基于用户系统调用序列的二进制代码识别

doi:10.11772/j.issn.1001-9081.2023070992

《计算机应用》唯一官方网站 ›› 2024, Vol. 44 ›› Issue (7): 2160-2167.DOI: 10.11772/j.issn.1001-9081.2023070992

基于用户系统调用序列的二进制代码识别

黄海翔¹, 彭双和¹(), 钟子煜²

^1.北京交通大学计算机与信息技术学院，北京 100044
^2.香港科技大学理学院，香港 999077

收稿日期:2023-07-24 修回日期:2023-09-13 接受日期:2023-09-21 发布日期:2023-10-26 出版日期:2024-07-10
通讯作者: 彭双和
作者简介:黄海翔（1999—），男，江西九江人，硕士研究生，主要研究方向：二进制逆向分析、漏洞挖掘；
钟子煜（1999—），男，江西九江人，硕士研究生，主要研究方向：运筹优化、机器学习。
第一联系人：彭双和（1974—），女，湖南衡阳人，副教授，博士，主要研究方向：可信计算、二进制逆向分析；
基金资助:
国家自然科学基金资助项目(62272028)

Binary code identification based on user system call sequences

Haixiang HUANG¹, Shuanghe PENG¹(), Ziyu ZHONG²

^1.College of Computer and Information Technology，Beijing Jiaotong University，Beijing 100044，China
^2.Faculty of Science，the Hong Kong University of Science and Technology，Hong Kong 999077，China

Received:2023-07-24 Revised:2023-09-13 Accepted:2023-09-21 Online:2023-10-26 Published:2024-07-10
Contact: Shuanghe PENG
About author:HUANG Haixiang， born in 1999， M. S. candidate. His research interests include binary reverse analysis， vulnerability mining.
ZHONG Ziyu， born in 1999， M. S. candidate. His research interests include operations research optimization， machine learning.
First author contact:PENG Shuanghe， born in 1974， Ph. D.， associate professor. Her research interests include trusted computing， binary reverse analysis.
Supported by:
National Natural Science Foundation of China(62272028)

摘要/Abstract

摘要：

针对编译优化、跨编译器、混淆等带来的二进制代码相似性识别准确率低的问题，提出并实现了一种基于用户系统调用序列的识别方案UstraceDiff。首先，基于Intel Pin框架设计了一个动态分析插桩工具，动态提取二进制代码的用户系统调用序列及参数；其次，通过序列对齐获得被分析的2个二进制代码的系统调用序列的公有序列，并设计了一个有效参数表用于筛选出有效系统调用参数；最后，为评估二进制代码的相似性，提出一种算法利用公有序列及有效参数，计算它们的同源度。使用Coreutils数据集在4种不同的编译条件下对UstraceDiff进行了评估。实验结果表明，相较于Bindiff和DeepBinDiff，UstraceDiff对于同源程序识别的平均准确率分别提高了35.1个百分点和55.4个百分点，对于非同源程序的区分效果也更好。

关键词: 代码识别, 动态分析, 系统调用, 程序溯源, 二进制相似性分析

Abstract:

In order to solve the low accuracy problem of binary code identification caused by compilation optimization， cross-compiler， obfuscation， etc.， UstraceDiff， an identification scheme based on user system call sequences， was proposed. First， to extract the sequences of user system calls and parameters of the binary codes， a dynamic binary instrumentation tool based on Intel Pin framework was designed. Second， the common sequences of system call sequences of two compared binary codes were obtained through sequence alignment， and a valid parameter table was designed to filter out valid system call parameters. Finally， an algorithm was proposed to evaluate the similarity of binary codes by combining the common sequences and valid parameters to calculate the homology score. UstraceDiff was evaluated by using the Coreutils dataset under four different compilation conditions. The results show that the average accuracy of UstraceDiff for homologous program identification is 35.1 percentage points and 55.4 percentage points higher than those of Bindiff and DeepBinDiff respectively， and the distinction effect for non-homologous programs of UstraceDiff is also better.

