SE · Dec 24, 2021

1-to-1 or 1-to-n? Investigating the effect of function inlining on binary similarity analysis

arXiv:2112.12928v2 · 33 citations
AI Analysis

The paper addresses a critical bottleneck in binary analysis for security and software engineering, though it is incremental: it builds on existing methods to highlight and mitigate the effects of inlining.

The paper investigates how function inlining affects binary similarity analysis, revealing that it leads to 1-to-n or n-to-n mapping problems, causing performance losses such as 30% in code search and 40% in vulnerability detection, with existing strategies recovering only 60% of inlined functions.

Binary similarity analysis is critical to many code-reuse-related issues, and the "1-to-1" mechanism is widely applied, where one function in a binary file is matched against one function in a source file or binary file. However, we discover that function mapping is a more complex problem of "1-to-n" or even "n-to-n" due to the existence of function inlining. In this paper, we investigate the effect of function inlining on binary similarity analysis. We first construct 4 inlining-oriented datasets for four similarity analysis tasks, including code search, OSS reuse detection, vulnerability detection, and patch presence test. Then, we further study the extent of function inlining, the performance of existing works under function inlining, and the effectiveness of existing inlining-simulation strategies. Results show that the proportion of function inlining can reach nearly 70%, while most existing works neglect it and use the "1-to-1" mechanism. The mismatches cause a 30% loss in performance during code search and a 40% loss during vulnerability detection. Moreover, two existing inlining-simulation strategies can only recover 60% of the inlined functions. We discover that inlining is usually cumulative when optimization increases. Conditional inlining and incremental inlining are suggested to design low-cost and high-coverage inlining-simulation strategies.

Code Implementations: 1 repo