BYTEWEIGHT: Learning to recognize functions in binary code

Tiffany Bao, Jonathan Burket, Maverick Woo, Rafael Turner, David Brumley

Research output: Chapter in Book/Report/Conference proceedingConference contribution

86 Scopus citations

Abstract

Function identification is a fundamental challenge in reverse engineering and binary program analysis. For instance, binary rewriting and control flow integrity rely on accurate function detection and identification in binaries. Although many binary program analyses assume functions can be identified a priori, identifying functions in stripped binaries remains a challenge. In this paper, we propose BYTEWEIGHT, a new automatic function identification algorithm. Our approach automatically learns key features for recognizing functions and can therefore easily be adapted to different platforms, new compilers, and new optimizations. We evaluated our tool against three well-known tools that feature function identification: IDA, BAP, and Dyninst. Our data set consists of 2, 200 binaries created with three different compilers, with four different optimization levels, and across two different operating systems. In our experiments with 2, 200 binaries, we found that BYTE-WEIGHT missed 44, 621 functions in comparison with the 266, 672 functions missed by the industry-leading tool IDA. Furthermore, while IDA misidentified 459, 247 functions, BYTEWEIGHT misidentified only 43, 992 functions.

Original languageEnglish (US)
Title of host publicationProceedings of the 23rd USENIX Security Symposium
PublisherUSENIX Association
Pages845-860
Number of pages16
ISBN (Electronic)9781931971157
StatePublished - Jan 1 2014
Externally publishedYes
Event23rd USENIX Security Symposium - San Diego, United States
Duration: Aug 20 2014Aug 22 2014

Publication series

NameProceedings of the 23rd USENIX Security Symposium

Conference

Conference23rd USENIX Security Symposium
CountryUnited States
CitySan Diego
Period8/20/148/22/14

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Information Systems
  • Safety, Risk, Reliability and Quality

Fingerprint Dive into the research topics of 'BYTEWEIGHT: Learning to recognize functions in binary code'. Together they form a unique fingerprint.

  • Cite this

    Bao, T., Burket, J., Woo, M., Turner, R., & Brumley, D. (2014). BYTEWEIGHT: Learning to recognize functions in binary code. In Proceedings of the 23rd USENIX Security Symposium (pp. 845-860). (Proceedings of the 23rd USENIX Security Symposium). USENIX Association.