file:: [icse2023-paper1123_1666614286724_0.pdf](../assets/icse2023-paper1123_1666614286724_0.pdf) file-path:: ../assets/icse2023-paper1123_1666614286724_0.pdf - BSCA solutions ls-type:: annotation hl-page:: 1 hl-color:: green id:: 635ed6e9-5ab5-494e-920d-d197bad4a0ef - binary similarity analysis (BSA), ls-type:: annotation hl-page:: 1 hl-color:: purple id:: 635ed6fa-e494-4bb0-a747-301dac2e3822 hl-stamp:: 1667159806055 - Software composition analysis (SCA ls-type:: annotation hl-page:: 1 hl-color:: purple id:: 635ed702-0585-45ec-a36c-3681491f925c - binary code SCA (BSCA) ls-type:: annotation hl-page:: 1 hl-color:: purple id:: 635ed718-a954-446b-b442-890d08b54afd - This study explores bridging the gap between state-of-theart (SOTA) BSA and BSCA. We build the first comprehensive benchmark dataset with considerable manual effort. Then, we establish our BSCA pipeline, by extending the SOTA SCA solution. Particularly, we concretize the key procedure of BSCA, namely matching a binary component with OSS, with six SOTA BSA techniques. Evaluation using our benchmark dataset reveals that simply employing BSA in BSCA exhibits less desirable accuracy, as BSCA faces unique challenges. With manual inspection on the failed cases, we propose three enhancements, whose combination improves the F1 score of BSCA for nearly 30% and outperforms SOTA commercial BSCA software. We discuss several open challenges and potential solutions to augment BSCA solutions. ls-type:: annotation hl-page:: 1 hl-color:: yellow id:: 635ed78d-51f5-4fa1-9fc5-c8792fe0ba02 - localizing potentially vulnerable or outdated OSS components, reducing risk factors, and leading to healthy open source usage ls-type:: annotation hl-page:: 1 hl-color:: purple id:: 635ed9b2-f4e7-4a1d-accd-a7c6a0ea5656 hl-stamp:: 1667394892119 - in many real-world, securitysensitive scenarios, input software’s source code is not always availabl ls-type:: annotation hl-page:: 1 hl-color:: green id:: 63626d65-b79c-4e25-99f3-12539b9dd086 - when performing SCA over commercial offthe-shelf (COTS) software, the primarily available information is the program binary code. ls-type:: annotation hl-page:: 1 hl-color:: green id:: 63626d70-8c68-445d-b883-7f453bccbb4b - binary software composition analysis (BSCA) becomes a demanding, yet underexplored field [5, 8]. ls-type:: annotation hl-page:: 1 hl-color:: purple id:: 63626d75-cec4-406e-bc61-1cd6960be676 - BSA quantifies the similarity between two binary code samples, which forms the basis of various important software engineering and security applications. ls-type:: annotation hl-page:: 1 hl-color:: green id:: 63626d87-d918-4004-b56b-640591b7fc45 - BSA promotes malware analysis by comparing suspicious code with known malware families to determine if it is malicious ls-type:: annotation hl-page:: 1 hl-color:: green id:: 63626d8e-389f-4d6d-bc46-59de09eb9cdb - BSA also helps discover code clones and algorithm plagiarism in executable ls-type:: annotation hl-page:: 1 hl-color:: purple id:: 63626d96-50c9-47bd-8cf2-88ad64962f91 - “binary code matching. ls-type:: annotation hl-page:: 1 hl-color:: green id:: 63626d9e-9553-40b2-b621-0263752f8aac - advanced BSA solutions have been extensively using deep neural networks (DNNs) and its enabled representative learning and large language models (LLMs)-based embedding