{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,11]],"date-time":"2026-04-11T02:22:16Z","timestamp":1775874136777,"version":"3.50.1"},"reference-count":56,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2023,12,23]],"date-time":"2023-12-23T00:00:00Z","timestamp":1703289600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"National Key Research and Development Program of China","award":["2022YFB3103904"],"award-info":[{"award-number":["2022YFB3103904"]}]},{"DOI":"10.13039\/100007515","name":"National Natural Science Youth Foundation","doi-asserted-by":"crossref","award":["62002342"],"award-info":[{"award-number":["62002342"]}],"id":[{"id":"10.13039\/100007515","id-type":"DOI","asserted-by":"crossref"}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"crossref","award":["61931019"],"award-info":[{"award-number":["61931019"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Softw. Eng. Methodol."],"published-print":{"date-parts":[[2024,2,29]]},"abstract":"<jats:p>Third-party libraries (TPLs) are extensively utilized by developers to expedite the software development process and incorporate external functionalities. Nevertheless, insecure TPL reuse can lead to significant security risks. Existing methods, which involve extracting strings or conducting function matching, are employed to determine the presence of TPL code in the target binary. However, these methods often yield unsatisfactory results due to the recurrence of strings and the presence of numerous similar non-homologous functions. 
Furthermore, the variation in C\/C++ binaries across different optimization options and architectures exacerbates the problem. Additionally, existing approaches struggle to identify specific pieces of reused code in the target binary, complicating the detection of complex reuse relationships and impeding downstream tasks. And, we call this issue the poor interpretability of TPL detection results.<\/jats:p>\n          <jats:p>\n            In this article, we observe that TPL reuse typically involves not just isolated functions but also areas encompassing several adjacent functions on the Function Call Graph (FCG). We introduce LibAM, a novel Area Matching framework that connects isolated functions into function areas on FCG and detects TPLs by comparing the similarity of these function areas, significantly mitigating the impact of different optimization options and architectures. Furthermore, LibAM is the first approach capable of detecting the exact reuse areas on FCG and offering substantial benefits for downstream tasks. To validate our approach, we compile the first TPL detection dataset for C\/C++ binaries across various optimization options and architectures. Experimental results demonstrate that LibAM outperforms all existing TPL detection methods and provides interpretable evidence for TPL detection results by identifying exact reuse areas. We also evaluate LibAM\u2019s scalability on large-scale, real-world binaries in IoT firmware and generate a list of potential vulnerabilities for these devices. Our experiments indicate that the Area Matching framework performs exceptionally well in the TPL detection task and holds promise for other binary similarity analysis tasks. Last but not least, by analyzing the detection results of IoT firmware, we make several interesting findings, for instance, different target binaries always tend to reuse the same code area of TPL. 
The datasets and source code used in this article are available at\n            <jats:ext-link xmlns:xlink=\"http:\/\/www.w3.org\/1999\/xlink\" xlink:href=\"https:\/\/github.com\/Siyuan-Li201\/LibAM\">https:\/\/github.com\/Siyuan-Li201\/LibAM<\/jats:ext-link>\n            .\n          <\/jats:p>","DOI":"10.1145\/3625294","type":"journal-article","created":{"date-parts":[[2023,9,26]],"date-time":"2023-09-26T08:03:11Z","timestamp":1695715391000},"page":"1-35","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":18,"title":["LibAM: An Area Matching Framework for Detecting Third-Party Libraries in Binaries"],"prefix":"10.1145","volume":"33","author":[{"ORCID":"https:\/\/orcid.org\/0009-0004-4096-1209","authenticated-orcid":false,"given":"Siyuan","family":"Li","sequence":"first","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences and School of Cyber Security, University of Chinese Academy of Sciences, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-7909-2576","authenticated-orcid":false,"given":"Yongpan","family":"Wang","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences and School of Cyber Security, University of Chinese Academy of Sciences, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0000-4729-7778","authenticated-orcid":false,"given":"Chaopeng","family":"Dong","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences and School of Cyber Security, University of Chinese Academy of Sciences, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4385-8261","authenticated-orcid":false,"given":"Shouguo","family":"Yang","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences and School of Cyber Security, University of Chinese Academy of Sciences, 
China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1353-7838","authenticated-orcid":false,"given":"Hong","family":"Li","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences and School of Cyber Security, University of Chinese Academy of Sciences, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6900-0672","authenticated-orcid":false,"given":"Hao","family":"Sun","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences and School of Cyber Security, University of Chinese Academy of Sciences, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9915-8312","authenticated-orcid":false,"given":"Zhe","family":"Lang","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences and School of Cyber Security, University of Chinese Academy of Sciences, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0008-8051-9705","authenticated-orcid":false,"given":"Zuxin","family":"Chen","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences and School of Cyber Security, University of Chinese Academy of Sciences, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6445-1746","authenticated-orcid":false,"given":"Weijie","family":"Wang","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences and School of Cyber Security, University of Chinese Academy of Sciences, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3720-7403","authenticated-orcid":false,"given":"Hongsong","family":"Zhu","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences and School of Cyber Security, University of Chinese Academy of Sciences, 
