RouAlign: Cross-Version Function Alignment and Routine Recovery with Graphlet Edge Embedding - ICT Systems Security and Privacy Protection
Conference Papers, Year: 2020

RouAlign: Cross-Version Function Alignment and Routine Recovery with Graphlet Edge Embedding

Abstract

Reverse engineering is labor-intensive work aimed at understanding the inner implementation of a program, and it is necessary for malware analysis, vulnerability hunting, and similar tasks. Cross-version function identification and subroutine matching would greatly reduce the manual effort by indicating the known parts coming from different binary programs. Existing approaches mainly focus on function recognition and ignore the recovery of the relationships between functions, which makes it hard for researchers to locate the calling routine they are interested in. In this paper, we propose a method that uses graphlet edge embedding to abstract high-level topology features of function call graphs and recover the relationships between functions. With the function relationships recovered, we reconstruct the calling routine of the program and then infer the specific functions in it. We implement a prototype model called RouAlign, which can automatically align the trunk routine of assembly code. We evaluated RouAlign on 65 groups of real-world programs, with over two million functions. RouAlign outperforms state-of-the-art binary comparison solutions by over 35%, with a high precision of 92% on average in pairwise function recognition.
Origin : Files produced by the author(s)

Dates and versions

hal-03440839, version 1 (22-11-2021)

Licence

Attribution

Cite

Can Yang, Jian Liu, Mengxia Luo, Xiaorui Gong, Baoxu Liu. RouAlign: Cross-Version Function Alignment and Routine Recovery with Graphlet Edge Embedding. 35th IFIP International Conference on ICT Systems Security and Privacy Protection (SEC), Sep 2020, Maribor, Slovenia. pp.155-170, ⟨10.1007/978-3-030-58201-2_11⟩. ⟨hal-03440839⟩