ls-type:: annotation hl-page:: 1 hl-color:: purple id:: 63626def-d7c8-462d-b5c1-25b8004f2151 - BSA and SCA/BSCA, two conceptually similar fields, exhibit a notable difference in the technical solution; ls-type:: annotation hl-page:: 1 hl-color:: purple id:: 63626e1b-2f36-4b4f-833a-265f5ea2189a - this paper aims to provide a systematic understanding and study applying SOTA BSA solutions in the field of BSCA. ls-type:: annotation hl-page:: 1 hl-color:: purple id:: 63626e3d-aa14-4765-965c-4f083001d53e - each executable contains reuse relations with 12.6 production OSS libraries on average ls-type:: annotation hl-page:: 1 hl-color:: purple id:: 63626e99-4840-47d9-a492-27cb3c6ce474 - SOTA BSA solutions ls-type:: annotation hl-page:: 1 hl-color:: purple id:: 63626eae-3afb-43c1-a8d9-2527f8b60466 - composition searc ls-type:: annotation hl-page:: 2 hl-color:: green id:: 63626ed9-b973-4a1e-923e-552a97e55f11 - We find that BSCA has distinct requirement than standard BSA, for which the latter case may overly emphasize the necessity of precisely extracting program semantics ls-type:: annotation hl-page:: 2 hl-color:: purple id:: 63626f5c-a03a-4594-9fba-2809976fd577 - identifying the exact version of OSS libraries is very challenging. ls-type:: annotation hl-page:: 2 hl-color:: purple id:: 63626f73-9dc0-4ebe-83f8-4a63dc6e375e - e design three low-cost and highly effective enhancement strategies from different perspectives to enhance BSA for BSCA ls-type:: annotation hl-page:: 2 hl-color:: purple id:: 63626f8a-156d-4221-a4d7-6a294731413d - We aim to assess advanced BSA solutions in their usage of BSCA, a highly demanding yet under-explored application field. ls-type:: annotation hl-page:: 2 hl-color:: purple id:: 63626ffb-64b4-4ada-869a-3f5dceb7523d - We conduct the first comprehensive study in bridging BSA solutions to BSCA ls-type:: annotation hl-page:: 2 hl-color:: purple id:: 6362700f-5e6a-48d0-9b0d-3af87c0a4a9e - we design three enhancement strategies, where each of them (and their combination) can significantly enhance the effectiveness of BSA solutions in BSCA, outperforming the commercial BSCA software. ls-type:: annotation hl-page:: 2 hl-color:: purple id:: 6362702b-57c3-4781-bd4f-f65dbb18d4d9 - Software Composition Analysis (SCA) ls-type:: annotation hl-page:: 2 hl-color:: green id:: 6362705c-d05f-4d67-af6a-d0ceb83c69b3 - developers can address security risks from known vulnerabilities and license issues ls-type:: annotation hl-page:: 2 hl-color:: green id:: 636270d2-a302-4eb2-8c7f-2cac399441f0 - uncovered ls-type:: annotation hl-page:: 2 hl-color:: red id:: 63627110-f7e5-428f-8622-18063c812521 - inary executables (i.e., BSCA ls-type:: annotation hl-page:: 2 hl-color:: green id:: 63627131-f61c-457a-a71d-0ed14c5b43d2 - ① Component Dissection. ls-type:: annotation hl-page:: 2 hl-color:: green id:: 63627164-d2fa-4229-9846-75f75668e2a2 - ② Component Search. ls-type:: annotation hl-page:: 2 hl-color:: green id:: 63627167-8a28-4c2c-a405-c2f93324124d - we need to decide the similarity between c and records in Doss ls-type:: annotation hl-page:: 2 hl-color:: purple id:: 6362717a-fd45-4734-82f6-da677d33ce8d - A component c, however, should not be matched to any ossi ∈ Doss if it is a user-written code; user-written code is referred to as “custom code” in Fig. 1. ls-type:: annotation