Unleashing the hidden power of compiler optimization on binary code difference: an empirical study

Xiaolei Ren, Michael Ho, Jiang Ming, Yu Lei, Li Li

Research output: Chapter in Book/Report/Conference proceedingConference PaperResearchpeer-review

36 Citations (Scopus)

Abstract

Hunting binary code difference without source code (i.e., binary diffing) has compelling applications in software security. Due to the high variability of binary code, existing solutions have been driven towards measuring semantic similarities from syntactically different code. Since compiler optimization is the most common source contributing to binary code differences in syntax, testing the resilience against the changes caused by different compiler optimization settings has become a standard evaluation step for most binary diffing approaches. For example, 47 top-venue papers in the last 12 years compared different program versions compiled by default optimization levels (e.g.,-Ox in GCC and LLVM). Although many of them claim they are immune to compiler transformations, it is yet unclear about their resistance to non-default optimization settings. Especially, we have observed that adversaries explored non-default compiler settings to amplify malware differences. This paper takes the first step to systematically studying the effectiveness of compiler optimization on binary code differences. We tailor search-based iterative compilation for the auto-tuning of binary code differences. We develop BinTuner to search near-optimal optimization sequences that can maximize the amount of binary code differences. We run BinTuner with GCC 10.2 and LLVM 11.0 on SPEC benchmarks (CPU2006 & CPU2017), Coreutils, and OpenSSL. Our experiments show that at the cost of 279 to 1,881 compilation iterations, BinTuner can find custom optimization sequences that are substantially better than the general-Ox settings. BinTuner's outputs seriously undermine prominent binary diffing tools' comparisons. In addition, the detection rate of the IoT malware variants tuned by BinTuner falls by more than 50%. Our findings paint a cautionary tale for security analysts that attackers have a new way to mutate malware code cost-effectively, and the research community needs to step back to reassess optimization-resistance evaluations.

Original languageEnglish
Title of host publicationProceedings of the 42nd ACM SIGPLAN International Conference on Programming Language Design and Implementation
EditorsStephen N. Freund, Eran Yahav
Place of PublicationNew York NY USA
PublisherAssociation for Computing Machinery (ACM)
Pages142-157
Number of pages16
ISBN (Electronic)9781450383912
DOIs
Publication statusPublished - 2021
EventACM SIGPLAN Conference on Programming Language Design and Implementation 2021 - Online, Canada
Duration: 20 Jun 202125 Jun 2021
Conference number: 42nd

Conference

ConferenceACM SIGPLAN Conference on Programming Language Design and Implementation 2021
Abbreviated titlePLDI 2021
Country/TerritoryCanada
Period20/06/2125/06/21

Keywords

  • Binary Code Difference
  • Compiler Optimization

Cite this