{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T01:05:34Z","timestamp":1760058334703,"version":"build-2065373602"},"reference-count":101,"publisher":"Association for Computing Machinery (ACM)","issue":"OOPSLA1","license":[{"start":{"date-parts":[[2025,4,9]],"date-time":"2025-04-09T00:00:00Z","timestamp":1744156800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Proc. ACM Program. Lang."],"published-print":{"date-parts":[[2025,4,9]]},"abstract":"<jats:p>It becomes an essential requirement to identify cryptographic functions in binaries due to their widespread application in modern software. The technology fundamentally supports numerous software security analyses, such as malware analysis, blockchain forensics, etc. Unfortunately, the existing methods still struggle to strike a balance between analysis accuracy, efficiency, and code coverage, which hampers their practical application. \n \n In this paper, we propose BinCrypto, a method of emulation-based code similarity analysis on the interval domain, to identify cryptographic functions in binary files. It produces accurate results because it relies on the behavior-related code features collected during emulation. On the other hand, the emulation is performed in a path-insensitive manner, where the emulated values are all represented as intervals. As such, it is able to analyze every basic block only once, accomplishing the identification efficiently, and achieve complete block coverage simultaneously. We conduct the experiments with nine real-world cryptographic libraries. The results show that BinCrypto achieves the average accuracy of 83.2%, nearly twice that of WheresCrypto, the state-of-the-art method. BinCrypto is also able to successfully complete the tasks, including statically-linked library analysis, cross-library analysis, obfuscated code analysis, and malware analysis, demonstrating its potential for practical applications.<\/jats:p>","DOI":"10.1145\/3720415","type":"journal-article","created":{"date-parts":[[2025,4,9]],"date-time":"2025-04-09T13:48:26Z","timestamp":1744206506000},"page":"28-56","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Binary Cryptographic Function Identification via Similarity Analysis with Path-Insensitive Emulation"],"prefix":"10.1145","volume":"9","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-2035-7176","authenticated-orcid":false,"given":"Yikun","family":"Hu","sequence":"first","affiliation":[{"name":"Shanghai Jiao Tong University, Shanghai, China"},{"name":"State Key Laboratory of Cryptology, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-0563-9022","authenticated-orcid":false,"given":"Yituo","family":"He","sequence":"additional","affiliation":[{"name":"Shanghai Jiao Tong University, Shanghai, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0009-9160-3889","authenticated-orcid":false,"given":"Wenyu","family":"He","sequence":"additional","affiliation":[{"name":"Shanghai Jiao Tong University, Shanghai, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-1538-107X","authenticated-orcid":false,"given":"Haoran","family":"Li","sequence":"additional","affiliation":[{"name":"Shanghai Jiao Tong University, Shanghai, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0001-4505-0971","authenticated-orcid":false,"given":"Yubo","family":"Zhao","sequence":"additional","affiliation":[{"name":"Shanghai Jiao Tong University, Shanghai, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0866-0308","authenticated-orcid":false,"given":"Shuai","family":"Wang","sequence":"additional","affiliation":[{"name":"Hong Kong University of Science and Technology, Hong Kong, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0504-9538","authenticated-orcid":false,"given":"Dawu","family":"Gu","sequence":"additional","affiliation":[{"name":"Shanghai Jiao Tong University, Shanghai, China"},{"name":"State Key Laboratory of Cryptology, Beijing, China"}]}],"member":"320","published-online":{"date-parts":[[2025,4,9]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.25148\/etd.fi14051800"},{"key":"e_1_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1007\/s41635-019-00082-w"},{"key":"e_1_2_1_3_1","unstructured":"Luigi Auriemma. 