> ## Documentation Index > Fetch the complete documentation index at: https://mintlify.com/NationalSecurityAgency/ghidra/llms.txt > Use this file to discover all available pages before exploring further. # BSim Database > Behavioral similarity search for functions and executables ## Overview Ghidra's **BSim (Behavioral Similarity)** Database allows reverse engineers to ingest metadata about previously analyzed binary executables to a central server or local database. The database can then be queried to quickly discover previously seen functions and libraries in new, unknown executables. ## Key Features Queries tolerate variations in function compilation All records are indexed for quick queries, even with millions of functions Uses p-code from Ghidra's decompiler for robust matching Supports fuzzy matching with configurable similarity thresholds ## How It Works ### Feature Extraction BSim extracts features from a **concise description of function data-flow**, not explicit machine instructions: * Based on Ghidra's intermediate representation language (**p-code**) * Generated by the Ghidra decompiler * Graph-based abstract syntax tree representation * Normalized to minimize compilation variation impact ### Normalized Comparisons The resulting function descriptions are normalized to tolerate variations due to: Different machine instructions that perform the same operation Variations in register allocation, stack usage, and memory locations Compiler-dependent instruction reordering Many forms of compiler optimization and transformation Even some forms of deliberate code obfuscation ### Text Retrieval Strategies Records are indexed using text retrieval strategies enabling: * **Nearest neighbor queries**: Features don't need exact matches * **Configurable similarity**: Set percentage thresholds for matches * **Functional tolerance**: Match even when source code has changed slightly * **Microsecond queries**: Single function results typically return in microseconds For a database containing **millions of functions**, query results typically return in **microseconds**. ## Database Technologies BSim supports three database backends: | Backend | Use Case | Features | | ----------------- | ----------- | ----------------------------------------------- | | **PostgreSQL** | Production | Robust, multi-connection, fault-tolerant server | | **Elasticsearch** | Distributed | Scalable across clusters, distributed indexing | | **H2 (local)** | Development | Convenience for small personal collections | PostgreSQL server software is currently only supported on **Linux** and **macOS**. Elasticsearch must be obtained separately. H2 databases are supported on all platforms. ## Integration with Ghidra ### Ghidra Server Integration Ingest from Ghidra Server or local project repositories Results reference executables within repositories Easy ingestion using the `bsim` command script ### Plugin Client Ghidra includes a plugin client that integrates: * Query dialog directly in the main CodeBrowser * Results windows with side-by-side comparison * Direct navigation to matching functions ```bash theme={null} # Command-line ingestion example bsim createdatabase postgresql://localhost/mydb bsim ingest postgresql://localhost/mydb /path/to/ghidra/project ``` ### Query API Ghidra provides a Java API for: * Incorporating queries into analyst scripts * Programmatic ingestion of executables * Marshaling queries and results between Ghidra sessions and BSim servers ```java theme={null} // Source: BSimOverview.html:168-177 // The API allows queries and ingest to be incorporated // into analyst scripts, marshaling data between an active // Ghidra session and a BSim server ``` ## Database Configuration BSim databases can be configured for different scenarios: Create and configure PostgreSQL, H2, or Elasticsearch backends Customize feature weights for domain-specific matching Batch ingest executables from repositories Interactive and programmatic query options ## Querying BSim Database ### Query Types 1. **Single Function Query**: Search for similar functions to a specific function 2. **Batch Query**: Query multiple functions at once 3. **Overview Query**: Get database statistics and metadata 4. **Executable Query**: Find similar executables in the database ### Query Parameters Similarity threshold (0.0 to 1.0) for matching functions Confidence threshold to filter low-quality matches Maximum number of results to return ### Using the Plugin Right-click on a function in the CodeBrowser listing Select **BSim → Search for Similar Functions** Set similarity threshold and other parameters Examine matches in the results window with similarity scores ## Ingesting Executables ### Prerequisites * Executables must be analyzed in Ghidra * Decompilation must be run on functions * Database must be created and accessible ### Ingest Workflow ```bash theme={null} # Create database bsim createdatabase postgresql://localhost:5432/malware_db # Ingest from Ghidra repository bsim ingest postgresql://localhost:5432/malware_db ghidra://server/repo # Ingest from local project bsim ingest postgresql://localhost:5432/malware_db /home/user/ghidra_project ``` ### Ingest Options Filter which functions to ingest based on size, complexity, or other criteria Associate custom metadata tags with ingested executables Process large numbers of executables automatically Re-ingest updated executables without duplicates ## Command-Line Reference The `bsim` command-line utility provides comprehensive database management: | Command | Description | | ----------------- | ---------------------------------- | | `createdatabase` | Initialize a new BSim database | | `dropdatabase` | Delete an existing database | | `ingest` | Add executables to database | | `update` | Update existing executable records | | `delete` | Remove executables from database | | `queryfunctions` | Query for similar functions | | `queryexe` | Query for similar executables | | `dumpdb` | Export database contents | | `installmetadata` | Install database schema | Ensure you have proper database permissions before running administrative commands. ## Advanced Features ### Features and Weights Customize how BSim weights different aspects of function behavior: * **Data-flow features**: Weight importance of data operations * **Control-flow features**: Emphasize branching patterns * **Call graph features**: Consider function call relationships * **Constant features**: Factor in constant values used ### Performance Optimization For optimal performance with large databases: * Use PostgreSQL or Elasticsearch for production * Configure appropriate database indexes * Allocate sufficient memory to database server * Use batch queries when analyzing multiple functions ## Use Cases Identify known malware families and variants Find vulnerable code patterns across executables Recognize commercial and open-source libraries Track code reuse and software lineage ## Source Code References ```bash theme={null} # Main implementation ~/workspace/source/Ghidra/Features/BSim/ # Help documentation BSim/src/main/help/help/topics/BSim/ # Database schemas BSim/data/ # Command-line scripts BSim/support/ ``` ## Database Maintenance ### Regular Tasks * **Backup**: Regularly backup your BSim database * **Vacuum**: Run database optimization (PostgreSQL) * **Monitor**: Track database size and query performance * **Update**: Keep ingested executables synchronized with analysis ### Troubleshooting Check database indexes, increase memory allocation, or optimize feature weights Verify network connectivity, database server status, and authentication credentials Ensure executables are fully analyzed and decompiled in Ghidra ## Next Steps Perform dynamic analysis on executables Track changes between program versions