Cross-Inlining Binary Function Similarity Detection
Ang Jia, Ming Fan, Xi Xu, Wuxia Jin, Haijun Wang, Ting Liu
TL;DR
This work tackles cross-inlining binary function similarity detection, where standard semantic matching fails due to inlined code blending multiple functions. It introduces CI-Detector, a pattern-based ensemble that uses Attributed CFGs (ACFGs) and Graph Neural Networks to learn cross-inlining semantics, with separate models for Leaf-, Root-, and Internal-Inlining patterns and a max-combination strategy for final similarity. A large cross-inlining dataset is built from 51 projects across 9 compilers, 4 optimizations, and 6 architectures, enabling robust labeling via bridge functions. Experiments show CI-Detector achieving an average precision of 0.81 and recall of 0.97, outperforming state-of-the-art approaches, and it provides significant practical impact for security analyses and code-reuse investigations. The work also releases the dataset and code to support reproducibility and further research.
Abstract
Binary function similarity detection plays an important role in a wide range of security applications. Existing works usually assume that the query function and target function share equal semantics and compare their full semantics to obtain the similarity. However, we find that the function mapping is more complex, especially when function inlining happens. In this paper, we will systematically investigate cross-inlining binary function similarity detection. We first construct a cross-inlining dataset by compiling 51 projects using 9 compilers, with 4 optimizations, to 6 architectures, with 2 inlining flags, which results in two datasets both with 216 combinations. Then we construct the cross-inlining function mappings by linking the common source functions in these two datasets. Through analysis of this dataset, we find that three cross-inlining patterns widely exist while existing work suffers when detecting cross-inlining binary function similarity. Next, we propose a pattern-based model named CI-Detector for cross-inlining matching. CI-Detector uses the attributed CFG to represent the semantics of binary functions and GNN to embed binary functions into vectors. CI-Detector respectively trains a model for these three cross-inlining patterns. Finally, the testing pairs are input to these three models and all the produced similarities are aggregated to produce the final similarity. We conduct several experiments to evaluate CI-Detector. Results show that CI-Detector can detect cross-inlining pairs with a precision of 81% and a recall of 97%, which exceeds all state-of-the-art works.