2016. Signsrch 0.2.4. http:\/\/aluigi.altervista.org\/mytoolz.htm Tool searches encryption\/compression algorithms inside files"},{"key":"e_1_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/2897518.2897542"},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1109\/csma.2015.14"},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","unstructured":"Armin Biere Alessandro Cimatti Edmund Clarke and Yunshan Zhu. 1999. Symbolic model checking without BDDs. In Tools and Algorithms for the Construction and Analysis of Systems: 5th International Conference TACAS\u201999 Held as Part of the Joint European Conferences on Theory and Practice of Software ETAPS\u201999 Amsterdam The Netherlands March 22\u201328 1999 Proceedings 5. 193\u2013207. https:\/\/doi.org\/10.21236\/ada360973 10.21236\/ada360973","DOI":"10.21236\/ada360973"},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1109\/sere.2012.13"},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382217"},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/2950290.2950350"},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1109\/12.241594"},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/3405669.3405819"},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354249"},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.4324\/9780203204887_chapter_10"},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","unstructured":"Joan Daemen and Vincent Rijmen. 1999. AES proposal: Rijndael. https:\/\/doi.org\/10.1007\/springerreference_461 10.1007\/springerreference_461","DOI":"10.1007\/springerreference_461"},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.protcy.2013.12.443"},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.14722\/bar.2020.23009"},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/2594291.2594343"},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/2939672.2939719"},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1109\/sp.2019.00003"},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.2172\/5154317"},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23185"},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/3052973.3052995"},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978370"},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1049\/cp.2013.2196"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1007\/springerreference_63978"},{"key":"e_1_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-23644-0_3"},{"key":"e_1_2_1_27_1","unstructured":"Ilfak Guilfanov. 2006. FindCrypt2. https:\/\/hex-rays.com\/blog\/findcrypt2\/ IDA Pro plug-in searches for cryptographic algorithm"},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/3412841.3441910"},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/262004.262005"},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.14722\/bar.2024.23006"},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1109\/tifs.2024.3484944"},{"key":"e_1_2_1_32_1","unstructured":"Hex-rays. 2024. https:\/\/hex-rays.com\/ida-pro\/ A disassembler for computer software which generates assembly language source code from machine-executable code"},{"key":"e_1_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/3596906"},{"key":"e_1_2_1_34_1","doi-asserted-by":"publisher","unstructured":"Yikun Hu Yituo He Wenyu He Haoran Li Yubo Zhao Shuai Wang and Dawu Gu. 2025. Binary Cryptographic Function Identification via Similarity Analysis with Path-insensitive Emulation. https:\/\/doi.org\/10.5281\/zenodo.14943895 10.5281\/zenodo.14943895","DOI":"10.5281\/zenodo.14943895"},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/2635868.2635900"},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICPC.2017.22"},{"key":"e_1_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/3597503.3639100"},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1109\/spro.2015.10"},{"key":"e_1_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1145\/2714576.2714639"},{"key":"e_1_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/3691620.3695070"},{"key":"e_1_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1109\/tdsc.2012.83"},{"key":"e_1_2_1_42_1","doi-asserted-by":"publisher","unstructured":"Yujia Li Daniel Tarlow Marc Brockschmidt and Richard Zemel. 