Kalinin Maxim, Gribkov Nikita
Institute of Computer Science and Cybersecurity, Peter the Great St. Petersburg Polytechnic University, 29 Polytekhnicheskaya ul., 195251 St. Petersburg, Russia.
Sensors (Basel). 2024 Nov 13;24(22):7251. doi: 10.3390/s24227251.
This paper addresses the problem of IoT security caused by code cloning when developing a massive variety of different smart devices. A clone detection method is proposed to identify clone-caused vulnerabilities in IoT software. A hybrid solution combines syntactic and semantic analyses of the code. Based on the recovered code, an attributed abstract syntax tree is constructed for each code fragment. All nodes of the commonly used abstract syntax tree are proposed to be weighted with semantic attribute vectors. Each attributed tree is then encoded as a semantic vector using a Deep Graph Neural Network. Two graph networks are combined into a Siamese neural model, allowing training to generate semantic vectors and compare vector pairs within each training epoch. Semantic analysis is also applied to clones with low similarity metric values. This allows one to correct the similarity decision in the case of incorrect matching of functions at the syntactic level. To automate the search for clones, the BinDiff algorithm is added in the first stage to accurately select clone candidates. This has a positive impact on the ability to apply the proposed method to large sets of binary code. In an experimental study, the developed method, compared to the BinDiff, Gemini, and Asteria tools, has demonstrated the highest efficiency.