Compiler-Agnostic Function Detection in Binaries

D.A. Andriesse; J.M. Slowinska; H.J. Bos

doi:10.1109/EuroSP.2017.11

Compiler-Agnostic Function Detection in Binaries

D.A. Andriesse, J.M. Slowinska, H.J. Bos

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

Abstract

We propose Nucleus, a novel function detection algorithm for binaries. In contrast to prior work, Nucleus is compiler-agnostic, and does not require any learning phase or signature information. Instead of scanning for signatures, Nucleus detects functions at the Control Flow Graph-level, making it inherently suitable for difficult cases such as non-contiguous or multi-entry functions. We evaluate Nucleus on a diverse set of 476 C and C ++ binaries, compiled with GCC, clang and Visual Studio for x86 and x64, at optimization levels O0-O3. We achieve consistently good performance, with a mean F-score of 0.95.

Original language	English
Title of host publication	Proceedings - 2nd IEEE European Symposium on Security and Privacy, EuroS and P 2017
Publisher	Institute of Electrical and Electronics Engineers, Inc.
Pages	177-189
Number of pages	13
ISBN (Electronic)	9781509057610
DOIs	https://doi.org/10.1109/EuroSP.2017.11
Publication status	Published - 28 Jun 2017
Event	2nd IEEE European Symposium on Security and Privacy, EuroS and P 2017 - Paris, France Duration: 26 Apr 2017 → 28 Apr 2017

Conference

Conference	2nd IEEE European Symposium on Security and Privacy, EuroS and P 2017
Country/Territory	France
City	Paris
Period	26/04/17 → 28/04/17

Keywords

Disassembly
function detection
reverse engineering
static analysis

Access to Document

10.1109/EuroSP.2017.11

Handle.net

Persistent link

Cite this

@inproceedings{f8e193bc4a584ee890cf350f242d8621,

title = "Compiler-Agnostic Function Detection in Binaries",

abstract = "We propose Nucleus, a novel function detection algorithm for binaries. In contrast to prior work, Nucleus is compiler-agnostic, and does not require any learning phase or signature information. Instead of scanning for signatures, Nucleus detects functions at the Control Flow Graph-level, making it inherently suitable for difficult cases such as non-contiguous or multi-entry functions. We evaluate Nucleus on a diverse set of 476 C and C ++ binaries, compiled with GCC, clang and Visual Studio for x86 and x64, at optimization levels O0-O3. We achieve consistently good performance, with a mean F-score of 0.95.",

keywords = "Disassembly, function detection, reverse engineering, static analysis",

author = "D.A. Andriesse and J.M. Slowinska and H.J. Bos",

year = "2017",

month = jun,

day = "28",

doi = "10.1109/EuroSP.2017.11",

language = "English",

pages = "177--189",

booktitle = "Proceedings - 2nd IEEE European Symposium on Security and Privacy, EuroS and P 2017",

publisher = "Institute of Electrical and Electronics Engineers, Inc.",

note = "2nd IEEE European Symposium on Security and Privacy, EuroS and P 2017 ; Conference date: 26-04-2017 Through 28-04-2017",

}

Andriesse, DA, Slowinska, JM & Bos, HJ 2017, Compiler-Agnostic Function Detection in Binaries. in Proceedings - 2nd IEEE European Symposium on Security and Privacy, EuroS and P 2017., 7961979, Institute of Electrical and Electronics Engineers, Inc., pp. 177-189, 2nd IEEE European Symposium on Security and Privacy, EuroS and P 2017, Paris, France, 26/04/17. https://doi.org/10.1109/EuroSP.2017.11

Compiler-Agnostic Function Detection in Binaries. / Andriesse, D.A.; Slowinska, J.M.; Bos, H.J.

Proceedings - 2nd IEEE European Symposium on Security and Privacy, EuroS and P 2017. Institute of Electrical and Electronics Engineers, Inc., 2017. p. 177-189 7961979.

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Compiler-Agnostic Function Detection in Binaries

AU - Andriesse, D.A.

AU - Slowinska, J.M.

AU - Bos, H.J.

PY - 2017/6/28

Y1 - 2017/6/28

N2 - We propose Nucleus, a novel function detection algorithm for binaries. In contrast to prior work, Nucleus is compiler-agnostic, and does not require any learning phase or signature information. Instead of scanning for signatures, Nucleus detects functions at the Control Flow Graph-level, making it inherently suitable for difficult cases such as non-contiguous or multi-entry functions. We evaluate Nucleus on a diverse set of 476 C and C ++ binaries, compiled with GCC, clang and Visual Studio for x86 and x64, at optimization levels O0-O3. We achieve consistently good performance, with a mean F-score of 0.95.

AB - We propose Nucleus, a novel function detection algorithm for binaries. In contrast to prior work, Nucleus is compiler-agnostic, and does not require any learning phase or signature information. Instead of scanning for signatures, Nucleus detects functions at the Control Flow Graph-level, making it inherently suitable for difficult cases such as non-contiguous or multi-entry functions. We evaluate Nucleus on a diverse set of 476 C and C ++ binaries, compiled with GCC, clang and Visual Studio for x86 and x64, at optimization levels O0-O3. We achieve consistently good performance, with a mean F-score of 0.95.

KW - Disassembly

KW - function detection

KW - reverse engineering

KW - static analysis

UR - http://www.scopus.com/inward/record.url?scp=85026645253&partnerID=8YFLogxK

U2 - 10.1109/EuroSP.2017.11

DO - 10.1109/EuroSP.2017.11

M3 - Conference contribution

SP - 177

EP - 189

BT - Proceedings - 2nd IEEE European Symposium on Security and Privacy, EuroS and P 2017

PB - Institute of Electrical and Electronics Engineers, Inc.

T2 - 2nd IEEE European Symposium on Security and Privacy, EuroS and P 2017

Y2 - 26 April 2017 through 28 April 2017

ER -

Compiler-Agnostic Function Detection in Binaries

Abstract

Conference

Keywords

Access to Document

Handle.net

Other files and links

Fingerprint

Cite this