Levels of Binary Equivalence for the Comparison of Binaries from Alternative Builds

📅 2024-10-11
🏛️ arXiv.org
📈 Citations: 2
Influential: 0
🤖 AI Summary
In software supply chain security, binaries built from identical source code on different platforms often exhibit bit-level discrepancies, rendering traditional byte-wise comparison ineffective for determining functional equivalence and detecting cross-build security risks. To address this, we propose a multi-level binary equivalence model and introduce the first clone-detection framework that jointly incorporates semantic- and behavioral-level equivalence reasoning—thereby overcoming the limitations of strict bitwise equality. Our approach integrates static analysis, bytecode parsing, and equivalence relation modeling to construct a verifiable, semi-synthetic benchmark and an automated equivalence decision system. Evaluated on 14,156 pairs of Java binaries, our method identifies bit-level differences in 26.49% of samples, yet accurately confirms their functional equivalence—demonstrating substantial improvements in trustworthiness and reliability of supply chain binary comparison.

📝 Abstract
In response to challenges in software supply chain security, several organisations have created infrastructures to independently build commodity open source projects and release the resulting binaries. Build platform variability can strengthen security as it facilitates the detection of compromised build environments. Furthermore, by improving the security posture of the build platform and collecting provenance information during the build, the resulting artifacts can be used with greater trust. Such offerings are now available from Google, Oracle and RedHat. The availability of multiple binaries built from the same sources creates new challenges and opportunities, and raises questions such as: 'Does build A confirm the integrity of build B?' or 'Can build A reveal a compromised build B?'. To answer such questions requires a notion of equivalence between binaries. We demonstrate that the obvious approach based on bitwise equality has significant shortcomings in practice, and that there is value in opting for alternative notions. We conceptualise this by introducing levels of equivalence, inspired by clone detection types. We demonstrate the value of these new levels through several experiments. We construct a dataset consisting of Java binaries built from the same sources independently by different providers, resulting in 14,156 pairs of binaries in total. We then compare the compiled class files in those jar files and find that for 3,750 pairs of jars (26.49%) there is at least one such file that is different, also forcing the jar files and their cryptographic hashes to be different. However, based on the new equivalence levels, we can still establish that many of them are practically equivalent. We evaluate several candidate equivalence relations on a semi-synthetic dataset that provides oracles consisting of pairs of binaries that either should be, or must not be equivalent.
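
The comparison the abstract describes, separating a jar-level hash mismatch from differences in the compiled class files, as an added example (not code from the paper). It does not implement the paper's equivalence levels; the jar contents, entry names and helper names are constructed for illustration.

```python
import hashlib
import io
import zipfile

def make_jar(entries, date_time):
    """Build an in-memory jar from (name, bytes) pairs, stamping every entry with date_time."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            zf.writestr(zipfile.ZipInfo(name, date_time=date_time), data)
    return buf.getvalue()

def class_digests(jar_bytes):
    """Map each .class entry name to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = [n for n in zf.namelist() if n.endswith(".class")]
        if len(names) != len(set(names)):
            # Duplicate entry names make "the" class file ambiguous; refuse to compare.
            raise ValueError("duplicate class entries in archive")
        return {n: hashlib.sha256(zf.read(n)).hexdigest() for n in names}

def compare_jars(a, b):
    """Return (jars_bitwise_equal, sorted names of class files that differ or exist on one side only)."""
    da, db = class_digests(a), class_digests(b)
    differing = sorted(n for n in da.keys() | db.keys() if da.get(n) != db.get(n))
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest(), differing

# Constructed placeholder bytes (magic number plus filler), not valid class files.
FOO = b"\xca\xfe\xba\xbe" + b"constructed-Foo"
BAR = b"\xca\xfe\xba\xbe" + b"constructed-Bar"
BAR_ALT = b"\xca\xfe\xba\xbe" + b"constructed-Bar-other-compiler"

# Build A and build B: same class bytes, different entry order, timestamps and manifest.
BUILD_A = make_jar([("com/example/Foo.class", FOO), ("com/example/Bar.class", BAR),
                    ("META-INF/MANIFEST.MF", b"Built-By: provider-a\n")], (2024, 1, 1, 0, 0, 0))
BUILD_B = make_jar([("META-INF/MANIFEST.MF", b"Built-By: provider-b\n"),
                    ("com/example/Bar.class", BAR), ("com/example/Foo.class", FOO)],
                   (2024, 6, 1, 12, 0, 0))
# Build C: one class file compiled to different bytes.
BUILD_C = make_jar([("com/example/Foo.class", FOO), ("com/example/Bar.class", BAR_ALT),
                    ("META-INF/MANIFEST.MF", b"Built-By: provider-a\n")], (2024, 1, 1, 0, 0, 0))

if __name__ == "__main__":
    for label, other in (("A vs B", BUILD_B), ("A vs C", BUILD_C)):
        same_jar, diff = compare_jars(BUILD_A, other)
        print(f"{label}: jar bitwise equal={same_jar}, differing class files={diff}")
```

A pair like A vs C is where bitwise comparison stops being informative and a weaker notion of equivalence between the two class files has to be evaluated.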

Problem

Research questions and friction points this paper is trying to address.

Defining equivalence levels for comparing binaries from different builds
Assessing if alternative builds confirm or reveal compromised binaries
Evaluating practical equivalence despite cryptographic hash differences

Innovation

Methods, ideas, or system contributions that make the work stand out.

Introduces levels of binary equivalence
Compares binaries from alternative builds
Uses semi-synthetic dataset for evaluation