Finding Substitutable Binary Code by Synthesizing Adapters

Vaibhav Sharma; Kesha Hietala; Stephen McCamant

doi:10.1109/TSE.2019.2931000

Finding Substitutable Binary Code by Synthesizing Adapters

Vaibhav Sharma, Kesha Hietala, Stephen McCamant

Computer Science and Engineering

Research output: Contribution to journal › Article › peer-review

Abstract

Independently developed codebases typically contain many segments of code that perform same or closely related operations (semantic clones). Finding functionally equivalent segments enables applications like replacing a segment by a more efficient or more secure alternative. Such related segments often have different interfaces, so some glue code (an adapter) is needed to replace one with the other. In previous work, we presented an algorithm that searches for replaceable code segments by attempting to synthesize an adapter between them from some finite family of adapters; it terminates if it finds no possible adapter. In this work, we compare binary symbolic execution-based adapter search with concrete adapter enumeration based on Intel's Pin framework, and explore the relation between size of adapter search space and total search time. We present examples of applying adapter synthesis for improving security of binary functions and switching between binary implementations of RC4. We present two large-scale evaluations: (1) we run adapter synthesis on more than 13,000 function pairs from the Linux C library, and (2) we reverse engineer fragments of ARM binary code by running more than a million adapter synthesis tasks. Our results confirm that several instances of adaptably equivalent binary functions exist in real-world code, and suggest that adapter synthesis can be applied for automatically replacing binary code with its adaptably equivalent variants.

Original language	English (US)
Article number	8776650
Pages (from-to)	1626-1643
Number of pages	18
Journal	IEEE Transactions on Software Engineering
Volume	47
Issue number	8
DOIs	https://doi.org/10.1109/TSE.2019.2931000
State	Published - Aug 1 2021

Bibliographical note

Funding Information:
This material is based on work supported by the National Science Foundation under Grant Number 1563920. This research was developed with funding from the Defense Advanced Research Projects Agency (DARPA) under contract FA8750-15-C-0110. The views and/or findings contained in this article are those of the authors and should not be interpreted as representing the official views or policies of the Department of Defense or the US Government.

Publisher Copyright:
© 1976-2012 IEEE.

Keywords

Symbolic execution
binary analysis
equivalence checking
program synthesis

Publisher link

10.1109/TSE.2019.2931000

Find It

Find It at U of M Libraries

Cite this

@article{598d718e922e465c93fb7ad445c1e7d6,

title = "Finding Substitutable Binary Code by Synthesizing Adapters",

abstract = "Independently developed codebases typically contain many segments of code that perform same or closely related operations (semantic clones). Finding functionally equivalent segments enables applications like replacing a segment by a more efficient or more secure alternative. Such related segments often have different interfaces, so some glue code (an adapter) is needed to replace one with the other. In previous work, we presented an algorithm that searches for replaceable code segments by attempting to synthesize an adapter between them from some finite family of adapters; it terminates if it finds no possible adapter. In this work, we compare binary symbolic execution-based adapter search with concrete adapter enumeration based on Intel's Pin framework, and explore the relation between size of adapter search space and total search time. We present examples of applying adapter synthesis for improving security of binary functions and switching between binary implementations of RC4. We present two large-scale evaluations: (1) we run adapter synthesis on more than 13,000 function pairs from the Linux C library, and (2) we reverse engineer fragments of ARM binary code by running more than a million adapter synthesis tasks. Our results confirm that several instances of adaptably equivalent binary functions exist in real-world code, and suggest that adapter synthesis can be applied for automatically replacing binary code with its adaptably equivalent variants. ",

keywords = "Symbolic execution, binary analysis, equivalence checking, program synthesis",

author = "Vaibhav Sharma and Kesha Hietala and Stephen McCamant",

note = "Funding Information: This material is based on work supported by the National Science Foundation under Grant Number 1563920. This research was developed with funding from the Defense Advanced Research Projects Agency (DARPA) under contract FA8750-15-C-0110. The views and/or findings contained in this article are those of the authors and should not be interpreted as representing the official views or policies of the Department of Defense or the US Government. Publisher Copyright: {\textcopyright} 1976-2012 IEEE.",