China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2745-7521","authenticated-orcid":false,"given":"Limin","family":"Sun","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences and School of Cyber Security, University of Chinese Academy of Sciences, China"}]}],"member":"320","published-online":{"date-parts":[[2023,12,23]]},"reference":[{"key":"e_1_3_1_2_2","unstructured":"2023. conan. (2023). Retrieved from https:\/\/conan.io\/"},{"key":"e_1_3_1_3_2","unstructured":"2023. Vcpkg. (2023). Retrieved from https:\/\/vcpkg.io\/"},{"key":"e_1_3_1_4_2","unstructured":"2023. github. (2023). Retrieved from https:\/\/github.com\/"},{"key":"e_1_3_1_5_2","unstructured":"2023. Sourceforge. (2023). Retrieved from https:\/\/sourceforge.net\/"},{"key":"e_1_3_1_6_2","article-title":"Research on third-party libraries in android apps: A taxonomy and systematic literature review","author":"Zhan Xian","year":"2021","unstructured":"Xian Zhan, Tianming Liu, Lingling Fan, Li Li, Sen Chen, Xiapu Luo, and Yang Liu. 2021. Research on third-party libraries in android apps: A taxonomy and systematic literature review. IEEE Transactions on Software Engineering 48, 10 (2021), 4181--4213.","journal-title":"IEEE Transactions on Software Engineering"},{"key":"e_1_3_1_7_2","unstructured":"Synopsys. 2022. Synopsys 2022 open source security and risk analysis report. (2022). Retrieved from https:\/\/www.synopsys.com\/software-integrity\/resources\/analyst-reports\/open-source-security-risk-analysis.html"},{"key":"e_1_3_1_8_2","unstructured":"2009. Cisco settles FSF GPL lawsuit. (2009). Retrieved from http:\/\/arstechnica.com\/information-technology\/2009\/05\/cisco-settles-fsf-gpl-lawsuit-appoints-compliance-officer"},{"key":"e_1_3_1_9_2","unstructured":"2015. VMware sued for failure to comply with Linux license. (2015). 
Retrieved from https:\/\/www.zdnet.com\/article\/vmware-sued-for-failure-to-comply-with-linuxs-license\/"},{"key":"e_1_3_1_10_2","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134048"},{"key":"e_1_3_1_11_2","doi-asserted-by":"publisher","DOI":"10.1145\/3533767.3534366"},{"key":"e_1_3_1_12_2","unstructured":"2023. CVE. (2023). Retrieved from https:\/\/cve.mitre.org\/"},{"key":"e_1_3_1_13_2","unstructured":"2023. NVD. (2023). Retrieved from https:\/\/nvd.nist.gov\/"},{"key":"e_1_3_1_14_2","doi-asserted-by":"publisher","DOI":"10.1145\/2889160.2889178"},{"key":"e_1_3_1_15_2","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978333"},{"key":"e_1_3_1_16_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2017.38"},{"key":"e_1_3_1_17_2","doi-asserted-by":"publisher","DOI":"10.1109\/SANER.2018.8330204"},{"key":"e_1_3_1_18_2","doi-asserted-by":"publisher","DOI":"10.1145\/3293882.3330563"},{"key":"e_1_3_1_19_2","doi-asserted-by":"publisher","DOI":"10.1145\/3324884.3416582"},{"key":"e_1_3_1_20_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE43902.2021.00150"},{"key":"e_1_3_1_21_2","doi-asserted-by":"publisher","DOI":"10.1145\/1985441.1985453"},{"key":"e_1_3_1_22_2","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2019.00100"},{"key":"e_1_3_1_23_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE43902.2021.00084"},{"key":"e_1_3_1_24_2","doi-asserted-by":"publisher","DOI":"10.1109\/SANER48275.2020.9054845"},{"key":"e_1_3_1_25_2","doi-asserted-by":"publisher","DOI":"10.1145\/3524842.3528442"},{"key":"e_1_3_1_26_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE43902.2021.00083"},{"key":"e_1_3_1_27_2","doi-asserted-by":"publisher","DOI":"10.1145\/3486860"},{"key":"e_1_3_1_28_2","doi-asserted-by":"publisher","DOI":"10.1145\/3446371"},{"key":"e_1_3_1_29_2","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510627"},{"issue":"1","key":"e_1_3_1_30_2","first-page":"2","article-title":"Overview of the RANSAC algorithm","volume":"4","author":"Derpanis 
Konstantinos G.","year":"2010","unstructured":"Konstantinos G. Derpanis. 2010. Overview of the RANSAC algorithm. Image Rochester NY 4, 1 (2010), 2\u20133.","journal-title":"Image Rochester NY"},{"key":"e_1_3_1_31_2","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134018"},{"key":"e_1_3_1_32_2","unstructured":"2023. IDA Pro. (2023). Retrieved from https:\/\/hex-rays.com\/IDA-pro\/"},{"key":"e_1_3_1_33_2","unstructured":"2023. annoy. (2023). Retrieved from https:\/\/github.com\/spotify\/annoy"},{"key":"e_1_3_1_34_2","doi-asserted-by":"publisher","DOI":"10.1145\/3269206.3271788"},{"key":"e_1_3_1_35_2","doi-asserted-by":"publisher","DOI":"10.1109\/TPAMI.2012.257"},{"key":"e_1_3_1_36_2","article-title":"The Research of Line Matching Algorithm Under the Improved Homograph Matrix Constraint Condition","author":"Wang Weixi","year":"2012","unstructured":"Weixi Wang. 2012. The Research of Line Matching Algorithm Under the Improved Homograph Matrix Constraint Condition. The International Archives of the Photogrammetry, Remote Sensing and Spatical Information Sciences, XXXIX-B3 (2012), 345--350.","journal-title":"The International Archives of the Photogrammetry, Remote Sensing and Spatical Information Sciences"},{"key":"e_1_3_1_37_2","unstructured":"2023. Binwalk. (2023). Retrieved from https:\/\/www.kali.org\/tools\/binwalk\/"},{"key":"e_1_3_1_38_2","unstructured":"Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis"},{"key":"e_1_3_1_39_2","first-page":"887","volume-title":"Proceedings of the 27th USENIX Security Symposium (USENIX Security 18)","author":"Zhang Hang","year":"2018","unstructured":"Hang Zhang and Zhiyun Qian. 2018. Precise and accurate patch presence test for binaries. In Proceedings of the 27th USENIX Security Symposium (USENIX Security 18). 
