Table of Contents
Fetching ...

StriderSPD: Structure-Guided Joint Representation Learning for Binary Security Patch Detection

Qingyuan Li, Chenchen Yu, Chuanyi Li, Xin-Cheng Wen, Cheryl Lee, Cuiyun Gao, Bin Luo

TL;DR

StriderSPD tackles the challenge of detecting security patches in closed-source binaries by jointly representing assembly-code structure and pseudo-code semantics. It introduces a structure-guided neural network that fuses a graph branch (CFG-based) with an LLM branch (pseudo-code) via adapters and cross-attention, trained with a two-stage strategy to balance the two branches. A cross-project, cross-domain benchmark with 1,720 patches demonstrates that StriderSPD outperforms multiple baselines and generalizes across several foundation models, achieving an accuracy of 0.854 and F1 of 0.885 while maintaining low inference costs. The work provides a practical path for robust binary SPD in real-world, proprietary software and highlights the value of integrating structural and semantic signals in binary analysis.

Abstract

Vulnerabilities severely threaten software systems, making the timely application of security patches crucial for mitigating attacks. However, software vendors often silently patch vulnerabilities with limited disclosure, where Security Patch Detection (SPD) comes to protect software assets. Recently, most SPD studies have targeted Open-Source Software (OSS), yet a large portion of real-world software is closed-source, where patches are distributed as binaries without accessible source code. The limited binary SPD approaches often lift binaries to abstraction levels, i.e., assembly code or pseudo-code. However, assembly code is register-based instructions conveying limited semantics, while pseudo-code lacks parser-compatible grammar to extract structure, both hindering accurate vulnerability-fix representation learning. In addition, previous studies often obtain training and testing data from the same project for evaluation, which fails to reflect closed-source conditions. To alleviate the above challenges, we propose \textbf{\textit{StriderSPD}}, a \underline{Str}ucture-gu\underline{ide}d joint \underline{r}epresentation \underline{SPD} framework of binary code that integrates a graph branch into a large language model (LLM), leveraging structural information to guide the LLM in identifying security patches. Our novel design of the adapters in the graph branch effectively aligns the representations between assembly code and pseudo-code at the LLM's token level. We further present a two-stage training strategy to address the optimization imbalance caused by the large parameter disparity between StriderSPD's two branches, which enables proper branch fitting. To enable more realistic evaluation, we construct a binary SPD benchmark that is disjoint from prior datasets in both projects and domains and extensively evaluate StriderSPD on this benchmark.

StriderSPD: Structure-Guided Joint Representation Learning for Binary Security Patch Detection

TL;DR

StriderSPD tackles the challenge of detecting security patches in closed-source binaries by jointly representing assembly-code structure and pseudo-code semantics. It introduces a structure-guided neural network that fuses a graph branch (CFG-based) with an LLM branch (pseudo-code) via adapters and cross-attention, trained with a two-stage strategy to balance the two branches. A cross-project, cross-domain benchmark with 1,720 patches demonstrates that StriderSPD outperforms multiple baselines and generalizes across several foundation models, achieving an accuracy of 0.854 and F1 of 0.885 while maintaining low inference costs. The work provides a practical path for robust binary SPD in real-world, proprietary software and highlights the value of integrating structural and semantic signals in binary analysis.

Abstract

Vulnerabilities severely threaten software systems, making the timely application of security patches crucial for mitigating attacks. However, software vendors often silently patch vulnerabilities with limited disclosure, where Security Patch Detection (SPD) comes to protect software assets. Recently, most SPD studies have targeted Open-Source Software (OSS), yet a large portion of real-world software is closed-source, where patches are distributed as binaries without accessible source code. The limited binary SPD approaches often lift binaries to abstraction levels, i.e., assembly code or pseudo-code. However, assembly code is register-based instructions conveying limited semantics, while pseudo-code lacks parser-compatible grammar to extract structure, both hindering accurate vulnerability-fix representation learning. In addition, previous studies often obtain training and testing data from the same project for evaluation, which fails to reflect closed-source conditions. To alleviate the above challenges, we propose \textbf{\textit{StriderSPD}}, a \underline{Str}ucture-gu\underline{ide}d joint \underline{r}epresentation \underline{SPD} framework of binary code that integrates a graph branch into a large language model (LLM), leveraging structural information to guide the LLM in identifying security patches. Our novel design of the adapters in the graph branch effectively aligns the representations between assembly code and pseudo-code at the LLM's token level. We further present a two-stage training strategy to address the optimization imbalance caused by the large parameter disparity between StriderSPD's two branches, which enables proper branch fitting. To enable more realistic evaluation, we construct a binary SPD benchmark that is disjoint from prior datasets in both projects and domains and extensively evaluate StriderSPD on this benchmark.
Paper Structure (31 sections, 7 equations, 5 figures, 7 tables)

This paper contains 31 sections, 7 equations, 5 figures, 7 tables.

Figures (5)

  • Figure 1: Motivating example of the patch fixing CVE-2018-16643.
  • Figure 2: Overview of StriderSPD.
  • Figure 3: Accuracy and F1 score of StriderSPD compared with the best baseline across different optimization levels.
  • Figure 4: Training and validation loss curves under joint training.
  • Figure 5: Case study of the patch fixing CVE-2017-13725.