Papers
Topics
Authors
Recent
Search
2000 character limit reached

SBridge: Identifying Source-to-Binary Function Similarity via Cross-Domain Control Block Matching

Published 26 Jun 2026 in cs.SE | (2606.28058v1)

Abstract: We present SBridge, a precise approach for identifying functions in binaries that are similar to the given source code functions. Identifying reused code in binaries is critical for security, particularly for detecting propagated vulnerabilities. Although binary-to-binary comparison is feasible, leveraging source code as the reference is more practical because source code is easier to collect and analyze directly without compilation. However, significant gaps between source and binary representations, including function inlining, create challenges in cross-domain function detection. Existing approaches primarily rely on string literals or structural similarities between entire functions, failing to capture detailed code behavior and generating many false alarms. SBridge addresses these limitations through a key innovation: control block-based function matching, which encapsulates essential functional features by segmenting functions into meaningful units such as conditionals and loops. Leveraging control blocks as a cross-domain representation, SBridge enables precise measurement of function similarity between source and binary code, effectively overcoming challenges posed by function inlining and stripped binaries. For evaluation, we collected 3,904 real-world C/C++ binaries from BinKit. In experiments identifying binary functions identical to input source functions, despite approximately 40% of binary functions being inlined, SBridge achieved 75.13% recall@1 and 80.98% recall@5, outperforming existing approaches, which achieved up to 43.31% recall@1 and 50.2% recall@

Summary

  • The paper introduces a novel control block matching approach that effectively maps source functions to binaries while handling compiler optimizations and inlining.
  • It extracts hierarchical control blocks and employs cosine similarity on normalized feature vectors to achieve robust cross-domain alignment.
  • Empirical evaluation on 3,904 binaries demonstrates high recall, scalability, and enhanced vulnerability detection compared to existing methods.

Function Similarity Detection via Cross-Domain Control Block Matching

Problem Formulation and Motivation

Effective identification of function-level similarities between source code and binaries is central for static vulnerability analysis, software supply chain assurance, and license compliance. Compilation-induced transformations, including symbol stripping, architecture/compiler variability, and function inlining, introduce non-trivial challenges for source-to-binary matching. The paper "SBridge: Identifying Source-to-Binary Function Similarity via Cross-Domain Control Block Matching" (2606.28058) defines and systematically addresses these obstacles with a novel cross-domain abstraction. Figure 1

Figure 1: Three major challenges in matching source code and binaries; highlighting context loss, architecture-compiler variability, and function inlining.

Conventional approaches either rely on string literals or structural function-level features, with limited resilience to compiler-induced perturbations and optimizations—especially when multiple source functions are merged into single binary functions via inlining. Attempts at source-to-source matching with decompiled binaries suffer from syntactic misalignments, making function mapping unreliable.

SBridge Design and Methodology

The core of SBridge is a function similarity measure predicated on control block matching. A control block abstracts distinct code units—such as conditional, loop, and call structures—obtained from both source and binary (decompiled) functions. By segmenting functions into semantically meaningful blocks and normalizing representations (e.g., replacing literals and variable names, canonicalizing character formats), SBridge achieves robust cross-domain alignment. Figure 2

Figure 2: Overview of SBridge depicting three phases: control block extraction, block similarity measurement, and block-based function matching.

Control blocks are classified into seven categories: conditions, else-conditions, loops, string literals, library function calls, user-defined function calls, and recursive function calls. Extraction is hierarchical for handling nested constructs; block features are encoded in vectors comprising variable usage, operator categories, function call types, string/numeric content, and dynamic features. For internal branching blocks (condition, else, loop), block similarity is computed using cosine similarity on normalized feature vectors. Figure 3

Figure 3: Flow of internal branching block vector extraction and similarity comparison for the example code, showing the vectorization and similarity calculation process.

For blocks with short feature spans (external branching and string blocks), similarity is determined categorically (exact/partial/no match). Each source block is matched to a unique binary block, and function similarity is quantified as the ratio of matched blocks over total source blocks, further modulated by a length-based weighting to account for inlining: when substantial block count discrepancies are observed due to inlining, the weighting mitigates penalization if the source is still fully contained within the binary.

Empirical Evaluation and Results

Experiments were conducted on 3,904 real-world C/C++ binaries compiled under a matrix of architectures, compilers, optimization levels, and symbol management options using BinKit benchmarks. SBridge was evaluated against MRT-OAST (AST-based deep learning clone detection) and BinaryAI (AI-driven binary-source SCA), measuring Recall@1, Recall@5, and MRR.

SBridge attains Recall@1 of 75.13% and Recall@5 of 80.98%, significantly surpassing BinaryAI (43.31% Recall@1) and MRT-OAST (12.06% Recall@1). Under aggressive function inlining (-O2 optimization) and strip symbol removal, SBridge maintains Recall@1/Recall@5 in the [52.84%, 64.41%] / [65.93%, 76.13%] interval when inlining affects ~50% of functions, with existing methods dropping below 1% accuracy for inlined functions. Figure 4

Figure 4

Figure 4

Figure 4

Figure 4: Architecture-wise Recall@1 results, with SBridge consistently outperforming baselines.

Figure 5

Figure 5

Figure 5

Figure 5

Figure 5: Optimization-level Recall@1, evidencing robustness of SBridge to function inlining and compiler transformations.

The approach exhibits practical scalability, with median function matching times under 1 s and 96.8% of cases completing in less than 10 s per source function. Figure 6

Figure 6

Figure 6: Experimental results for θb\theta_b sensitivity; Unique@1 assesses tie rates in top-1 matching, demonstrating high selectivity at recommended thresholds.

Application to Vulnerability Detection

SBridge's fine-grained matching enables effective propagated vulnerability detection in downstream binaries. When applied to 1-day vulnerability scenarios across OSS packages (tcpdump, OpenSSL, LibXML2, FFmpeg), SBridge achieves higher F1 scores and recall relative to IR-based patch presence testers (e.g., React), especially under heavy symbol stripping and inlining. The technique identifies previously undetectable vulnerabilities in binaries lacking direct function name alignment.

Implications and Future Directions

By leveraging control block abstraction, SBridge establishes a robust road to function similarity measurement across domains impacted by compiler, architecture, and symbol variability. The empirical results underscore the method’s capability to handle inlining, stripped binaries, and cross-compiler inconsistencies without resorting to coarse-grained features or unreliable syntactic matching. Practically, SBridge is applicable to large-scale static analysis, supply chain auditing, and vulnerability management workflows.

On the theoretical front, the notion of semantically congruent control blocks may serve as a foundation for further cross-domain analysis, possibly integrating IR or dataflow features for increased recall in extreme compilation cases. Combining SBridge-style block normalization with deep semantic representation learning could yield advanced models for binary-source similarity detection.

Conclusion

SBridge introduces control block–based function similarity as a principled source-to-binary bridge, providing a scalable and accurate mechanism for function-level mapping even under challenging compiler optimizations and symbol eliminations. Its high recall for inlined and stripped functions, efficient runtime characteristics, and efficacy in vulnerability detection position SBridge as a practical choice for binary analysis in security and software supply chain domains. Future advancements may entail integration with semantic representations and exploration of hybrid block-level and IR-level matching for further robustness.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 1 tweet with 2 likes about this paper.