hl-page:: 2 hl-color:: purple id:: 6362718f-9831-4de6-8ba4-46809a7c8b2c - ③ Valuable Information Identification. ls-type:: annotation hl-page:: 2 hl-color:: green id:: 63627196-cd1c-4a2b-ad71-132ab73a5ffd - the mapping rules are often assumed to be available in a “valuable information database” ls-type:: annotation hl-page:: 3 hl-color:: purple id:: 636271d1-7f3f-4935-89b8-c167197e4d14 - 2) SCA metrics: ls-type:: annotation hl-page:: 3 hl-color:: blue id:: 636271d4-9a00-47e5-a3c1-5e61d3f07448 hl-stamp:: 1667396068531 - 1) SCA Overview: ls-type:: annotation hl-page:: 2 hl-color:: blue id:: 636271e2-35d3-4164-8683-854daf41e7b4 - we need to prepare a ground-truth dataset R∗ from input software to benchmark SCA techniques. ls-type:: annotation hl-page:: 3 hl-color:: green id:: 6362720c-e7cd-4749-b499-bdb465e55f6a - it becomes much harder for executable files compiled from C/C++ programs, where most meta information is absent. In fact, one of our contributions in this work is to build a comprehensive real-world dataset for BSCA benchmark; ls-type:: annotation hl-page:: 3 hl-color:: purple id:: 63627249-50ea-4133-8ebb-caec8f275abd - reverse engineering Android apps is deemed as much simpler comparing with decompiling x86 executables compiled from C/C++ code. ls-type:: annotation hl-page:: 3 hl-color:: green id:: 63627285-44e3-47fd-a84a-50c53e204a6b - he available information in launching SCA for Android APKs is richer. ls-type:: annotation hl-page:: 3 hl-color:: green id:: 6362728d-64e4-4137-837c-8ebb55ac28e8 - Decompiling C/C++ executable is much harder, and recovering those high-level information (e.g., class inheritance dependencies) is not well addressed yet [64]. ls-type:: annotation hl-page:: 3 hl-color:: green id:: 636272a4-f642-488a-a357-9201eb25f73a - BSA decides how similar they are. The similarity is usually a score ranging from 0 to 1. ls-type:: annotation hl-page:: 3 hl-color:: purple id:: 636272c4-f501-4c90-a143-f726c78eed5f - Overall, given two pieces of code ls-type:: annotation hl-page:: 3 hl-color:: purple id:: 636272ca-4811-4c8b-b2a1-7edf777e65c7 - we can merely find six tools(i.e., BAT [43], OSSPolice [36], FIBER [79], B2SFinder [76], CodeCMR [75] and XLIR [40]) aiming at B2S. ls-type:: annotation hl-page:: 3 hl-color:: green id:: 636272e6-03a5-4fb7-a414-2ba0b36d7122 - 1) binary-to-binary ls-type:: annotation hl-page:: 3 hl-color:: blue id:: 636272ee-e2b1-4c01-88fd-4e7b7881b288 - 2) binary-to-source ls-type:: annotation hl-page:: 3 hl-color:: blue id:: 636272f2-f3bc-4239-bd15-c89b4a8b2800 - Advantages of B2S for BSCA. ls-type:: annotation hl-page:: 3 hl-color:: blue id:: 6362733e-9f93-436b-93fd-683ffa272c2c - BSCA is envisioned to analyze hundreds of OSS projects with various dependencies and compilation toolchains required. Therefore, compiling all OSS projects requires enormous resources and considerable manual effort. ls-type:: annotation hl-page:: 3 hl-color:: purple id:: 6362736b-3a5c-4db4-aaca-c79adcc712c7 - Hence, it appears a dilemma to use either B2B or B2S in BSCA ls-type:: annotation hl-page:: 3 hl-color:: purple id:: 6362739d-1e52-41b0-9a25-2a1b9c35cbb7 - Motivation. There is a high demand of performing accurate and dependable BSCA, envisioning the practical need of analyzing closed-source software and track any (unsafe or outdated) opensource