Key words: code identification, dynamic analysis, system call, program traceability, binary code similarity analysis

中图分类号:

TP313

黄海翔, 彭双和, 钟子煜. 基于用户系统调用序列的二进制代码识别[J]. 计算机应用, 2024, 44(7): 2160-2167.

Haixiang HUANG, Shuanghe PENG, Ziyu ZHONG. Binary code identification based on user system call sequences[J]. Journal of Computer Applications, 2024, 44(7): 2160-2167.

图/表 11

参考文献 23

1	FLAKE H. Structural comparison of executable objects ［C］// Proceedings of the 2004 International Conference on Detection of Intrusions and Malware & Vulnerability Assessment. Ulm： Gesellschaft für Informatik， 2004： 161-173.
2	DING S H H， FUNG B C M， CHARLAND P. Asm2Vec： boosting static representation robustness for binary clone search against code obfuscation and compiler optimization ［C］// Proceedings of the 2019 IEEE Symposium on Security and Privacy. Piscataway： IEEE， 2019： 472-489.
3	JIN X， PEI K， WON J Y， et al. SymLM： predicting function names in stripped binaries via context-sensitive execution-aware code embeddings ［C］// Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. New York： ACM， 2022： 1631-1645.
4	王泰彦，潘祖烈，于璐，等.基于预训练汇编指令表征的二进制代码相似性检测方法［J］.计算机科学， 2023， 50（4）： 288-297.
	WANG T Y， PAN Z L， YU L， et al. Binary code similarity detection method based on pre-training assembly instruction representation ［J］. Computer Science， 2023， 50（4）： 288-297.
5	夏冰，庞建民，周鑫，等.二进制代码相似性搜索研究进展［J］.计算机应用， 2022， 42（4）： 985-998.
	XIA B， PANG J M， ZHOU X， et al. Research progress on binary code similarity search ［J］. Journal of Computer Applications， 2022， 42（4）： 985-998.
6	HAQ I U， CABALLERO J. A survey of binary code similarity ［J］. ACM Computing Surveys， 2021， 54（3）： No. 51.
7	MARCELLI A， GRAZIANO M， UGARTE-PEDRERO X， et al. How machine learning is solving the binary function similarity problem ［C］// Proceedings of the 31st USENIX Security Symposium. Berkley： USENIX Association， 2022： 2099-2116.
8	MINK J， BENKRAOUDA H， YANG L， et al. Everybody’s got ML， tell me what else you have： practitioners’ perception of ML-based security tools and explanations ［C］// Proceedings of the 2023 IEEE Symposium on Security and Privacy. Piscataway： IEEE， 2023： 2068-2085.
9	WANG S， WU D. In-memory fuzzing for binary code similarity analysis ［C］// Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering. Piscataway： IEEE， 2017： 319-330.
10	KARGÉN U， SHAHMEHRI N. Towards robust instruction-level trace alignment of binary code ［C］// Proceedings of the 2017 32nd IEEE/ACM International Conference on Automated Software Engineering. Piscataway： IEEE， 2017： 342-352.
11	SALVADOR S， CHAN P. Toward accurate dynamic time warping in linear time and space ［J］. Intelligent Data Analysis， 2007， 11（5）： 561-580.
12	MING J， XU D， JIANG Y， et al. BinSim： trace-based semantic binary diffing via system call sliced segment equivalence checking ［C］// Proceedings of the 26th USENIX Security Symposium. Berkley： USENIX Association， 2017： 253-270.
13	DAVID Y， PARTUSH N， YAHAV E. Similarity of binaries through re-optimization ［C］// Proceedings of the 38th ACM SIGPLAN Conference on Programming Language Design and Implementation. New York： ACM， 2017： 79-94.
14	Y-C JHI， WANG X， JIA X， et al. Value-based program characterization and its application to software plagiarism detection ［C］// Proceedings of the 2011 33rd International Conference on Software Engineering. New York： ACM， 2011： 756-765.
15	TIAN Z， ZHENG Q， LIU T， et al. DKISB： dynamic key instruction sequence birthmark for software plagiarism detection ［C］// Proceedings of the 2013 IEEE 10th International Conference on High Performance Computing and Communications & 2013 IEEE International Conference on Embedded and Ubiquitous Computing. Piscataway： IEEE， 2013： 619-627.
16	TIAN Z， ZHENG Q， LIU T， et al. Software plagiarism detection with birthmarks based on dynamic key instruction sequences ［J］. IEEE Transactions on Software Engineering， 2015， 41（12）： 1217-1235.
17	DAVID Y， YAHAV E. Tracelet-based code search in executables ［J］. ACM SIGPLAN Notices， 2014， 49（6）： 349-360.
18	HU Y， ZHANG Y， LI J， et al. Cross-architecture binary semantics understanding via similar code comparison ［C］// Proceedings of the 2016 IEEE 23rd International Conference on Software Analysis， Evolution， and Reengineering. Piscataway： IEEE， 2016： 57-67.
19	WANG X， Y-C JHI， ZHU S C， et al. Detecting software theft via system call based birthmarks ［C］// Proceedings of the 2009 Annual Computer Security Applications Conference. Piscataway： IEEE， 2009： 149-158.
20	C-K LUK， COHN R， MUTH R， et al. Pin： building customized program analysis tools with dynamic instrumentation ［J］. ACM SIGPLAN Notices， 2005， 40（6）： 190-200.
21	CONDRET. Radare2 user guide ［EB/OL］. （2020-03-03）［2023-04-10］. .
22	DUAN Y， LI X， WANG J， et al. DeepBinDiff： learning program-wide code representations for binary diffing ［C/OL］// Proceedings of the 26th Network and Distributed System Security Symposium. Reston： Internet Society， 2020［2023-07-01］. .
23	KIM S-W， GIL J-M. Research paper classification systems based on TF-IDF and LDA schemes ［J］. Human-centric Computing and Information Sciences， 2019， 9： No. 30.

