: Intermediate representations and three-address code 2020-02-18 Michael Engel Overview Intro to Intermediate representations Classification of IRs Graphical IRs: from parse tree to AST

982 views • 26 slides
Learning and Evaluating Contextual Embedding of Source Code Aditya Kanade 1 2 , Petros Maniatis 2

Learning and Evaluating Contextual Embedding of Source Code Aditya Kanade 1 2 , Petros Maniatis 2

Learning and Evaluating Contextual Embedding of Source Code Aditya Kanade 1 2 , Petros Maniatis 2 , Gogul Balakrishnan 2 , Kensen Shi 2 1 Indian Institute of Science 2 Google Brain General-Purpose Representations of Source Code Success of

252 views • 14 slides
6. Graphics MULTIMEDIA & GRAPHICS Graphics covers wide range of pictorial representations.

6. Graphics MULTIMEDIA & GRAPHICS Graphics covers wide range of pictorial representations.

10/12/2016 CHAPTER 6. Graphics MULTIMEDIA & GRAPHICS Graphics covers wide range of pictorial representations. Uses for computer graphics include: U f t hi i l d Buttons Charts Diagrams Animated images g 2 1

470 views • 20 slides
Deep Learning over Big Code for Program Analysis and Synthesis Swarat Chaudhuri, Vijay

Deep Learning over Big Code for Program Analysis and Synthesis Swarat Chaudhuri, Vijay

Deep Learning over Big Code for Program Analysis and Synthesis Swarat Chaudhuri, Vijay Murali, Chris Jermaine Programming is hard Program synthesis, debugging, verification, repair Can we automate these processes? Decades of prior

1.59k views • 143 slides
Concepts Introduced in Chapter 6 types of intermediate code representations translation of

Concepts Introduced in Chapter 6 types of intermediate code representations translation of

Concepts Introduced in Chapter 6 types of intermediate code representations translation of declarations arithmetic expressions boolean expressions flow-of-control statements backpatching 1 EECS 665 Compiler Construction

420 views • 40 slides
Concepts Introduced in Chapter 6 types of intermediate code representations translation of

Concepts Introduced in Chapter 6 types of intermediate code representations translation of

Concepts Introduced in Chapter 6 types of intermediate code representations translation of declarations arithmetic expressions boolean expressions flow-of-control statements backpatching 1 EECS 665 Compiler Construction

637 views • 48 slides
I-tutorial Learning of Invariant Representations in Sensory Cortex tomaso poggio CBMM McGovern

I-tutorial Learning of Invariant Representations in Sensory Cortex tomaso poggio CBMM McGovern

The Center for Brains, Minds and Machines I-tutorial Learning of Invariant Representations in Sensory Cortex tomaso poggio CBMM McGovern Institute, BCS, LCSL, CSAIL MIT I-theory Learning of Invariant Representations in Sensory Cortex

518 views • 40 slides
I-tutorial Learning of Invariant Representations in Sensory Cortex tomaso poggio CBMM McGovern

I-tutorial Learning of Invariant Representations in Sensory Cortex tomaso poggio CBMM McGovern

The Center for Brains, Minds and Machines I-tutorial Learning of Invariant Representations in Sensory Cortex tomaso poggio CBMM McGovern Institute, BCS, LCSL, CSAIL MIT I-theory Learning of Invariant Representations in Sensory Cortex

537 views • 50 slides
Lorentzian Distance Learning for Hyperbolic Representations Marc Law, Renjie Liao , Jake Snell,

Lorentzian Distance Learning for Hyperbolic Representations Marc Law, Renjie Liao , Jake Snell,

Lorentzian Distance Learning for Hyperbolic Representations Marc Law, Renjie Liao , Jake Snell, Richard Zemel June 13, 2019 University of Toronto, Vector Institute 1 Introduction: Hyperbolic Representations Manifolds with constant curvature:

968 views • 13 slides
Finding Latent Code Errors via Machine Learning over Program Executions Yuriy Brun Michael D.

Finding Latent Code Errors via Machine Learning over Program Executions Yuriy Brun Michael D.

