- The paper introduces a novel control block matching approach that effectively maps source functions to binaries while handling compiler optimizations and inlining.
- It extracts hierarchical control blocks and employs cosine similarity on normalized feature vectors to achieve robust cross-domain alignment.
- Empirical evaluation on 3,904 binaries demonstrates high recall, scalability, and enhanced vulnerability detection compared to existing methods.
Function Similarity Detection via Cross-Domain Control Block Matching
Effective identification of function-level similarities between source code and binaries is central for static vulnerability analysis, software supply chain assurance, and license compliance. Compilation-induced transformations, including symbol stripping, architecture/compiler variability, and function inlining, introduce non-trivial challenges for source-to-binary matching. The paper "SBridge: Identifying Source-to-Binary Function Similarity via Cross-Domain Control Block Matching" (2606.28058) defines and systematically addresses these obstacles with a novel cross-domain abstraction.
Figure 1: Three major challenges in matching source code and binaries; highlighting context loss, architecture-compiler variability, and function inlining.
Conventional approaches either rely on string literals or structural function-level features, with limited resilience to compiler-induced perturbations and optimizations—especially when multiple source functions are merged into single binary functions via inlining. Attempts at source-to-source matching with decompiled binaries suffer from syntactic misalignments, making function mapping unreliable.
SBridge Design and Methodology
The core of SBridge is a function similarity measure predicated on control block matching. A control block abstracts distinct code units—such as conditional, loop, and call structures—obtained from both source and binary (decompiled) functions. By segmenting functions into semantically meaningful blocks and normalizing representations (e.g., replacing literals and variable names, canonicalizing character formats), SBridge achieves robust cross-domain alignment.
Figure 2: Overview of SBridge depicting three phases: control block extraction, block similarity measurement, and block-based function matching.
Control blocks are classified into seven categories: conditions, else-conditions, loops, string literals, library function calls, user-defined function calls, and recursive function calls. Extraction is hierarchical for handling nested constructs; block features are encoded in vectors comprising variable usage, operator categories, function call types, string/numeric content, and dynamic features. For internal branching blocks (condition, else, loop), block similarity is computed using cosine similarity on normalized feature vectors.
Figure 3: Flow of internal branching block vector extraction and similarity comparison for the example code, showing the vectorization and similarity calculation process.
For blocks with short feature spans (external branching and string blocks), similarity is determined categorically (exact/partial/no match). Each source block is matched to a unique binary block, and function similarity is quantified as the ratio of matched blocks over total source blocks, further modulated by a length-based weighting to account for inlining: when substantial block count discrepancies are observed due to inlining, the weighting mitigates penalization if the source is still fully contained within the binary.
Empirical Evaluation and Results
Experiments were conducted on 3,904 real-world C/C++ binaries compiled under a matrix of architectures, compilers, optimization levels, and symbol management options using BinKit benchmarks. SBridge was evaluated against MRT-OAST (AST-based deep learning clone detection) and BinaryAI (AI-driven binary-source SCA), measuring Recall@1, Recall@5, and MRR.
SBridge attains Recall@1 of 75.13% and Recall@5 of 80.98%, significantly surpassing BinaryAI (43.31% Recall@1) and MRT-OAST (12.06% Recall@1). Under aggressive function inlining (-O2 optimization) and strip symbol removal, SBridge maintains Recall@1/Recall@5 in the [52.84%, 64.41%] / [65.93%, 76.13%] interval when inlining affects ~50% of functions, with existing methods dropping below 1% accuracy for inlined functions.



Figure 4: Architecture-wise Recall@1 results, with SBridge consistently outperforming baselines.


Figure 5: Optimization-level Recall@1, evidencing robustness of SBridge to function inlining and compiler transformations.
The approach exhibits practical scalability, with median function matching times under 1 s and 96.8% of cases completing in less than 10 s per source function.

Figure 6: Experimental results for θb​ sensitivity; Unique@1 assesses tie rates in top-1 matching, demonstrating high selectivity at recommended thresholds.
Application to Vulnerability Detection
SBridge's fine-grained matching enables effective propagated vulnerability detection in downstream binaries. When applied to 1-day vulnerability scenarios across OSS packages (tcpdump, OpenSSL, LibXML2, FFmpeg), SBridge achieves higher F1 scores and recall relative to IR-based patch presence testers (e.g., React), especially under heavy symbol stripping and inlining. The technique identifies previously undetectable vulnerabilities in binaries lacking direct function name alignment.
Implications and Future Directions
By leveraging control block abstraction, SBridge establishes a robust road to function similarity measurement across domains impacted by compiler, architecture, and symbol variability. The empirical results underscore the method’s capability to handle inlining, stripped binaries, and cross-compiler inconsistencies without resorting to coarse-grained features or unreliable syntactic matching. Practically, SBridge is applicable to large-scale static analysis, supply chain auditing, and vulnerability management workflows.
On the theoretical front, the notion of semantically congruent control blocks may serve as a foundation for further cross-domain analysis, possibly integrating IR or dataflow features for increased recall in extreme compilation cases. Combining SBridge-style block normalization with deep semantic representation learning could yield advanced models for binary-source similarity detection.
Conclusion
SBridge introduces control block–based function similarity as a principled source-to-binary bridge, providing a scalable and accurate mechanism for function-level mapping even under challenging compiler optimizations and symbol eliminations. Its high recall for inlined and stripped functions, efficient runtime characteristics, and efficacy in vulnerability detection position SBridge as a practical choice for binary analysis in security and software supply chain domains. Future advancements may entail integration with semantic representations and exploration of hybrid block-level and IR-level matching for further robustness.