AGNOMIN -- Architecture Agnostic Multi-Label Function Name Prediction
Yonatan Gizachew Achamyeleh, Tongtao Zhang, Joshua Hyunki Kim, Gabriel Garcia, Shih-Yuan Yu, Anton Kocheturov, Mohammad Abdullah Al Faruque
TL;DR
AGNOMIN tackles the problem of function name prediction in stripped binaries by proposing architecture-agnostic representations built from Feature-Enriched Hierarchical Graphs (FEHGs) that fuse Control Flow Graphs, Function Call Graphs, and PCode-derived features. A hierarchical graph neural network encodes these FEHGs into architecture-agnostic function embeddings, which are then decoded by a Renée-inspired, attention-enhanced multi-label decoder to predict semantic labels for function names. The approach demonstrates strong cross-architecture generalization and outperforms state-of-the-art methods on a large, multi-architecture ELF dataset, with notable gains in precision and recall and effective applicability to vulnerability remediation and patching across architectures. Practical validation in DARPA hackathon settings shows improved speed and accuracy for reverse engineers, supported by a Ghidra plugin release that enables broad adoption in real-world security workflows. Overall, AGNOMIN delivers a scalable, architecture-agnostic solution for function name prediction and cross-arch vulnerability remediation in stripped binaries, with robust generalization and practical tooling support.
Abstract
Function name prediction is crucial for understanding stripped binaries in software reverse engineering, a key step for enabling subsequent vulnerability analysis and patching. However, existing approaches often struggle with architecture-specific limitations, data scarcity, and diverse naming conventions. We present AGNOMIN, a novel architecture-agnostic approach for multi-label function name prediction in stripped binaries. AGNOMIN builds Feature-Enriched Hierarchical Graphs (FEHGs), combining Control Flow Graphs, Function Call Graphs, and dynamically learned PCode features. A hierarchical graph neural network processes this enriched structure to generate consistent function representations across architectures, vital for scalable security assessments. For function name prediction, AGNOMIN employs a Renée-inspired decoder, enhanced with an attention-based head layer and algorithmic improvements. We evaluate AGNOMIN on a comprehensive dataset of 9,000 ELF executable binaries across three architectures, demonstrating its superior performance compared to state-of-the-art approaches, with improvements of up to 27.17% in precision and 55.86% in recall across the testing dataset. Moreover, AGNOMIN generalizes well to unseen architectures, achieving 5.89% higher recall than the closest baseline. AGNOMIN's practical utility has been validated through security hackathons, where it successfully aided reverse engineers in analyzing and patching vulnerable binaries across different architectures.
