DocumentCode :
1976431
Title :
Expose: Discovering Potential Binary Code Re-use
Author :
Beng Heng Ng ; Prakash, Aravind
Author_Institution :
Dept. of Electr. Eng. & Comput. Sci., Univ. of Michigan, Ann Arbor, MI, USA
fYear :
2013
fDate :
22-26 July 2013
Firstpage :
492
Lastpage :
501
Abstract :
The use of third-party libraries in deployed applications can potentially put an organization's intellectual property at risk due to licensing restrictions requiring disclosure or distribution of the resulting software. Binary applications that are statically linked to buggy version(s) of a library can also provide malware with entry points into an organization. While many organizations have policies to restrict the use of third-party software in applications, determining whether an application uses a restricted library can be difficult when it is distributed as binary code. Compiler optimizations, function inlining, and lack of symbols in binary code make the task challenging for automated techniques. On the other hand, semantic analysis techniques are relatively slow. Given a library and a set of binary applications, we propose Expose, a tool that combines symbolic execution using a theorem prover, and function-level syntactic matching techniques to achieve both performance and high quality rankings of applications. Higher rankings indicate a higher likelihood of re-using the library's code. Expose ranked applications that used two libraries at or near the top, out of 2,927 and 128 applications respectively. Expose detected one application that was not detected by another scanner to use some functions in one of the libraries. In addition, Expose ranked applications correctly for different versions of a library, and when different compiler options were used. Expose analyzed 97.68% and 99.48% of the applications within five and 10 minutes respectively.
Keywords :
binary codes; program compilers; software libraries; software reusability; theorem proving; Expose; application ranking; compiler options; function-level syntactic matching techniques; potential binary code reuse discovery; symbolic execution; theorem prover; third-party libraries; third-party software; Binary codes; Libraries; Licenses; Malware; Semantics; Software; Syntactics; binary code re-use; semantic analysis; syntactic analysis;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Computer Software and Applications Conference (COMPSAC), 2013 IEEE 37th Annual
Conference_Location :
Kyoto
Type :
conf
DOI :
10.1109/COMPSAC.2013.83
Filename :
6649873