<p>The large-scale deployment of IoT devices has led to widespread use of stripped firmware binaries, where function names are removed, leaving many functions anonymous. This obscures program semantics and heightens security risks by hiding vulnerabilities. Recovering meaningful function names is thus crucial for reverse engineering and security analysis. Existing approaches treat naming as an isolated prediction task or rely on static, limited calling contexts, struggling with deep call chains and severe semantic loss. To overcome this, we propose <b>SemFlow</b>, a call-graph-driven, hierarchical semantic propagation method. SemFlow reframes naming as an iterative process that progressively resolves anonymity by leveraging the call graph’s structure: it first recovers bottom-layer functions with richer context and propagates their names upward as semantic anchors to enrich context for mid- and top-layer functions. We evaluate SemFlow on real-world binaries across four architectures (x86-64, x86-32, ARM, MIPS) and four optimization levels (O0–O3). Results show consistent superiority over the state-of-the-art SYMGEN: F1 scores improve by up to 13.4% (x86-64), 20.3% (x86-32), 34.3% (ARM), and 158.5% (MIPS). Notably, on mid-layer anonymous functions—where semantic scarcity is most acute—SemFlow achieves an average F1 gain of 162.7%, demonstrating the effectiveness of hierarchical semantic propagation in mitigating context loss in deep call chains.</p>

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

A method for function name recovery in binaries via hierarchical semantic propagation

  • Debao Kong,
  • Yangyang Geng,
  • Wei Guo,
  • Chaojie Wei,
  • Haowen Chen,
  • Fang Jing,
  • Liupeng He,
  • Xueman Kong,
  • Qiang Wei

摘要

The large-scale deployment of IoT devices has led to widespread use of stripped firmware binaries, where function names are removed, leaving many functions anonymous. This obscures program semantics and heightens security risks by hiding vulnerabilities. Recovering meaningful function names is thus crucial for reverse engineering and security analysis. Existing approaches treat naming as an isolated prediction task or rely on static, limited calling contexts, struggling with deep call chains and severe semantic loss. To overcome this, we propose SemFlow, a call-graph-driven, hierarchical semantic propagation method. SemFlow reframes naming as an iterative process that progressively resolves anonymity by leveraging the call graph’s structure: it first recovers bottom-layer functions with richer context and propagates their names upward as semantic anchors to enrich context for mid- and top-layer functions. We evaluate SemFlow on real-world binaries across four architectures (x86-64, x86-32, ARM, MIPS) and four optimization levels (O0–O3). Results show consistent superiority over the state-of-the-art SYMGEN: F1 scores improve by up to 13.4% (x86-64), 20.3% (x86-32), 34.3% (ARM), and 158.5% (MIPS). Notably, on mid-layer anonymous functions—where semantic scarcity is most acute—SemFlow achieves an average F1 gain of 162.7%, demonstrating the effectiveness of hierarchical semantic propagation in mitigating context loss in deep call chains.