ICSME 2025
Sun 7 - Fri 12 September 2025 Auckland, New Zealand
Fri 12 Sep 2025 14:35 - 14:50 at Case Room 2 260-057 - Session 16 - Security 2 Chair(s): Gregorio Robles

In response to challenges in software supply chain security, several organisations have created infrastructures to independently build commodity open source projects and release the resulting binaries for Java/Maven and other software ecosystems. Build platform variability can strengthen security as it facilitates the detection of compromised build environments. Furthermore, by improving the security posture of the build platform and collecting provenance information during the build, the resulting artifacts can be used with greater trust. Such offerings are now available from Google, Oracle and RedHat. The availability of multiple binaries built from the same sources creates new challenges and opportunities, and raises questions such as: “Does build A confirm the integrity of build B?” or “Can build A reveal a compromised build B?”.
To answer such questions requires a notion of equivalence between binaries. We demonstrate that the obvious approach based on bitwise equality has significant shortcomings in practice, and propose an alternative approach based on levels of equivalence, inspired by clone detection types.

We demonstrate the value of these new levels through several experiments. For this purpose, we construct a dataset consisting of Java binaries (jar files) built from the same sources independently by different providers, resulting in 14,156 pairs of binaries in total.
We then compare the compiled class files in those jar files and find that for 3,750 pairs of jars (26.49%) there is at least one such file that is different, also forcing the jar files and their cryptographic hashes to be different. However, based on the new equivalence levels, we can still establish that many of them are practically equivalent; the number of pairs of jars with non-equivalent classes drops to 13.65 % in some cases. We evaluate several candidate equivalence relations on a semi-synthetic dataset that provides oracles consisting of pairs of binaries that either should be, or must not be equivalent.

This technique has been applied to evaluate artifacts built from source and used within Oracle’s Graal Development Kit for Micronaut (GDK) product.

Fri 12 Sep

Displayed time zone: Auckland, Wellington change

13:30 - 15:00
Session 16 - Security 2Research Papers Track / Industry Track / Registered Reports / NIER Track at Case Room 2 260-057
Chair(s): Gregorio Robles Universidad Rey Juan Carlos
13:30
15m
Understanding the Faults in Serverless Computing Based Applications: An Empirical Study
Research Papers Track
Changrong Xie National University of Defense Technology, Yang Zhang National University of Defense Technology, China, Xinjun Mao National University of Defense Technology, Kang Yang National University of Defense Technology, Tanghaoran Zhang National University of Defense Technology
13:45
15m
Security Vulnerabilities in Docker Images: A Cross-Tag Study of Application Dependencies
Research Papers Track
Hamid Mohayeji Nasrabadi Eindhoven University of Technology, Eleni Constantinou University of Cyprus, Alexander Serebrenik Eindhoven University of Technology
14:00
15m
Trust and Verify: Formally Verified and Upgradable Trusted Functions
Research Papers Track
Marcus Birgersson KTH Royal Institute of Technology, Cyrille Artho KTH Royal Institute of Technology, Sweden, Musard Balliu KTH Royal Institute of Technology
14:25
10m
MalLoc: Towards Fine-grained Android Malicious Payload Localization via LLMs
NIER Track
Tiezhu Sun University of Luxembourg, Marco Alecci University of Luxembourg, Aleksandr Pilgun University of Luxembourg, Yewei Song University of Luxembourg, Xunzhu Tang University of Luxembourg, Jordan Samhi University of Luxembourg, Luxembourg, Tegawendé F. Bissyandé University of Luxembourg, Jacques Klein University of Luxembourg
Pre-print
14:35
15m
Levels of Binary Equivalence for the Comparison of Binaries from Alternative Builds
Industry Track
Jens Dietrich Victoria University of Wellington, Tim White Victoria University of Wellington, Behnaz Hassanshahi Oracle Labs, Australia, Paddy Krishnan Oracle Labs, Australia
14:50
10m
Repairing vulnerabilities without invisible hands. A differentiated replication study on LLMs
Registered Reports
Maria Camporese University of Trento, Fabio Massacci University of Trento; Vrije Universiteit Amsterdam