Enhancing Semantic-Aware Binary Diffing with High-Confidence Dynamic Instruction Alignment

Chengfeng Ye

Network and Distributed System Security (NDSS) Symposium 2026 · Day 2 · Malware & RE

Chengfeng Ye presents a technique for improving **binary diffing** accuracy by using **dynamic forced execution** to identify high-confidence instruction alignments (anchor points) between two binary versions. Binary diffing -- locating similar and different parts between two binaries -- is essential for vulnerability analysis, allowing researchers to understand patches and identify the underlying bugs. Modern binary diffing tools like **DeepBinDiff** and **SigmaDiff** use a "neighborhood consensus" approach where confidently matched instructions (anchor points) guide the matching of remaining instructions. The key finding: by identifying **24% more anchor points** with equivalent or higher accuracy, the technique improves the F1 score of existing tools by **3 to 40 percentage points** across cross-version, cross-optimization, cross-compiler, cross-architecture, and cross-obfuscation scenarios, with only **1.6-3.2%** additional runtime overhead.
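To make the anchor-point mechanism concrete, here is an added toy model (not the paper's code, and not DeepBinDiff's or SigmaDiff's implementation). Two constructed "binaries" are written in a tiny SSA-style register IR: version A computes 3*a the way a compiler emits an lea (shift plus add), version B uses a multiply. Forced execution over a fixed set of input vectors turns each instruction into a value trace; a trace that is unique in both programs is an anchor, and a simple neighbourhood-consensus pass then resolves instructions whose traces are ambiguous. Assumptions that are mine rather than the paper's: the IR and opcodes, the def-use neighbourhood as a stand-in for the CFG neighbourhood, the uniqueness rule for anchors, and a mnemonic-based baseline for contrast. Prioritized path sampling and reduced CFG isomorphism from the talk are not modelled.

```python
"""Toy anchor-point binary diffing driven by forced execution (illustrative, not the paper's code)."""
from typing import Dict, List, Set, Tuple

Instr = Tuple[str, str, Tuple]  # (dst_register, opcode, operands); operands are registers or immediates

# Constructed inputs. Version A: 3*a via shl+add (lea-style); version B: 3*a via mul.
PROG_A: List[Instr] = [
    ("a",  "input", (0,)),
    ("b",  "input", (1,)),
    ("t1", "shl",   ("a", 1)),      # 2a: has no counterpart in B
    ("t2", "add",   ("t1", "a")),   # 3a
    ("k1", "const", (7,)),
    ("u",  "add",   ("t2", "k1")),  # 3a + 7
    ("k2", "const", (7,)),          # same value trace as k1: ambiguous on its own
    ("t3", "mul",   ("b", "k2")),   # 7b
    ("r",  "add",   ("u", "t3")),
]
PROG_B: List[Instr] = [
    ("a",  "input", (0,)),
    ("b",  "input", (1,)),
    ("m",  "mul",   ("a", 3)),      # 3a, different instruction selection
    ("k1", "const", (7,)),
    ("u",  "add",   ("m", "k1")),
    ("k2", "const", (7,)),
    ("t3", "mul",   ("b", "k2")),
    ("r",  "add",   ("u", "t3")),
]
# Forced inputs (constructed): every instruction is executed on each vector regardless of control flow.
FORCED_INPUTS = [(1, 2), (5, 11), (100, 3)]


def execute(prog: List[Instr], inputs: Tuple[int, int]) -> Dict[str, int]:
    """Run one straight-line program on one input vector; return register -> 32-bit value."""
    regs: Dict[str, int] = {}
    for dst, op, args in prog:
        v = [regs[x] if isinstance(x, str) else x for x in args]
        if op == "input":
            regs[dst] = inputs[v[0]]
        elif op == "const":
            regs[dst] = v[0]
        elif op == "add":
            regs[dst] = (v[0] + v[1]) & 0xFFFFFFFF
        elif op == "mul":
            regs[dst] = (v[0] * v[1]) & 0xFFFFFFFF
        elif op == "shl":
            regs[dst] = (v[0] << v[1]) & 0xFFFFFFFF
        else:
            raise ValueError(f"unknown opcode {op}")
    return regs


def semantic_signatures(prog: List[Instr]) -> list:
    """Compiler-robust feature: the tuple of values an instruction produced across all forced runs."""
    runs = [execute(prog, inp) for inp in FORCED_INPUTS]
    return [tuple(r[dst] for r in runs) for dst, _, _ in prog]


def syntactic_signatures(prog: List[Instr]) -> list:
    """Baseline feature: opcode plus immediates, roughly what a mnemonic-based differ sees."""
    return [(op, tuple(x for x in args if not isinstance(x, str))) for _, op, args in prog]


def anchors(sig_a: list, sig_b: list) -> Dict[int, int]:
    """High-confidence pairs: a feature value that occurs exactly once in each binary."""
    def uniques(sigs: list) -> Dict[tuple, int]:
        return {s: i for i, s in enumerate(sigs) if sigs.count(s) == 1}
    ua, ub = uniques(sig_a), uniques(sig_b)
    return {ua[s]: ub[s] for s in ua if s in ub}


def neighbors(prog: List[Instr], i: int) -> Set[int]:
    """Def-use neighbourhood: producers of i's register operands and consumers of its result."""
    defs = {dst: k for k, (dst, _, _) in enumerate(prog)}
    dst, _, args = prog[i]
    n = {defs[x] for x in args if isinstance(x, str)}
    n |= {k for k, (_, _, kargs) in enumerate(prog) if dst in kargs}
    return n


def neighborhood_consensus(prog_a, prog_b, sig_a, sig_b, matched: Dict[int, int]) -> Dict[int, int]:
    """Grow the anchor set: an unmatched instruction takes the same-feature candidate
    whose neighbourhood already contains a matched pair, iterating to a fixpoint."""
    matched = dict(matched)
    changed = True
    while changed:
        changed = False
        for i in range(len(prog_a)):
            if i in matched:
                continue
            taken = set(matched.values())
            cands = [j for j in range(len(prog_b)) if j not in taken and sig_b[j] == sig_a[i]]
            supported = [j for j in cands
                         if any(matched.get(ni) in neighbors(prog_b, j) for ni in neighbors(prog_a, i))]
            if len(supported) == 1:  # exactly one candidate is corroborated by the neighbourhood
                matched[i] = supported[0]
                changed = True
    return matched


def diff(prog_a, prog_b, features) -> Tuple[Dict[int, int], Dict[int, int]]:
    """Return (anchor pairs, pairs after neighbourhood consensus) for a given feature extractor."""
    sig_a, sig_b = features(prog_a), features(prog_b)
    anc = anchors(sig_a, sig_b)
    return anc, neighborhood_consensus(prog_a, prog_b, sig_a, sig_b, anc)


if __name__ == "__main__":
    for name, feat in (("semantic", semantic_signatures), ("syntactic", syntactic_signatures)):
        anc, full = diff(PROG_A, PROG_B, feat)
        print(f"{name}: {len(anc)} anchors, {len(full)} matched after consensus, "
              f"shl+add<->mul matched: {full.get(3) == 2}")
```

With value traces, six of the eight matchable instructions are anchors and the shl+add pair aligns with the mul; the two `const 7` instructions are then disambiguated because each sits next to an anchored consumer. With mnemonic features only three anchors survive and the 3*a computation never matches, which is the gap that more high-confidence anchors are meant to close.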

AI review

A practical improvement to binary diffing that actually matters for vulnerability research. Using dynamic forced execution to generate compiler-robust instruction features, then prioritized path sampling to handle path explosion, and reduced CFG isomorphism to resolve ambiguities -- this produces 24% more anchor points and a 3 to 40 point F1 improvement across real scenarios including cross-architecture and cross-obfuscation. The 1.6-3.2% overhead makes this immediately integrable into existing tools.