2015. Gated graph sequence neural networks. arXiv preprint arXiv:1511.05493 https:\/\/doi.org\/10.21203\/rs.3.rs-1364332\/v1 10.21203\/rs.3.rs-1364332\/v1","DOI":"10.21203\/rs.3.rs-1364332\/v1"},{"key":"e_1_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1109\/sp40001.2021.00006"},{"key":"e_1_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1145\/3238147.3238199"},{"key":"e_1_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.21236\/ada449077"},{"key":"e_1_2_1_46_1","doi-asserted-by":"publisher","unstructured":"HJ Lu Michael Matz J Hubicka A Jaeger and M Mitchell. 2018. System V application binary interface. AMD64 Architecture Processor Supplement 588\u2013601. https:\/\/doi.org\/10.3403\/00374100u 10.3403\/00374100u","DOI":"10.3403\/00374100u"},{"key":"e_1_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1145\/2635868.2635900"},{"key":"e_1_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1145\/2635868.2635900"},{"key":"e_1_2_1_49_1","doi-asserted-by":"publisher","unstructured":"Zhenhao Luo Pengfei Wang Baosheng Wang Yong Tang Wei Xie Xu Zhou Danjun Liu and Kai Lu. 2023. VulHawk: Cross-architecture Vulnerability Detection with Entropy-based Binary Code Search.. In NDSS. https:\/\/doi.org\/10.14722\/ndss.2023.24415 10.14722\/ndss.2023.24415","DOI":"10.14722\/ndss.2023.24415"},{"key":"e_1_2_1_50_1","doi-asserted-by":"publisher","unstructured":"No\u00e9 Lutz. 2008. Towards revealing attacker\u2019s intent by automatically decrypting network traffic. M\u00e9moire de ma\u0131trise ETH Z\u00fcrich Switzerland https:\/\/doi.org\/10.1016\/s1353-4858(19)30098-4 10.1016\/s1353-4858(19)30098-4","DOI":"10.1016\/s1353-4858(19)30098-4"},{"key":"e_1_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1142\/9789811224317_0003"},{"key":"e_1_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1145\/2714576.2714639"},{"key":"e_1_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2019.00121"},{"key":"e_1_2_1_54_1","unstructured":"Niels M\u00f6ller. 2013. Nettle. https:\/\/www.lysator.liu.se\/ nisse\/nettle A low-level cryptographic library"},{"key":"e_1_2_1_55_1","unstructured":"Mozilla. [n. d.]. Network Security Services (NSS). https:\/\/firefox-source-docs.mozilla.org\/security\/nss\/index.html"},{"key":"e_1_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.1108\/oxan-es272348"},{"key":"e_1_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.7838\/jsebs.2017.22.2.169"},{"key":"e_1_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1109\/tse.2022.3231621"},{"key":"e_1_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.49"},{"key":"e_1_2_1_60_1","unstructured":"POODLE. 2014. CVE-2014-3566. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=cve-2014-3566 Accessed: 2024-01"},{"key":"e_1_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1109\/hcs49909.2020.9220443"},{"key":"e_1_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.21203\/rs.3.rs-4113962\/v1"},{"key":"e_1_2_1_63_1","doi-asserted-by":"publisher","DOI":"10.1145\/1572272.1572287"},{"key":"e_1_2_1_64_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-05446-9_7"},{"key":"e_1_2_1_65_1","doi-asserted-by":"publisher","unstructured":"Nitin Saxena. 2014. Progress on polynomial identity testing-II. Perspectives in Computational Complexity: The Somenath Biswas Anniversary Volume 131\u2013146. https:\/\/doi.org\/10.1007\/978-3-319-05446-9_7 