In recent years, binary analysis gained traction as a fundamental approach to inspect software and guarantee its security. Due to the exponential increase of devices running software, much research is now moving towards new autonomous solutions based on deep learning models, as they have been showing state-of-the-art performances in solving binary analysis problems. One of the hot topics in this context is binary similarity, which consists in determining if two functions in assembly code are compiled from the same source code. However, it is unclear how deep learning models for binary similarity behave in an adversarial context. In this paper, we study the resilience of binary similarity models against adversarial examples, showing that they are susceptible to both targeted and untargeted attacks (w.r.t. similarity goals) performed by black-box and white-box attackers. In more detail, we extensively test three current state-of-the-art solutions for binary similarity against two black-box greedy attacks, including a new technique that we call Spatial Greedy, and one white-box attack in which we repurpose a gradient-guided strategy used in attacks to image classifiers.

翻译：近年来，二进制分析作为检查软件并保障其安全性的基础方法获得了广泛关注。由于运行软件的设备呈指数级增长，大量研究正转向基于深度学习模型的新型自主解决方案，这些方案在解决二进制分析问题中展现了最先进的性能。该领域的热点问题之一是二进制相似性，即判断汇编代码中的两个函数是否由同一源代码编译而来。然而，用于二进制相似性的深度学习模型在对抗环境中的表现尚不清楚。本文研究了二进制相似性模型对对抗样本的鲁棒性，结果表明，这些模型易受到黑盒和白盒攻击者实施的有目标与无目标（针对相似性目标）攻击的影响。具体而言，我们针对当前三种最先进的二进制相似性解决方案，广泛测试了两种黑盒贪心攻击（包括一种我们称为空间贪心的新技术）以及一种白盒攻击（其中我们重新利用了一种用于图像分类器攻击的梯度引导策略）。