Towards Architecture-Independent Function Call Analysis for IoT Malware
摘要
IoT malware is often created by modifying publicly available source code, resulting in numerous variants. Analyzing the functionality of these variants has become increasingly important. Function Call Sequence Graph (FCSG) have been proposed to represent internal function calls in binaries, offering a promising approach for functional analysis. However, the structure of FCSGs is highly sensitive to CPU architecture and compiler optimization, hindering cross-architecture analysis. In this paper, we propose a method for generating architecture-independent FCSGs by removing obstructive functions—such as initialization routines and architecture-specific functions—that are not called in the source code but appear in conventional FCSGs. Our method removes, on average, 97.4% of such functions across binaries compiled for Arm, i586, and MIPS architectures with different optimization levels. Furthermore, we show that the resulting FCSGs better reflect the similarity of the original source code, as measured by graph- and string-based similarity metrics. These results demonstrate the potential of our method to improve the robustness and consistency of IoT malware functional analysis across diverse architectures.