Automatically Mitigating Vulnerabilities in Binary Programs via Partially Recompilable Decompilation


Abstract:

Vulnerabilities are challenging to locate and repair, especially when source code is unavailable and binary patching is required. Manual methods are time-consuming, require significant expertise, and do not scale to the rate at which new vulnerabilities are discovered. Automated methods are an attractive alternative, and we propose Partially Recompilable Decompilation (PRD) to help automate the process. PRD lifts suspect binary functions to source, available for analysis, revision, or review, and creates a patched binary using source- and binary-level techniques. Although decompilation and recompilation do not typically succeed on an entire binary, our approach does because it is limited to a few functions, such as those identified by our binary fault localization. We evaluate the assumptions underlying our approach and find that, without any grammar or compilation restrictions, up to 79% of individual functions are successfully decompiled and recompiled. In comparison, only 1.7% of the full C-binaries succeed. When recompilation succeeds, PRD produces test-equivalent binaries 93.0% of the time. We evaluate PRD in two contexts: a fully automated process incorporating source-level Automated Program Repair (APR) methods; and human-edited source-level repairs. When evaluated on DARPA Cyber Grand Challenge (CGC) binaries, we find that PRD-enabled APR tools, operating only on binaries, perform as well as, and sometimes better than full-source tools, collectively mitigating 85 of the 148 scenarios, a success rate consistent with the same tools operating with access to the entire source code. PRD achieves similar success rates as the winning CGC entries, sometimes finding higher-quality mitigations than those produced by top CGC teams. For generality, the evaluation includes two independently developed APR tools and C++, Rode0day, and real-world binaries.
Published in: IEEE Transactions on Dependable and Secure Computing (Volume: 22, Issue: 3, May-June 2025)
Page(s): 2270 - 2282
Date of Publication: 31 October 2024

Arizona State University, Tempe, AZ, USA
Pemma Reiter received the BS degree in computer engineering from Virginia Tech in 2001 and the MSc degree in computer science from Arizona State University in 2019, where she is currently working toward the PhD degree. Before joining ASU, she worked at Intel Corp. 2001-2017 as a pre-silicon validation, design, and firmware engineer, and technical lead for System-on-a-Chip products. Her research interests focus on program representation at multiple abstraction levels with a goal of improving software quality, tools, and human understanding.
Arizona State University, Tempe, AZ, USA
Hui Jun Tay received the BS/MS degree in electrical and computer engineering from Carnegie Mellon University in 2015/2016. Hui Jun is currently working toward the PhD degree with Arizona State University, SEFCOM. Before pursuing their PhD, they worked for DSO National Laboratories from 2016-2019 as a computer security researcher in the field of embedded security. Hui Jun’s current research interests include firmware analysis, symbolic execution and automated program analysis.
University of Michigan, Ann Arbor, MI, USA
Westley Weimer received the BA degree in computer science and mathematics from Cornell University, and the MS and PhD degrees in computer engineering from the University of California, Berkeley. He is currently a professor of computer science with the University of Michigan. His main research interests include static and dynamic analyses to improve software quality and fix defects, as well as medical imaging and human studies of programming.
Arizona State University, Tempe, AZ, USA
Adam Doupé is an associate professor with the School of Computing and Augmented Intelligence, Arizona State University. He is also director of the Center for Cybersecurity and Trusted Foundations with the Global Security Initiative, Arizona State University and the co-director with the Laboratory of Security Engineering For Future Computing (SEFCOM). He plays CTFs with Shellphish, and as a founding member of the Order of the Overflow hosted the DEF CON CTF (Quals and Finals) from 2018–2021. His research focuses on automated vulnerability analysis, web security, binary analysis, mobile security, network security, underground economies, cybercrime, hacking competitions, and human factors of security.
Arizona State University, Tempe, AZ, USA
Ruoyu Wang (Member, IEEE) is an associate professor with the School of Computing and Augmented Intelligence, Arizona State University. He is associate director of the Center for Cybersecurity and Trusted Foundations with the Global Security Initiative, Arizona State University and the co-director with the Laboratory of Security Engineering For Future Computing (SEFCOM). He is a long-time Shellphish CTF player and a member of Nautilus Institute, the DEF CON CTF (Quals and Finals) organizer since 2022. His main research interest is binary analysis, including but not limited to, automated reverse engineering, vulnerability discovery, exploit generation, and decompilation.
Arizona State University, Tempe, AZ, USA
Stephanie Forrest (Life Fellow, IEEE) is a professor with the School of Computing and Augmented Intelligence, Arizona State University, where she directs the Biodesign Center for Biocomputation, Security and Society. Her interdisciplinary research focuses on the intersection of biology and computation, including cybersecurity, software engineering, and biological modeling.