%rax	系统调用名	%rdi	%rsi	%rdx
0	sys_read	fd	0	1
1	sys_write	fd	0	1
2	sys_open	0	1	1
3	sys_close	fd	0	0

%rax	系统调用名	%rdi	%rsi	%rdx
0	sys_read	fd	0	1
1	sys_write	fd	0	1
2	sys_open	0	1	1
3	sys_close	fd	0	0

编译环境	Bindiff7	Radiff2	IMF-SIM	DeepBinDiff	UstraceDiff
平均值	34.9	37.4	74.0	24.1	98.0
gcc5	39.8	37.3	70.4	31.7	94.4
gcc9	44.3	40.6		24.7	94.4
clang16	41.5	45.8		19.6	99.3
ollvm（clang4）	34.0	42.2	77.5	23.5	99.3
ollvm -bcf	27.3	27.7		29.9	99.8
ollvm -sub	23.5	41.0		23.2	99.3
ollvm -fla	33.8	27.3		16.2	99.3

编译环境	Bindiff7	Radiff2	IMF-SIM	DeepBinDiff	UstraceDiff
平均值	34.9	37.4	74.0	24.1	98.0
gcc5	39.8	37.3	70.4	31.7	94.4
gcc9	44.3	40.6		24.7	94.4
clang16	41.5	45.8		19.6	99.3
ollvm（clang4）	34.0	42.2	77.5	23.5	99.3
ollvm -bcf	27.3	27.7		29.9	99.8
ollvm -sub	23.5	41.0		23.2	99.3
ollvm -fla	33.8	27.3		16.2	99.3

同源情况	编译器类型	Bindiff7	Radiff2	DeepBinDiff	UstraceDiff
同源	gcc	93.5	69.4	69.3	97.8
	clang	87.6	81.6	59.2	99.8
	平均	90.6	75.5	64.3	98.8
非同源	gcc	60.7	21.0	46.7	32.0
	clang	60.5	21.1	43.3	26.4
	平均	60.6	21.1	45.0	29.2