10.1007\/978-3-319-05446-9_7","DOI":"10.1007\/978-3-319-05446-9_7"},{"key":"e_1_2_1_66_1","doi-asserted-by":"publisher","DOI":"10.1109\/spro.2015.16"},{"key":"e_1_2_1_67_1","doi-asserted-by":"publisher","DOI":"10.1145\/322217.322225"},{"key":"e_1_2_1_68_1","doi-asserted-by":"publisher","DOI":"10.13189\/csit.2017.050502"},{"key":"e_1_2_1_69_1","doi-asserted-by":"publisher","DOI":"10.1145\/236114.236115"},{"key":"e_1_2_1_70_1","doi-asserted-by":"publisher","DOI":"10.1145\/3503222.3507744"},{"key":"e_1_2_1_71_1","doi-asserted-by":"publisher","DOI":"10.1145\/567097.567098"},{"key":"e_1_2_1_72_1","doi-asserted-by":"publisher","DOI":"10.5040\/9781350101272.00000005"},{"key":"e_1_2_1_73_1","doi-asserted-by":"publisher","DOI":"10.1016\/0020-0190(90)90109-b"},{"key":"e_1_2_1_74_1","doi-asserted-by":"publisher","DOI":"10.1145\/3650212.3652117"},{"key":"e_1_2_1_75_1","doi-asserted-by":"publisher","DOI":"10.1145\/3569933"},{"key":"e_1_2_1_76_1","doi-asserted-by":"publisher","DOI":"10.1145\/3533767.3534367"},{"key":"e_1_2_1_77_1","unstructured":"Hao Wang Wenjie Qu Gilad Katz Wenyu Zhu Zeyu Gao Han Qiu Jianwei Zhuge and Chao Zhang. 2024. BinaryCorp. https:\/\/github.com\/vul337\/jTrans a dataset for the task of binary code similarity detection"},{"key":"e_1_2_1_78_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2017.23225"},{"key":"e_1_2_1_79_1","doi-asserted-by":"publisher","DOI":"10.14722\/bar.2019.23058"},{"key":"e_1_2_1_80_1","doi-asserted-by":"publisher","DOI":"10.1109\/ase.2017.8115645"},{"key":"e_1_2_1_81_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-04444-1_13"},{"key":"e_1_2_1_82_1","unstructured":"Kevin Weatherman. 2022. Yara for IDA 1.1.0. https:\/\/github.com\/kweatherman\/yara4ida IDA Pro plugin with crypto\/hash\/compression signatures"},{"key":"e_1_2_1_83_1","doi-asserted-by":"publisher","unstructured":"Douglas Brent West et al. 2001. Introduction to graph theory. 2 Prentice hall Upper Saddle River. https:\/\/doi.org\/10.1142\/9789811273117_0001 10.1142\/9789811273117_0001","DOI":"10.1142\/9789811273117_0001"},{"key":"e_1_2_1_84_1","doi-asserted-by":"publisher","DOI":"10.1109\/hpca.2008.4658658"},{"key":"e_1_2_1_85_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243827"},{"key":"e_1_2_1_86_1","doi-asserted-by":"publisher","DOI":"10.1109\/sp.2017.56"},{"key":"e_1_2_1_87_1","doi-asserted-by":"publisher","DOI":"10.1145\/3597926.3598121"},{"key":"e_1_2_1_88_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134018"},{"key":"e_1_2_1_89_1","doi-asserted-by":"publisher","DOI":"10.1145\/3611643.3616301"},{"key":"e_1_2_1_90_1","doi-asserted-by":"publisher","DOI":"10.1109\/tse.2021.3069529"},{"key":"e_1_2_1_91_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.47"},{"key":"e_1_2_1_92_1","doi-asserted-by":"publisher","DOI":"10.1109\/tse.2021.3056139"},{"key":"e_1_2_1_93_1","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v34i01.5466"},{"key":"e_1_2_1_94_1","doi-asserted-by":"publisher","DOI":"10.31274\/td-20240329-185"},{"key":"e_1_2_1_95_1","doi-asserted-by":"publisher","DOI":"10.1109\/ISSRE.2014.18"},{"key":"e_1_2_1_96_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.comcom.2021.03.011"},{"key":"e_1_2_1_97_1","doi-asserted-by":"publisher","DOI":"10.54499\/2020.09139.bd"},{"key":"e_1_2_1_98_1","doi-asserted-by":"publisher","DOI":"10.1109\/sp40001.2021.00051"},{"key":"e_1_2_1_99_1","doi-asserted-by":"publisher","DOI":"10.1145\/3640337"},{"key":"e_1_2_1_100_1","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-09519-5_73"},{"key":"e_1_2_1_101_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23492"}],"container-title":["Proceedings of the ACM on Programming Languages"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3720415","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3720415","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,9]],"date-time":"2025-10-09T17:07:06Z","timestamp":1760029626000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3720415"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,4,9]]},"references-count":101,"journal-issue":{"issue":"OOPSLA1","published-print":{"date-parts":[[2025,4,9]]}},"alternative-id":["10.1145\/3720415"],"URL":"https:\/\/doi.org\/10.1145\/3720415","relation":{},"ISSN":["2475-1421"],"issn-type":[{"type":"electronic","value":"2475-1421"}],"subject":[],"published":{"date-parts":[[2025,4,9]]},"assertion":[{"value":"2024-10-13","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-02-18","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-04-09","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}