DVul-WLG: Graph Embedding Network Based on Code Similarity for Cross-Architecture Firmware Vulnerability Detection

Hao Sun; Yanjun Tong; Jing Zhao; Zhaoquan Gu

doi:10.1007/978-3-030-91356-4_17

DVul-WLG: Graph Embedding Network Based on Code Similarity for Cross-Architecture Firmware Vulnerability Detection

Hao Sun
, Yanjun Tong
, Jing Zhao^*
, Zhaoquan Gu

^*Corresponding author for this work

Dalian University of Technology
Guangzhou University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

1 Scopus citations

Abstract

Vulnerabilities in the firmware of embedded devices have led to many IoT security incidents. Embedded devices have multiple architectures and the firmware source code of embedded devices is difficult to obtain, which makes it difficult to detect firmware vulnerabilities. In this paper, we propose a neural network model called DVul-WLG for cross-architecture firmware vulnerability detection. This model analyzes the similarity between the binary function of the vulnerability and the binary function of the firmware to determine whether the firmware contains the vulnerability. The similarity between functions is calculated by comparing the features of the attribute control flow graph (ACFG) of the functions. DVul-WLG uses Word2vec, LSTM (Long Short-Term Memory) and an improved graph convolutional neural network (GCN) to extract the features of ACFG. This model embeds instructions of different architectures into the same space through canonical correlation analysis (CCA), and expresses instructions of different architectures in the form of intermediate vectors. In this way, the heterogeneity of architectures can be ignored when comparing cross-architecture similarity. We compared DVul-WLG with the advanced method FIT and the basic method Gemini through experiments. Experiments show that DVul-WLG has a higher AUC (Area Under the Curve) value. We also detected vulnerabilities in the real firmware. The accuracy of DVul-WLG is 89%, while FIT and Gemini are 78% and 73%, respectively.

Original language	English
Title of host publication	Information Security - 24th International Conference, ISC 2021, Proceedings
Editors	Joseph K. Liu, Sokratis Katsikas, Weizhi Meng, Willy Susilo, Rolly Intan
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	320-337
Number of pages	18
ISBN (Print)	9783030913557
DOIs	https://doi.org/10.1007/978-3-030-91356-4_17
State	Published - 2021
Externally published	Yes
Event	24th International Conference on Information Security, ISC 2021 - Virtual, Online Duration: 10 Nov 2021 → 12 Nov 2021

Publication series

Name	Lecture Notes in Computer Science
Volume	13118 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	24th International Conference on Information Security, ISC 2021
City	Virtual, Online
Period	10/11/21 → 12/11/21

Keywords

Binary code similarity
Graph embedding
Vulnerability detection

Access to Document

10.1007/978-3-030-91356-4_17

Cite this

Sun, H., Tong, Y., Zhao, J., & Gu, Z. (2021). DVul-WLG: Graph Embedding Network Based on Code Similarity for Cross-Architecture Firmware Vulnerability Detection. In J. K. Liu, S. Katsikas, W. Meng, W. Susilo, & R. Intan (Eds.), Information Security - 24th International Conference, ISC 2021, Proceedings (pp. 320-337). (Lecture Notes in Computer Science; Vol. 13118 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-030-91356-4_17

Sun, Hao ; Tong, Yanjun ; Zhao, Jing et al. / DVul-WLG : Graph Embedding Network Based on Code Similarity for Cross-Architecture Firmware Vulnerability Detection. Information Security - 24th International Conference, ISC 2021, Proceedings. editor / Joseph K. Liu ; Sokratis Katsikas ; Weizhi Meng ; Willy Susilo ; Rolly Intan. Springer Science and Business Media Deutschland GmbH, 2021. pp. 320-337 (Lecture Notes in Computer Science).

@inproceedings{23f6cc8237be4b12b5f79e9b4d006d58,

title = "DVul-WLG: Graph Embedding Network Based on Code Similarity for Cross-Architecture Firmware Vulnerability Detection",

abstract = "Vulnerabilities in the firmware of embedded devices have led to many IoT security incidents. Embedded devices have multiple architectures and the firmware source code of embedded devices is difficult to obtain, which makes it difficult to detect firmware vulnerabilities. In this paper, we propose a neural network model called DVul-WLG for cross-architecture firmware vulnerability detection. This model analyzes the similarity between the binary function of the vulnerability and the binary function of the firmware to determine whether the firmware contains the vulnerability. The similarity between functions is calculated by comparing the features of the attribute control flow graph (ACFG) of the functions. DVul-WLG uses Word2vec, LSTM (Long Short-Term Memory) and an improved graph convolutional neural network (GCN) to extract the features of ACFG. This model embeds instructions of different architectures into the same space through canonical correlation analysis (CCA), and expresses instructions of different architectures in the form of intermediate vectors. In this way, the heterogeneity of architectures can be ignored when comparing cross-architecture similarity. We compared DVul-WLG with the advanced method FIT and the basic method Gemini through experiments. Experiments show that DVul-WLG has a higher AUC (Area Under the Curve) value. We also detected vulnerabilities in the real firmware. The accuracy of DVul-WLG is 89\%, while FIT and Gemini are 78\% and 73\%, respectively.",

keywords = "Binary code similarity, Graph embedding, Vulnerability detection",

author = "Hao Sun and Yanjun Tong and Jing Zhao and Zhaoquan Gu",

note = "Publisher Copyright: {\textcopyright} 2021, Springer Nature Switzerland AG.; 24th International Conference on Information Security, ISC 2021 ; Conference date: 10-11-2021 Through 12-11-2021",

