SIGMA: A Semantic Integrated Graph Matching Approach for identifying reused functions in binary code

Saed Alrabaee, Paria Shirani, Lingyu Wang, Mourad Debbabi

Research output: Contribution to conferencePaperpeer-review

4 Citations (Scopus)

Abstract

The capability of efficiently recognizing reused functions for binary code is critical to many digital forensics tasks, especially considering the fact that many modern malware typically contain a significant amount of functions borrowed from open source software packages. Such a capability will not only improve the efficiency of reverse engineering, but also reduce the odds of common libraries leading to false correlations between unrelated code bases. In this paper, we propose SIGMA, a technique for identifying reused functions in binary code by matching traces of a novel representation of binary code, namely, the Semantic Integrated Graph (SIG). The SIG s enhance and merge several existing concepts from classic program analysis, including control flow graph, register flow graph, and function call graph into a joint data structure. Such a comprehensive representation allows us to capture different semantic descriptors of common functionalities in a unified manner as graph traces, which can be extracted from binaries and matched to identify reused functions, actions, or open source software packages. Experimental results show that our approach yields promising results. Furthermore, we demonstrate the effectiveness of our approach through a case study using two malware known to share common functionalities, namely, Zeus and Citadel.

Original languageEnglish
PagesS61-S71
DOIs
Publication statusPublished - 2015
Externally publishedYes
Event2015 Digital Forensic Research Conference, DFRWS 2015 EU - Dublin, Ireland
Duration: Mar 23 2015Mar 26 2015

Conference

Conference2015 Digital Forensic Research Conference, DFRWS 2015 EU
Country/TerritoryIreland
CityDublin
Period3/23/153/26/15

Keywords

  • Binary program analysis
  • Digital forensics
  • Function identification
  • Malware forensics
  • Reverse engineering

ASJC Scopus subject areas

  • Information Systems

Fingerprint

Dive into the research topics of 'SIGMA: A Semantic Integrated Graph Matching Approach for identifying reused functions in binary code'. Together they form a unique fingerprint.

Cite this