BContext2Name: Naming Functions in Stripped Binaries with Multi-Label Learning and Neural Networks

Abstract

Conducting binary function naming helps reverse engineers understand the internal workings of the code and perform malicious code analysis without accessing the source code. However, the loss of debugging information poses the challenge of insufficient high-level semantic information description for stripping binary code function naming. Meanwhile, the existing binary function naming scheme has one function label for only one sample. The long-tail effect of function labels for a single sample makes the machine learning-based prediction models face the challenge. To obtain a function correlation label and improve the propensity score of uncommon tail labels, we propose a multi-label learning-based binary function naming model BContext2Name. This model automatically generates relevant labels for binary function naming by function context information with the help of PfastreXML model. The experimental results show that BContext2Name can enrich function labels and alleviate the long-tail effect that exists for a single sample class. To obtain high-level semantics of binary functions, we align pseudocode and basic blocks based on disassembly and decompilation, identify concrete or abstract values of API parameters by variable tracking, and construct API-enhanced control flow graphs. Finally, a seq2seq neural network translation model with attention mechanism is constructed between function multi-label learning and enhanced control flow graphs. Experiments on the dataset reveal that the F1 values of the BContext2Name model improve by 3.55% and 15.23% over the state-of-the-art XFL and Nero, respectively. This indicates that function multi-label learning can provide accurate labels for binary functions and can help reverse analysts understand the inner working mechanism of binary code. Code and data for this evaluation are available at https://github.com/CSecurityZhongYuan/BContext2Name.