Probabilistic Naming of Functions in Stripped Binaries

James Patrick-Evans; Lorenzo Cavallaro; Johannes Kinder

doi:10.1145/3427228.3427265

Probabilistic Naming of Functions in Stripped Binaries

James Patrick-Evans, Lorenzo Cavallaro, Johannes Kinder

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

8 Citations (Scopus)

152 Downloads (Pure)

Abstract

Debugging symbols in binary executables carry the names of functions and global variables. When present, they greatly simplify the process of reverse engineering, but they are almost always removed (stripped) for deployment. We present the design and implementation of punstrip, a tool which combines a probabilistic fingerprint of binary code based on high-level features with a probabilistic graphical model to learn the relationship between function names and program structure. As there are many naming conventions and developer styles, functions from different applications do not necessarily have the exact same name, even if they implement the exact same functionality. We therefore evaluate punstrip across three levels of name matching: exact; an approach based on natural language processing of name components; and using Symbol2Vec, a new embedding of function names based on random walks of function call graphs. We show that our approach is able to recognize functions compiled across different compilers and optimization levels and then demonstrate that punstrip can predict semantically similar function names based on code structure. We evaluate our approach over open source C binaries from the Debian Linux distribution and compare against the state of the art.

Original language	English
Title of host publication	Proceedings - 36th Annual Computer Security Applications Conference, ACSAC 2020
Pages	373-385
Number of pages	13
ISBN (Electronic)	9781450388580
DOIs	https://doi.org/10.1145/3427228.3427265
Publication status	Published - 7 Dec 2020

Publication series

Name	ACM International Conference Proceeding Series

Access to Document

10.1145/3427228.3427265

desylLicence: Unspecified

Cite this

@inbook{7af10363e4214a73a7d6fe1f32abd34d,

title = "Probabilistic Naming of Functions in Stripped Binaries",

abstract = "Debugging symbols in binary executables carry the names of functions and global variables. When present, they greatly simplify the process of reverse engineering, but they are almost always removed (stripped) for deployment. We present the design and implementation of punstrip, a tool which combines a probabilistic fingerprint of binary code based on high-level features with a probabilistic graphical model to learn the relationship between function names and program structure. As there are many naming conventions and developer styles, functions from different applications do not necessarily have the exact same name, even if they implement the exact same functionality. We therefore evaluate punstrip across three levels of name matching: exact; an approach based on natural language processing of name components; and using Symbol2Vec, a new embedding of function names based on random walks of function call graphs. We show that our approach is able to recognize functions compiled across different compilers and optimization levels and then demonstrate that punstrip can predict semantically similar function names based on code structure. We evaluate our approach over open source C binaries from the Debian Linux distribution and compare against the state of the art.",

author = "James Patrick-Evans and Lorenzo Cavallaro and Johannes Kinder",

year = "2020",

month = dec,

day = "7",

doi = "10.1145/3427228.3427265",

language = "English",

series = "ACM International Conference Proceeding Series",

pages = "373--385",

booktitle = "Proceedings - 36th Annual Computer Security Applications Conference, ACSAC 2020",

}

Probabilistic Naming of Functions in Stripped Binaries. / Patrick-Evans, James; Cavallaro, Lorenzo; Kinder, Johannes.
Proceedings - 36th Annual Computer Security Applications Conference, ACSAC 2020. 2020. p. 373-385 3427265 (ACM International Conference Proceeding Series).

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

TY - CHAP

T1 - Probabilistic Naming of Functions in Stripped Binaries

AU - Patrick-Evans, James

AU - Cavallaro, Lorenzo

AU - Kinder, Johannes

PY - 2020/12/7

Y1 - 2020/12/7

N2 - Debugging symbols in binary executables carry the names of functions and global variables. When present, they greatly simplify the process of reverse engineering, but they are almost always removed (stripped) for deployment. We present the design and implementation of punstrip, a tool which combines a probabilistic fingerprint of binary code based on high-level features with a probabilistic graphical model to learn the relationship between function names and program structure. As there are many naming conventions and developer styles, functions from different applications do not necessarily have the exact same name, even if they implement the exact same functionality. We therefore evaluate punstrip across three levels of name matching: exact; an approach based on natural language processing of name components; and using Symbol2Vec, a new embedding of function names based on random walks of function call graphs. We show that our approach is able to recognize functions compiled across different compilers and optimization levels and then demonstrate that punstrip can predict semantically similar function names based on code structure. We evaluate our approach over open source C binaries from the Debian Linux distribution and compare against the state of the art.

AB - Debugging symbols in binary executables carry the names of functions and global variables. When present, they greatly simplify the process of reverse engineering, but they are almost always removed (stripped) for deployment. We present the design and implementation of punstrip, a tool which combines a probabilistic fingerprint of binary code based on high-level features with a probabilistic graphical model to learn the relationship between function names and program structure. As there are many naming conventions and developer styles, functions from different applications do not necessarily have the exact same name, even if they implement the exact same functionality. We therefore evaluate punstrip across three levels of name matching: exact; an approach based on natural language processing of name components; and using Symbol2Vec, a new embedding of function names based on random walks of function call graphs. We show that our approach is able to recognize functions compiled across different compilers and optimization levels and then demonstrate that punstrip can predict semantically similar function names based on code structure. We evaluate our approach over open source C binaries from the Debian Linux distribution and compare against the state of the art.

UR - http://www.scopus.com/inward/record.url?scp=85098061283&partnerID=8YFLogxK

U2 - 10.1145/3427228.3427265

DO - 10.1145/3427228.3427265

M3 - Conference paper

T3 - ACM International Conference Proceeding Series

SP - 373

EP - 385

BT - Proceedings - 36th Annual Computer Security Applications Conference, ACSAC 2020

ER -

Probabilistic Naming of Functions in Stripped Binaries

Abstract

Publication series

Access to Document

Other files and links

Fingerprint

Cite this