Files
logseq/pages/ICSE2023-REVIEW-1123.md
T
2025-06-05 22:07:12 +02:00

4.6 KiB

full-title:: Are We There Yet? Filling the Gap Between Binary Similar Analysis and Binary Software Composition Analysis type:: REVIEWS year:: 2023 venue:: ICSE status:: DONE external-links:: #1123 - ICSE 2023 (hotcrp.com) file:: icse2023-paper1123.pdf

  • Paper summary

    • The paper surveys existing solutions for Software Composition Analysis (SCA) and Binary Similarity Analysis (BSA). The survey aims to investigate the adoption of "out-of-the-box" BSA solutions to support Binary Code SCA. The performed study identified some limitations of existing tools, and three strategies have been introduced to enhance the effectiveness of BSA techniques in supporting BSCA. According to the performed experiments, the developed pipeline outperforms existing commercial BSCA tools.
  • Strengths

    • Relevant problem
    • Encouraging evaluation results
    • Availability of an appendix including a replication package
  • Weaknesses

    • The paper is not always easy to read
    • Lack of an explanatory example that might easy the understanding of the peculiar aspects of the proposed solution
  • Comments for the authors

    • Significance and Soundness: The paper aims to address a significant problem, which is very much related to the management of software security. Overall the article is well-written and structured. I only missed illustrative examples that might replace lengthy parts of the paper while increasing the readability of the technical sections. I have one doubt concerning the assumption that taking functions as components during the identification phases of the proposed approach is practical and beneficial. For instance, it might be possible to have different components implementing functions that accidentally have the same name, which might introduce some inaccuracies.
    • Version identification represents a crucial part of the proposed approach. However, I failed to understand how this has been successfully implemented. The authors refer to Fig. 7 for showing some improvements, even though the reader does not have elements to understand from qualitative and quantitative points of view how they have been achieved. This is one of the cases when an illustrative example can help the reading of the paper.
    • Verifiability and Transparency: The submission includes an online appendix available at https://sites.google.com/view/bsa2bsca/home/artifact It contains the source code and the datasets of the performed study.
    • Presentation: The paper is overall well-structured, even though not always easy to read. The technical parts are not always easy to read and are missing some illustrative examples that might simplify the reading of the submission.
  • Question for authors

    • Q1: Can you clarify why the assumption that taking functions as components during the identification phases of the proposed approach does not introduce inaccuracies during the identification phases?
    • Q2: Can you clarify how the version identification problem has been addressed?
  • NOTES

    • Software Composition Analysis (SCA)
      • Given a piece of source code or an APK, SCA can extract certain components from the input software and match them with open source software libraries.
    • Binary Code SCA (BSCA)
      • It is challenging.
    • Binary Similarity Analysis (BSA)
      • It can decide the similarity of two executables.
      • De facto BSA techniques are based on deep learning techniques, which analyze large-scale executables with high precision.
    • ((635ed78d-51f5-4fa1-9fc5-c8792fe0ba02))
      • ==Non si capisce una mazza!!!!==
    • Software composition analysis (SCA) facilitates identifying potential use of third-party and open-source software (OSS) components
    • ((635ed9b2-f4e7-4a1d-accd-a7c6a0ea5656))
    • ((63626d96-50c9-47bd-8cf2-88ad64962f91))
    • ((63626def-d7c8-462d-b5c1-25b8004f2151))
    • ==THE GOAL IS==
      • ((63626e3d-aa14-4765-965c-4f083001d53e))
      • ((63626f8a-156d-4221-a4d7-6a294731413d))
        • IN PARTICULAR:
          • ((63626ffb-64b4-4ada-869a-3f5dceb7523d))
          • ((6362700f-5e6a-48d0-9b0d-3af87c0a4a9e))
          • ((6362702b-57c3-4781-bd4f-f65dbb18d4d9))
    • ((63627110-f7e5-428f-8622-18063c812521))
      • Covered or uncovered?
    • ((63627c28-fdf8-49e3-acd4-43717d5bda68))
      • ((63628218-3b82-4e56-8819-1f8409b52987))
        • Then it is challenging to sustaint that each function would have a match with s corresponding reusable open-source component.
    • #+BEGIN_IMPORTANT The difference between BSCA and BSA is unclear to me while reading the introduction seciton. #+END_IMPORTANT
    • #+BEGIN_IMPORTANT How component versions are inferred/recognized? #+END_IMPORTANT