基于用户系统调用序列的二进制代码识别

Binary code identification based on user system call sequences

RichHTML

PDF

可视化

摘要/Abstract

引用本文

使用本文

图/表 11

参考文献 23

相关文章 15

编辑推荐

Metrics

评估方式	Bindiff7	Radiff2	DeepBinDiff	UstraceDiff
两种编译器的同源程序	66.3	55.8	27.0	95.7
两种编译器的非同源程序	44.0	30.6	19.2	29.9

评估方式	Bindiff7	Radiff2	IMF-SIM	DeepBinDiff	UstraceDiff
平均	60.2	54.7	64.7	55.3	99.8
无混淆 vs bcf混淆	48.4	40.9	51.3	57.2	99.8
无混淆 vs sub混淆	96.2	83.9	77.9	87.6	99.8
无混淆 vs fla混淆	36.0	39.3	64.9	21.1	99.8

[1]	雷靖玮, 伊鹏, 陈祥, 王亮, 毛明. 基于系统调用和数据溯源的PDF文档检测模型[J]. 《计算机应用》唯一官方网站, 2022, 42(12): 3831-3840.
[2]	蔡梦娟, 陈兴蜀, 金鑫, 赵成, 殷明勇. 基于硬件虚拟化的虚拟机进程代码分页式度量方法[J]. 计算机应用, 2018, 38(2): 305-309.
[3]	李津津, 贾晓启, 杜海超, 王利朋. 基于虚拟化技术的有效提高系统可用性的方法[J]. 计算机应用, 2017, 37(4): 986-992.
[4]	赵成, 陈兴蜀, 金鑫. 基于硬件虚拟化的虚拟机文件完整性监控[J]. 计算机应用, 2017, 37(2): 388-391.
[5]	周敏, 周安民, 刘亮, 贾鹏, 谭翠江. 组件拒绝服务漏洞自动挖掘技术[J]. 计算机应用, 2017, 37(11): 3288-3293.
[6]	周登元, 李清宝, 张擂, 孔维亮. 基于虚拟机监控器的Windows剪贴板操作监控[J]. 计算机应用, 2016, 36(2): 511-515.
[7]	代伟, 刘智, 刘益和. 基于地址完整性检查的函数指针攻击检测[J]. 计算机应用, 2015, 35(2): 424-429.
[8]	吴瀛江建慧. 基于进程轨迹最小熵长度的系统调用异常检测[J]. 计算机应用, 2012, 32(12): 3439-3444.
[9]	马博袁丁. 基于Linux驱动级内核访问监控技术研究与实现[J]. 计算机应用, 2009, 29(09): 2369-2374.
[10]	何志范明钰. 基于HSC的进程隐藏检测技术[J]. 计算机应用, 2008, 28(7): 1772-1775.
[11]	赵文刚钟乐海张娅杨金邹海洋. 模糊窗口Markov链在IDS中的应用[J]. 计算机应用, 2008, 28(6): 1398-1400.
[12]	张军苏璞睿冯登国 . 基于系统调用的入侵检测系统设计与实现[J]. 计算机应用, 2006, 26(9): 2137-2139.
[13]	蒋世忠; 杨进; 张英. 基于免疫原理与粗糙集理论的入侵检测方法[J]. 计算机应用, 2006, 26(5): 1077-1080.
[14]	钱丽萍;汪立东. 一种评测应用程序实际性能开销的方法[J]. 计算机应用, 2006, 26(5): 1180-1182.
[15]	朱国强;刘真;李宗伯. 对计算机系统中程序行为的分析和研究[J]. 计算机应用, 2005, 25(12): 2739-2741.

评估方式	Bindiff7	Radiff2	DeepBinDiff	UstraceDiff
同名程序	68.5	27.1	58.6	72.5
非同名程序	57.4	20.1	43.2	24.0

评估方式	Bindiff7	Radiff2	DeepBinDiff	UstraceDiff
同名程序	68.5	27.1	58.6	72.5
非同名程序	57.4	20.1	43.2	24.0