component brought into executabl ls-type:: annotation hl-page:: 3 hl-color:: green id:: 63627962-5888-4a42-9e69-abbc078fc211 - we believe that the academy and our community lack a systematic and in-depth understanding to calibrate the technical solution and uncover the best practical of performing BSCA. This motivates our study in this paper. ls-type:: annotation hl-page:: 4 hl-color:: green id:: 63627979-8692-4bf9-9992-6af06fb92945 - assembly functions should form the “components” in an executable. ls-type:: annotation hl-page:: 4 hl-color:: green id:: 63627c1a-c4ad-4bf6-9c5b-47f1d5d57f9e - unctions as the components ls-type:: annotation hl-page:: 4 hl-color:: yellow id:: 63627c28-fdf8-49e3-acd4-43717d5bda68 - ① Component Dissection ls-type:: annotation hl-page:: 4 hl-color:: blue id:: 63627c9f-ab5f-458d-84aa-1233f293c510 - ② Component Identification ls-type:: annotation hl-page:: 4 hl-color:: blue id:: 63627ca2-6780-4444-b80e-12f28afec187 - a Clustering-based detection, ls-type:: annotation hl-page:: 4 hl-color:: green id:: 63627d1c-e4b0-4b42-9320-f2a6d957bc33 - b Similarity-based detection ls-type:: annotation hl-page:: 4 hl-color:: green id:: 63627d27-7585-4a78-83d2-4a8380fcf26d - de facto SCA methods are primarily based on similarity-based detections. ls-type:: annotation hl-page:: 4 hl-color:: green id:: 63627d45-e617-4450-aeeb-faf13e7e16e4 - ③ Valuable Information Identification ls-type:: annotation hl-page:: 4 hl-color:: blue id:: 63627d5a-9a24-443e-a609-1b5f81224aec - whereas the component identification phase iterate over functions in the input executable and query the databas ls-type:: annotation hl-page:: 4 hl-color:: green id:: 63627dca-7da3-4692-b293-e353c51004a0 - Selection of B2B solutions ls-type:: annotation hl-page:: 5 hl-color:: green id:: 63627e68-12b6-456a-8350-334e6e118c26 - CommercialB ls-type:: annotation hl-page:: 5 hl-color:: red id:: 63627ec4-67be-43d6-ad30-5d42827adbc0 - SAFE and PalmTree ls-type:: annotation hl-page:: 5 hl-color:: green id:: 63627eda-1065-4980-9ee8-8d660ab2ff3a - redundancy elimination and code segmentation to reduce the size of the database without undermining the accuracy. ls-type:: annotation hl-page:: 5 hl-color:: green id:: 63627f03-310b-46fe-bc7a-4772afcefd21 - storing only one copy of such unchanged functions across all versions is sufficient ls-type:: annotation hl-page:: 5 hl-color:: green id:: 63627f13-5155-4a55-9ab6-c1b87739c4fe - Redundancy Elimination ls-type:: annotation hl-page:: 5 hl-color:: blue id:: 63627f2f-f423-4af8-9576-fe854ccb202c - Code Segmentation ls-type:: annotation hl-page:: 5 hl-color:: blue id:: 63627f34-30ba-4750-ad5c-6a38021011c6 - Component Identification. ls-type:: annotation hl-page:: 5 hl-color:: blue id:: 63627f54-e4ce-4ebc-8805-ec05cbe313d8 - When using B2S, we save the effort of compiling OSS projects. ls-type:: annotation hl-page:: 7 hl-color:: green id:: 63627ff7-8506-476d-9c03-f6d28207f5dd - BSCA solutions (i.e., BAT and CommercialA) manifest high accuracy, with the achieved F1 scores over 0.4 across all settings ls-type:: annotation hl-page:: 7 hl-color:: green id:: 63628073-a2b7-4ae9-9b39-69677e460626 - By observing the missing constant−1 (i.e., 0xffffffff of Fig. 3(c)), we could treat function Unref as similar but not reused. ls-type:: annotation hl-page:: 7 hl-color:: green