SIGMA: A Semantic Integrated Graph Matching Approach for identifying reused functions in binary code

The capability of e ciently recognizing reused functions for binary code is critical to many digital forensics tasks, especially considering the fact that many modern malware typically contain a signi cant amount of functions borrowed from open source software packages. Such a capability will not only improve the e ciency of reverse engineering, but also reduce the odds of common libraries leading to false correlations between unrelated code bases. In this paper, we propose SIGMA, a technique for identifying reused functions in binary code by matching traces of a novel representation of binary code, namely, the Semantic Integrated Graph (SIG). The SIGs enhance and merge several existing concepts from classic program analysis, including control ow graph, register ow graph, and function call graph into a joint data structure. Such a comprehensive representation allows us to capture di erent semantic descriptors of common functionalities in a uni ed manner as graph traces, which can be extracted from binaries and matched to identify reused functions, actions, or open source software packages. Experimental results show that our approach yields promising results. Furthermore, we demonstrate the e ectiveness of our approach through a case study using two malware known to share common functionalities, namely, Zeus and Citadel.