A method for function name recovery in binaries via hierarchical semantic propagation
摘要
The large-scale deployment of IoT devices has led to widespread use of stripped firmware binaries, where function names are removed, leaving many functions anonymous. This obscures program semantics and heightens security risks by hiding vulnerabilities. Recovering meaningful function names is thus crucial for reverse engineering and security analysis. Existing approaches treat naming as an isolated prediction task or rely on static, limited calling contexts, struggling with deep call chains and severe semantic loss. To overcome this, we propose SemFlow, a call-graph-driven, hierarchical semantic propagation method. SemFlow reframes naming as an iterative process that progressively resolves anonymity by leveraging the call graph’s structure: it first recovers bottom-layer functions with richer context and propagates their names upward as semantic anchors to enrich context for mid- and top-layer functions. We evaluate SemFlow on real-world binaries across four architectures (x86-64, x86-32, ARM, MIPS) and four optimization levels (O0–O3). Results show consistent superiority over the state-of-the-art SYMGEN: F1 scores improve by up to 13.4% (x86-64), 20.3% (x86-32), 34.3% (ARM), and 158.5% (MIPS). Notably, on mid-layer anonymous functions—where semantic scarcity is most acute—SemFlow achieves an average F1 gain of 162.7%, demonstrating the effectiveness of hierarchical semantic propagation in mitigating context loss in deep call chains.