Callee: Recovering Call Graphs for Binaries with Transfer and Contrastive Learning

Recovering binary programs' call graphs is crucial for inter-procedural analysis tasks and applications based on them.transfer One of the core challenges is recognizing targets of indirect calls (i.e., indirect callees). Existing solutions all have high false positives and negatives, making call graphs inaccurate. In this paper, we propose a new solution Callee combining transfer learning and contrastive learning. The key insight is that, deep neural networks (DNNs) can automatically identify patterns concerning indirect calls, which can be more efficient than designing approximation algorithms or heuristic rules to handle various cases. Inspired by the advances in question-answering applications, we utilize contrastive learning to answer the callsite-callee question. However, one of the toughest challenges is that DNNs need large datasets to achieve high performance, while collecting large-scale indirect-call ground-truths can be computational-expensive. Since direct calls and indirect calls share similar calling conventions, it is possible to transfer knowledge learned from direct calls to indirect ones. Therefore, we leverage transfer learning to pre-train DNNs with easy-to-collect direct calls and further fine-tune the indirect-call DNNs. We evaluate Callee on several groups of targets, and results show that our solution could match callsites to callees with an F1-Measure of 94.6%, much better than state-of-the-art solutions. Further, we apply Callee to binary code similarity detection and hybrid fuzzing, and found it could greatly improve their performance.