On the Precision of Dynamic Program Fingerprints Based on Performance Counters

Research output: Contribution to book/Conference proceedings/Anthology/ReportConference contributionContributedpeer-review

Contributors

  • Anderson Faustino Da Silva - , Universidade Estadual de Maringá (Author)
  • Marcelo Borges Nogueira - , Federal University of Rio Grande do Norte (Author)
  • Sergio Queiroz De Medeiros - , Federal University of Rio Grande do Norte (Author)
  • Jeronimo Castrillon - , Chair of Compiler Construction (cfaed) (Author)
  • Fernando Magno Quintao Pereira - , Universidade Federal de Minas Gerais (Author)

Abstract

Task classification is the challenge of determining whether two binary programs perform the same task. This problem is essential in scenarios such as malware identification, plagiarism detection, and redundancy elimination. Classification can be performed statically or dynamically. In the former case, the classifier analyzes the binary image of the program, whereas in the latter it observes the program's execution. Recent research has demonstrated that dynamic classification is more accurate, particularly in adversarial settings where programs may be obfuscated. This remains true even when both classifiers use the exact representation of programs, such as histograms of instruction opcodes. The superior accuracy of dynamic classification stems from its ability to disregard dead code inserted during the obfuscation process. However, state-of-the-art dynamic techniques, such as Valgrind plugins, can slow down program execution by as much as 100 times due to binary instrumentation. This paper proposes to eliminate this overhead by replacing program instrumentation with the sampling of hardware performance counters. Our findings reveal both advantages and limitations of this approach. On the positive side, classifiers based on hardware counters impose almost no runtime overhead while retaining greater accuracy than purely static classifiers, particularly in the presence of obfuscation. On the downside, counter-based classifiers are slightly less accurate than instrumentation-based approaches and offer coarser granularity, being limited to whole-program classification rather than individual functions. Despite these limitations, our results challenge the conventional belief that dynamic code classifiers are too costly to be deployed in environments such as online servers, operating systems, and virtual machines.

Details

Original languageEnglish
Title of host publicationCGO 2026 - Proceedings of the 2026 IEEE/ACM International Symposium on Code Generation and Optimization
EditorsStephen M. Blackburn, Albert Cohen, Timothy M. Jones
PublisherInstitute of Electrical and Electronics Engineers (IEEE)
Pages507-519
Number of pages13
ISBN (electronic)979-8-3315-9288-2
ISBN (print)979-8-3315-9289-9
Publication statusPublished - 23 Feb 2026
Peer-reviewedYes

Conference

Title24th IEEE/ACM International Symposium on Code Generation and Optimization
Abbreviated titleCGO 2026
Conference number24
Descriptionco-located as part of HPCA/CGO/PPoPP/CC 2026
Duration31 January - 4 February 2026
LocationInternational Convention Centre Sydney
CitySydney
CountryAustralia

External IDs

ORCID /0000-0002-5007-445X/work/219972781

Keywords

Keywords

  • Binary Diffing, Code Classification, Security