Obfuscation-Resilient Semantic Functionality Identification Through Program Simulation.

NordSec (2022)

Abstract
Figuring out whether a particular semantic functionality exists in a binary program is challenging. While pattern-matching-based detection is susceptible to syntactic changes of the code, formal equivalence proofs quickly hit complexity limitations in practice. In this paper, we present SIMID, a novel approach to semantic detection of functionality based on observation of input-output behavior of functions during simulated program execution. An evaluation with 4259 functions from 31 binary programs demonstrates that the approach has high detection accuracy across various compilers and even computing architectures (x86-64 and ARM64) as well as in the presence of state-of-the-art obfuscations such as code virtualization. Analysis complexity is low enough for practical use cases.
Keywords
Code equivalence, Binary similarity, Binary analysis, Code obfuscation