year = "2021",

doi = "10.1007/978-3-030-91356-4\_17",

language = "英语",

isbn = "9783030913557",

series = "Lecture Notes in Computer Science",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "320--337",

editor = "Liu, \{Joseph K.\} and Sokratis Katsikas and Weizhi Meng and Willy Susilo and Rolly Intan",

booktitle = "Information Security - 24th International Conference, ISC 2021, Proceedings",

address = "德国",

}

Sun, H, Tong, Y, Zhao, J & Gu, Z 2021, DVul-WLG: Graph Embedding Network Based on Code Similarity for Cross-Architecture Firmware Vulnerability Detection. in JK Liu, S Katsikas, W Meng, W Susilo & R Intan (eds), Information Security - 24th International Conference, ISC 2021, Proceedings. Lecture Notes in Computer Science, vol. 13118 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 320-337, 24th International Conference on Information Security, ISC 2021, Virtual, Online, 10/11/21. https://doi.org/10.1007/978-3-030-91356-4_17

DVul-WLG: Graph Embedding Network Based on Code Similarity for Cross-Architecture Firmware Vulnerability Detection. / Sun, Hao; Tong, Yanjun; Zhao, Jing et al.
Information Security - 24th International Conference, ISC 2021, Proceedings. ed. / Joseph K. Liu; Sokratis Katsikas; Weizhi Meng; Willy Susilo; Rolly Intan. Springer Science and Business Media Deutschland GmbH, 2021. p. 320-337 (Lecture Notes in Computer Science; Vol. 13118 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - DVul-WLG

T2 - 24th International Conference on Information Security, ISC 2021

AU - Sun, Hao

AU - Tong, Yanjun

AU - Zhao, Jing

AU - Gu, Zhaoquan

PY - 2021

Y1 - 2021

N2 - Vulnerabilities in the firmware of embedded devices have led to many IoT security incidents. Embedded devices have multiple architectures and the firmware source code of embedded devices is difficult to obtain, which makes it difficult to detect firmware vulnerabilities. In this paper, we propose a neural network model called DVul-WLG for cross-architecture firmware vulnerability detection. This model analyzes the similarity between the binary function of the vulnerability and the binary function of the firmware to determine whether the firmware contains the vulnerability. The similarity between functions is calculated by comparing the features of the attribute control flow graph (ACFG) of the functions. DVul-WLG uses Word2vec, LSTM (Long Short-Term Memory) and an improved graph convolutional neural network (GCN) to extract the features of ACFG. This model embeds instructions of different architectures into the same space through canonical correlation analysis (CCA), and expresses instructions of different architectures in the form of intermediate vectors. In this way, the heterogeneity of architectures can be ignored when comparing cross-architecture similarity. We compared DVul-WLG with the advanced method FIT and the basic method Gemini through experiments. Experiments show that DVul-WLG has a higher AUC (Area Under the Curve) value. We also detected vulnerabilities in the real firmware. The accuracy of DVul-WLG is 89%, while FIT and Gemini are 78% and 73%, respectively.

AB - Vulnerabilities in the firmware of embedded devices have led to many IoT security incidents. Embedded devices have multiple architectures and the firmware source code of embedded devices is difficult to obtain, which makes it difficult to detect firmware vulnerabilities. In this paper, we propose a neural network model called DVul-WLG for cross-architecture firmware vulnerability detection. This model analyzes the similarity between the binary function of the vulnerability and the binary function of the firmware to determine whether the firmware contains the vulnerability. The similarity between functions is calculated by comparing the features of the attribute control flow graph (ACFG) of the functions. DVul-WLG uses Word2vec, LSTM (Long Short-Term Memory) and an improved graph convolutional neural network (GCN) to extract the features of ACFG. This model embeds instructions of different architectures into the same space through canonical correlation analysis (CCA), and expresses instructions of different architectures in the form of intermediate vectors. In this way, the heterogeneity of architectures can be ignored when comparing cross-architecture similarity. We compared DVul-WLG with the advanced method FIT and the basic method Gemini through experiments. Experiments show that DVul-WLG has a higher AUC (Area Under the Curve) value. We also detected vulnerabilities in the real firmware. The accuracy of DVul-WLG is 89%, while FIT and Gemini are 78% and 73%, respectively.

KW - Binary code similarity

KW - Graph embedding

KW - Vulnerability detection

UR - https://www.scopus.com/pages/publications/85121869477

U2 - 10.1007/978-3-030-91356-4_17

DO - 10.1007/978-3-030-91356-4_17

M3 - 会议稿件

AN - SCOPUS:85121869477

SN - 9783030913557

T3 - Lecture Notes in Computer Science

SP - 320

EP - 337

BT - Information Security - 24th International Conference, ISC 2021, Proceedings

A2 - Liu, Joseph K.

A2 - Katsikas, Sokratis

A2 - Meng, Weizhi

A2 - Susilo, Willy

A2 - Intan, Rolly

PB - Springer Science and Business Media Deutschland GmbH

Y2 - 10 November 2021 through 12 November 2021

ER -

Sun H, Tong Y, Zhao J, Gu Z. DVul-WLG: Graph Embedding Network Based on Code Similarity for Cross-Architecture Firmware Vulnerability Detection. In Liu JK, Katsikas S, Meng W, Susilo W, Intan R, editors, Information Security - 24th International Conference, ISC 2021, Proceedings. Springer Science and Business Media Deutschland GmbH. 2021. p. 320-337. (Lecture Notes in Computer Science). doi: 10.1007/978-3-030-91356-4_17

DVul-WLG: Graph Embedding Network Based on Code Similarity for Cross-Architecture Firmware Vulnerability Detection

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this