hide
Free keywords:
-
Abstract:
The proliferation of IoT-devices is turning different kinds of embedded systems into
another relevant target for malware developers. Consequently, recent botnets are providing clients for multiple host architectures, making the clustering of malware samples a non-trivial task. While several approaches exist for statically comparing binaries of the same architecture, there are no proposed methods to compare binaries across different architectures.
Based on previous approaches for cross-architecture bug identification, we present
CrossDiff, a tool to compare executable binaries compiled for ARM, MIPS, PowerPC
and x86. CrossDiff detects functions in the input executables and translates their instructions into a common intermediate representation. Then, by pairwise comparing
functions based on features at IR-level and analyzing module-level properties we
compute a similarity score for pairs of binaries. Finally, we evaluate this approach
and the stages of the pipeline on the SPEC CPU2006 dataset with a build matrix that
iterates over different architectures, compilers, languages and optimization flags.