Finding Latent Code Errors via Machine Learning over Program Executions Yuriy Brun Michael D. Ernst University of Southern Massachusetts Institute California of Technology Bubble Sort // Return a sorted copy of the argument double[]

390 views • 38 slides
Learning text representations from character-level data Grzegorz Chrupa la Department of

Learning text representations from character-level data Grzegorz Chrupa la Department of

Learning text representations from character-level data Grzegorz Chrupa la Department of Communication and Information Sciences Tilburg University CLIN 2013 Chrupa la (UvT) Text representations CLIN 2013 1 / 19 Text representations

221 views • 19 slides
Glenn County County-wide Energy Project A potential county-wide program for the application of

Glenn County County-wide Energy Project A potential county-wide program for the application of

Glenn County County-wide Energy Project A potential county-wide program for the application of solar energy as a power source and critical infrastructure upgrades of equipment to reduce energy usage and maintenance costs. August 1, 2017 830

893 views • 9 slides
Learning with Partially Ordered Representations Jonathan Rawski Department of Linguistics IACS

Learning with Partially Ordered Representations Jonathan Rawski Department of Linguistics IACS

Learning with Partially Ordered Representations Jonathan Rawski Department of Linguistics IACS Research Award Presentation August 11, 2018 The Main Idea Learning is eased when attributes of elements of sequences structure the space of

537 views • 29 slides
Code Games Or How I Learned to Stop Worrying and Love to Code Jacob Wilkins Topics Learning New

Code Games Or How I Learned to Stop Worrying and Love to Code Jacob Wilkins Topics Learning New

Code Games Or How I Learned to Stop Worrying and Love to Code Jacob Wilkins Topics Learning New Languages Esolangs Code Puzzles Code Golf Actual Computer Games Code Games | May 2017 | 2/19 New Languages Learning a new programming language

560 views • 19 slides
Unsupervised Le Learning of Video Representations using LS LSTMs Srivastava et al. University

Unsupervised Le Learning of Video Representations using LS LSTMs Srivastava et al. University

Unsupervised Le Learning of Video Representations using LS LSTMs Srivastava et al. University of Toronto Presented by Shyam Tailor The Overall Idea Take a sequence of images and encode into a fixed size latent representation Decode

210 views • 20 slides
Strategic Oil & Gas Ltd. Site Wide Monitoring Program Cameron Hills, NWT Presented: February

Strategic Oil & Gas Ltd. Site Wide Monitoring Program Cameron Hills, NWT Presented: February

Strategic Oil & Gas Ltd. Site Wide Monitoring Program Cameron Hills, NWT Presented: February 20, 2019 Agenda Overview of Strategics Desired Outcomes for Technical Session Orientation to Site Wide Monitoring Program (SWMP)

377 views • 11 slides
presentation The +|- Code School program 1) GENERAL PRESENTATION Global definition of The +|-

presentation The +|- Code School program 1) GENERAL PRESENTATION Global definition of The +|-

presentation The +|- Code School program 1) GENERAL PRESENTATION Global definition of The +|- Code Program Conception of The +|- Code Program The +|- Code Program from its origin to 2018 2) EMOTIONAL INTELLIGENCE Definition

765 views • 31 slides
Learning Graph Representations for Video Understanding Xiaolong Wang Carnegie Mellon University

Learning Graph Representations for Video Understanding Xiaolong Wang Carnegie Mellon University

Learning Graph Representations for Video Understanding Xiaolong Wang Carnegie Mellon University Computer Vision Dog He et al. Mask R-CNN. ICCV 2017. Gler et al. DensePose: Dense Human Pose Estimation In The Wild. CVPR 2018. Deep Learning

941 views • 64 slides
Graphs and their representations After this lesson, you should be able to define the

Graphs and their representations After this lesson, you should be able to define the

Review Re A E C F B D Graphs and their representations After this lesson, you should be able to define the major terminology relating to graphs implement a graph in code, using various conventions https :// www.google.com /

567 views • 22 slides
Neural Networks Representations Fall 2017 Learning in the net Problem: Given a collection of

Neural Networks Representations Fall 2017 Learning in the net Problem: Given a collection of

Neural Networks Representations Fall 2017 Learning in the net Problem: Given a collection of input-output pairs, learn the function Learning for classification x 2 x 1 When the net must learn to classify.. Learning for classification x

960 views • 91 slides
Program Generation Workflow C**program compiler assembly*code nd* library*object*code

Program Generation Workflow C**program compiler assembly*code nd* library*object*code

Program Generation Workflow C**program compiler assembly*code nd* library*object*code assembler de. . object*code on* linker bels* executable *how* Sean Barker 1 Linking Schematic Executable*file Object*file main:*****

390 views • 4 slides
CS7015 (Deep Learning) : Lecture 10 Learning Vectorial Representations Of Words Mitesh M. Khapra

CS7015 (Deep Learning) : Lecture 10 Learning Vectorial Representations Of Words Mitesh M. Khapra

CS7015 (Deep Learning) : Lecture 10 Learning Vectorial Representations Of Words Mitesh M. Khapra Department of Computer Science and Engineering Indian Institute of Technology Madras 1/1 Mitesh M. Khapra CS7015 (Deep Learning) : Lecture 10

1.06k views • 73 slides

More recommend