SAFE: Self-Attentive Function Embeddings for Binary Similarity

• Published in: Detection of Intrusions and Malware, and Vulnerability Assessment Vol. 11543; pp. 309 - 329
• Main Authors: Massarelli, Luca, Di Luna, Giuseppe Antonio, Petroni, Fabio, Baldoni, Roberto, Querzoni, Leonardo
• Format: Book Chapter
• Language: English
• Published: Switzerland Springer International Publishing AG 2019; Springer International Publishing
• Series: Lecture Notes in Computer Science
• ISBN: 3030220370; 9783030220372
• ISSN: 0302-9743; 1611-3349
• DOI: 10.1007/978-3-030-22038-9_15

The binary similarity problem consists in determining if two functions are similar by only considering their compiled form. Techniques for binary similarity have an immediate practical impact on several fields such as copyright disputes, malware analysis, vulnerability detection, etc. Current solutions compare functions by first transforming their binary code in multi-dimensional vector representations (embeddings), and then comparing vectors through simple and efficient geometric operations. In this paper we propose SAFE, a novel architecture for the embedding of functions based on a self-attentive neural network. SAFE works directly on disassembled binary functions, does not require manual feature extraction, is computationally more efficient than existing solutions, and is more general as it works on stripped binaries and on multiple architectures. We report the results from a quantitative and qualitative analysis that show how SAFE provides a noticeable performance improvement with respect to previous solutions. Furthermore, we show how clusters of our embedding vectors are closely related to the semantic of the implemented algorithms, paving the way for further interesting applications.