SLIDE 1
SAFE: Self Attentive Function Embedding for Binary Similarity
Luca Massarelli
Who am I?
PhD Student @ Sapienza University of Rome Exploring how to leverage Artificial Intelligence to improve security!
SAFE: Self Attentive Function Embedding for Binary Similarity Luca - - PowerPoint PPT Presentation
SAFE: Self Attentive Function Embedding for Binary Similarity Luca - - PowerPoint PPT Presentation
SAFE: Self Attentive Function Embedding for Binary Similarity Luca Massarelli PhD Student @ Sapienza University of Rome Who am I? Exploring how to leverage Artificial Intelligence to improve security! Reverse Engineering is painful
SLIDE 2
SLIDE 3
Reverse Engineering is painfulβ¦
Image Credit: G. A. Di Luna
SLIDE 4
Binary Similarity Problem
SLIDE 5
App ppli licatio ions
- Vulnerability Detection
- Library Function Identification
- Malware Hunting
SLIDE 6
Existing Commercial Solutions
IDA F.L.I.R.T. DIAPHORA
SLIDE 7
Mai ain Lim imit itatio ions
Not Scalable (BinDiff - Diaphora) Require an extact copy of the function (IDA F.L.I.R.T. - YARA) Analyst have to write rule (YARA)
SLIDE 8
A few word about recompilation
Easy to do! Effective
SLIDE 9
How to create new efficient and effective solutions?
SLIDE 10
SLIDE 11
EMBEDDINGS!!
Representation of words, sentences or documents using vector!
IDEA BORROWED FROM Natural Language Processing
πΆπ½ππ΅ππ = π€1 = [ 0.17 , 0. 19 , β¦ , 0.21] πΆπ½ππ΅ππ½πΉπ = π€2 = [ 0.16 , 0. 23 , β¦ , 0.20] ππ½π πΆπ½ππ΅ππ, πΆπ½ππ΅ππ½πΉπ = < π€1, π€2 > = 0.9
SLIDE 12
Word2Vec Model
- The embedding of each word is computed with an unsupervised
algorithm that consider the context in od the word.
SLIDE 13
Word2Vec Model
- Words relationship can be retrieved from the embeddings:
πππ βΆ π₯ππππ = ππππ βΆ ? ? ? π€2π₯ πππ β π€2π₯ ππππ + π€2π₯ π₯ππππ = π₯2π€(ππ£πππ)
SLIDE 14
Word2Vec Model For ASM
We can do the same with assembly code! ππ£π‘β π ππ βΆ πππ π ππ = ππ£π‘β π ππ¦ βΆ ? ? ?
pop rax
SLIDE 15
How we ag aggregate instruction embeddings to function embeddings?
SLIDE 16
Structured Self Attentive Model
SLIDE 17
The Full Pipeline
SLIDE 18
Creating the dataset
- This is easy!!!
- We compile 11 different
projects with different compilers and optimization!
- β¦ and we disassemble
everithing!
SLIDE 19
It works!!
- AUC:
- SAFE: 0.99
- I2v_attention: 0.96
- Gemini (MFE): 0.95
- We tested SAFE on different
task!
SLIDE 20
Function Search Engine!
- We tested SAFE as a function search
engine!
- We try to retrieve from a knowledge
base similar function to the query!
SLIDE 21
Semantic Classification
- We try to classify functions
to 4 different semantic classes using embeddings!
- Math
- String
- Encryption
- Sorting
SLIDE 22
Semantic Classification Visualization
Embeddings are clustered in the space according to their semantic!
(S) Sorting (E) Encryption (SM) String Manipulation (M) Math
classifier flagged
- classifier
flags confirmed
- fier flags
confirmed final files find files
SLIDE 23
Applications
IDENTIFICATION OF AN ENCRYPTION FUNCTION INSIDE A MALWARE! IDENTIFICATION OF A VULNERABLE FUNCTIONS INSIDE A FIRMWARE! YARASAFE β USING SAFE INSIDE YARA
SLIDE 24
TeslaCrypt Ransomware
- We disassemble the sample with IDA and we used our
semantic classifier to analyze every function!
- The Classifier founds seven functions that has
encryption semantic!
- 6 of them were effectively performing encryption!!
Sample:3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370 Detected Functions: 0x41e900, 0x420ec0, 0x4210a0,0x4212c0, 0x421665,0x421900, 0x4219c0
SLIDE 25
Function Detected At 0x41E900
SHA1 Constant
SLIDE 26
Possible improvent: Detecting Suspicious functionality inside a firmware
SLIDE 27
Spotting Vulnerability in COTS software
- We develop a tool: YARASAFE, to
simplify this process!
SLIDE 28
YARA-SAFE
SLIDE 29
YARA-SAFE Rule
import "safe" rule Heartbleed { condition: safe.similarity("[0.094, β¦. , 0.0597]") > 0.97 }
SLIDE 30
Rule - Creation
SLIDE 31
DEMO!!
SLIDE 32