id:: 63628120-1b3f-4bb5-91e8-1833a296edeb - Centris ls-type:: annotation hl-page:: 7 hl-color:: green id:: 63628130-fc84-43c2-a89f-e597084d4cc2 - 1.45 ls-type:: annotation hl-page:: 7 hl-color:: green id:: 63628138-f050-4def-bee6-b27c1563520c - BSA solutions are designed to find similar semantics rather than reuse relations. ls-type:: annotation hl-page:: 7 hl-color:: green id:: 6362815c-e55c-4910-bbe0-27bfc5fdb519 - function-level matching ls-type:: annotation hl-page:: 8 hl-color:: green id:: 63628199-6ef9-4561-9363-4b3a5bd72a7f - BSA tools aim at detecting the similarity between pieces of arbitrary assembly function ls-type:: annotation hl-page:: 8 hl-color:: yellow id:: 63628218-3b82-4e56-8819-1f8409b52987 hl-stamp:: 1667400219191 - matching every OSS functions may not be needed. Rather, strings may offer a short-cut to match OSS projects, which often use strings to encode OSS names, vendors, and even version information. ls-type:: annotation hl-page:: 8 hl-color:: green id:: 63628244-94ec-4cdc-aba9-198bd7e3cb73 - IDA pro ls-type:: annotation hl-page:: 8 hl-color:: green id:: 6362824b-3f48-47e5-bcd8-76e3a4b8956c - match(f ) has at least one element ls-type:: annotation hl-page:: 8 hl-color:: green id:: 6362827a-3a39-4d91-beee-a7557e757fd6 - BSA solutions to identify functions of different versions, we rely on string-level signatures to rank the most likely version for each identified OSS project ls-type:: annotation hl-page:: 9 hl-color:: green id:: 63628330-e831-4455-824b-7727afd3a45a - string-level signature ls-type:: annotation hl-page:: 10 hl-color:: green id:: 6362833d-0aca-48c8-9b32-6d9aa93d6288 - functions with potentially high distinguishability ls-type:: annotation hl-page:: 10 hl-color:: green id:: 63628341-6221-4a48-a03f-59fac3c41e2a - object file layouts ls-type:: annotation hl-page:: 10 hl-color:: green id:: 63628346-2e00-484c-a5b2-c221679e02fb - signature-based SCA ls-type:: annotation hl-page:: 10 hl-color:: green id:: 63628360-07c0-4bd8-ac80-9f6ab05992a2 - unction-level granularity matching ls-type:: annotation hl-page:: 10 hl-color:: green id:: 63628373-ac39-44e5-8263-41accb27d85c - Although we have spent tremendous efforts on labeling the ground truth of the reuse relations, ls-type:: annotation hl-page:: 10 hl-color:: green id:: 6362839b-041c-49eb-bff1-843a1894c897 - Binary Software Composition Analysis ls-type:: annotation hl-page:: 10 hl-color:: blue id:: 636283cb-ff7d-4eb6-8187-b53aa90f53ae - they discard semantic knowledge and cannot work when the OSS project has few unique strings ls-type:: annotation hl-page:: 10 hl-color:: green id:: 636283e1-06c2-46ac-b965-8ca3fac83342 - Binary Similarity Analysis ls-type:: annotation hl-page:: 10 hl-color:: blue id:: 636283ec-de12-44aa-a6ed-c646892a9bb9 - BSCA, a critical application widely needed in security and software re-engineering tasks ls-type:: annotation hl-page:: 10 hl-color:: green id:: 63628406-8417-428b-b2d9-a3bdfd368877 - were incapable in version identification ls-type:: annotation hl-page:: 10 hl-color:: yellow id:: 63628422-490c-49fb-b91d-e53699218c2e - We then proposed optimization tactics from three aspects, which largely improved the accuracy of OSS identification with moderate cost ls-type:: annotation hl-page:: 10 hl-color:: yellow id:: 6362842c-c66a-4391-a7aa-159b922d3e5d