887\u2013902."},{"key":"e_1_3_1_40_2","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417240"},{"key":"e_1_3_1_41_2","doi-asserted-by":"publisher","DOI":"10.1145\/3052973.3052995"},{"key":"e_1_3_1_42_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.49"},{"key":"e_1_3_1_43_2","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484593"},{"key":"e_1_3_1_44_2","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484587"},{"key":"e_1_3_1_45_2","first-page":"1165","volume-title":"Proceedings of the 29th USENIX Security Symposium (USENIX Security 20)","unstructured":"Yang Xiao, Bihuan Chen, Chendong Yu, Zhengzi Xu, Zimu Yuan, Feng Li, Binghong Liu, Yang Liu, Wei Huo, Wei Zou, and Wenchang Shi. 2020. MVP: Detecting Vulnerabilities using Patch-Enhanced Vulnerability Signatures. In Proceedings of the 29th USENIX Security Symposium (USENIX Security 20). 1165\u20131182."},{"key":"e_1_3_1_46_2","first-page":"253","volume-title":"Proceedings of the 26th USENIX Security Symposium (USENIX Security 17)","author":"Ming Jiang","year":"2017","unstructured":"Jiang Ming, Dongpeng Xu, Yufei Jiang, and Dinghao Wu. 2017. BinSim: Trace-based Semantic Binary Diffing via System Call Sliced Segment Equivalence Checking. In Proceedings of the 26th USENIX Security Symposium (USENIX Security 17). 
253\u2013270."},{"key":"e_1_3_1_47_2","doi-asserted-by":"publisher","DOI":"10.1145\/3395363.3397361"},{"key":"e_1_3_1_48_2","doi-asserted-by":"publisher","DOI":"10.1145\/3062341.3062387"},{"key":"e_1_3_1_49_2","doi-asserted-by":"publisher","DOI":"10.1109\/SANER50967.2021.00028"},{"key":"e_1_3_1_50_2","doi-asserted-by":"publisher","DOI":"10.1145\/2950290.2950350"},{"key":"e_1_3_1_51_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58951-6_15"},{"key":"e_1_3_1_52_2","article-title":"Neural code comprehension: A learnable representation of code semantics","author":"Ben-Nun Tal","year":"2018","unstructured":"Tal Ben-Nun, Alice Shoshana Jakobovits, and Torsten Hoefler. 2018. Neural code comprehension: A learnable representation of code semantics. Advances in Neural Information Processing Systems 31 (2018), 3589--3601.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_1_53_2","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134018"},{"key":"e_1_3_1_54_2","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v34i01.5466"},{"key":"e_1_3_1_55_2","unstructured":"Zhenhao Luo Pengfei Wang Baosheng Wang Yong Tang Wei Xie Xu Zhou Danjun Liu and Kai Lu. 2023. VulHawk: Cross-architecture vulnerability detection with entropy-based binary code search. 
NDSS."},{"key":"e_1_3_1_56_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-22038-9_15"},{"key":"e_1_3_1_57_2","doi-asserted-by":"publisher","DOI":"10.1145\/3197231.3197248"}],"container-title":["ACM Transactions on Software Engineering and Methodology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3625294","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3625294","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T16:36:32Z","timestamp":1750178192000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3625294"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,12,23]]},"references-count":56,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2024,2,29]]}},"alternative-id":["10.1145\/3625294"],"URL":"https:\/\/doi.org\/10.1145\/3625294","relation":{},"ISSN":["1049-331X","1557-7392"],"issn-type":[{"value":"1049-331X","type":"print"},{"value":"1557-7392","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,12,23]]},"assertion":[{"value":"2023-05-16","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-09-09","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-12-23","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}