year = "2021",

month = aug,

day = "1",

doi = "10.1109/TSE.2019.2931000",

language = "English (US)",

volume = "47",

pages = "1626--1643",

journal = "IEEE Transactions on Software Engineering",

issn = "0098-5589",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

number = "8",

}

TY - JOUR

T1 - Finding Substitutable Binary Code by Synthesizing Adapters

AU - Sharma, Vaibhav

AU - Hietala, Kesha

AU - McCamant, Stephen

N1 - Funding Information: This material is based on work supported by the National Science Foundation under Grant Number 1563920. This research was developed with funding from the Defense Advanced Research Projects Agency (DARPA) under contract FA8750-15-C-0110. The views and/or findings contained in this article are those of the authors and should not be interpreted as representing the official views or policies of the Department of Defense or the US Government. Publisher Copyright: © 1976-2012 IEEE.

PY - 2021/8/1

Y1 - 2021/8/1

N2 - Independently developed codebases typically contain many segments of code that perform same or closely related operations (semantic clones). Finding functionally equivalent segments enables applications like replacing a segment by a more efficient or more secure alternative. Such related segments often have different interfaces, so some glue code (an adapter) is needed to replace one with the other. In previous work, we presented an algorithm that searches for replaceable code segments by attempting to synthesize an adapter between them from some finite family of adapters; it terminates if it finds no possible adapter. In this work, we compare binary symbolic execution-based adapter search with concrete adapter enumeration based on Intel's Pin framework, and explore the relation between size of adapter search space and total search time. We present examples of applying adapter synthesis for improving security of binary functions and switching between binary implementations of RC4. We present two large-scale evaluations: (1) we run adapter synthesis on more than 13,000 function pairs from the Linux C library, and (2) we reverse engineer fragments of ARM binary code by running more than a million adapter synthesis tasks. Our results confirm that several instances of adaptably equivalent binary functions exist in real-world code, and suggest that adapter synthesis can be applied for automatically replacing binary code with its adaptably equivalent variants.

AB - Independently developed codebases typically contain many segments of code that perform same or closely related operations (semantic clones). Finding functionally equivalent segments enables applications like replacing a segment by a more efficient or more secure alternative. Such related segments often have different interfaces, so some glue code (an adapter) is needed to replace one with the other. In previous work, we presented an algorithm that searches for replaceable code segments by attempting to synthesize an adapter between them from some finite family of adapters; it terminates if it finds no possible adapter. In this work, we compare binary symbolic execution-based adapter search with concrete adapter enumeration based on Intel's Pin framework, and explore the relation between size of adapter search space and total search time. We present examples of applying adapter synthesis for improving security of binary functions and switching between binary implementations of RC4. We present two large-scale evaluations: (1) we run adapter synthesis on more than 13,000 function pairs from the Linux C library, and (2) we reverse engineer fragments of ARM binary code by running more than a million adapter synthesis tasks. Our results confirm that several instances of adaptably equivalent binary functions exist in real-world code, and suggest that adapter synthesis can be applied for automatically replacing binary code with its adaptably equivalent variants.

KW - Symbolic execution

KW - binary analysis

KW - equivalence checking

KW - program synthesis

UR - http://www.scopus.com/inward/record.url?scp=85071562859&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85071562859&partnerID=8YFLogxK

U2 - 10.1109/TSE.2019.2931000

DO - 10.1109/TSE.2019.2931000

M3 - Article

SN - 0098-5589

VL - 47

SP - 1626

EP - 1643

JO - IEEE Transactions on Software Engineering

JF - IEEE Transactions on Software Engineering

IS - 8

M1 - 8776650

ER -

Finding Substitutable Binary Code by Synthesizing Adapters

Abstract

Bibliographical note

Keywords

Publisher link

Find It

Other files and links

Fingerprint

Cite this