DecLLM: LLM-Augmented Recompilable Decompilation for Enabling Programmatic Use of Decompiled Code
Decompilers are widely used in reverse engineering (RE) to convert compiled executables into human-readable pseudocode and support various security analysis tasks. Existing decompilers, such as IDA Pro and Ghidra, focus on enhancing the readability of decompiled code rather than its recompilability, which limits further programmatic use, such as for CodeQL-based vulnerability analysis that requires compilable versions of the decompiled code. Recent LLM-based approaches for enhancing decompilation results, while useful for human RE analysts, unfortunately also follow the same path.
In this paper, we explore, for the first time, how off-the-shelf large language models (LLMs) can be used to enable recompilable decompilation—automatically correcting decompiler outputs into compilable versions. We first show that this is non-trivial through a pilot study examining existing rule-based and LLM-based approaches. Based on the lessons learned, we design DecLLM, an iterative LLM-based repair loop that utilizes both static recompilation and dynamic runtime feedback as oracles to iteratively fix decompiler outputs. We test DecLLM on popular C benchmarks and real-world binaries using two mainstream LLMs, GPT-3.5 and GPT-4, and show that off-the-shelf LLMs can achieve an upper bound of around 70% recompilation success rate, i.e., 70 out of 100 originally non-recompilable decompiler outputs are now recompilable. We also demonstrate the semantic consistency of using this recompilable code for CodeQL-based vulnerability analysis compared to the ground-truth source code. For the remaining 30% of hard cases, we further delve into their errors to gain insights for future improvements in decompilation-oriented LLM design.
Thu 26 JunDisplayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change
16:00 - 17:15 | Decompilation and TracingResearch Papers at Cosmos 3B Chair(s): Philipp Straubinger University of Passau | ||
16:00 25mTalk | DecLLM: LLM-Augmented Recompilable Decompilation for Enabling Programmatic Use of Decompiled Code Research Papers WONG Wai Kin Hong Kong University of Science and Technology, Daoyuan Wu Hong Kong University of Science and Technology, Huaijin Wang Ohio State University, Li Zongjie Hong Kong University of Science and Technology, Zhibo Liu Hong Kong University of Science and Technology, Shuai Wang Hong Kong University of Science and Technology, Qiyi Tang Tencent Security Keen Lab, Sen Nie Tencent Security Keen Lab, Shi Wu Tencent Security Keen Lab DOI | ||
16:25 25mTalk | DataHook: An Efficient and Lightweight System Call Hooking Technique without Instruction Modification Research Papers Quan Hong Institute of Information Engineering, Chinese Academy of Sciences & School of Cyber Security, University of Chinese Academy of Sciences, Jiaqi Li Institute of Information Engineering, Chinese Academy of Sciences, Wen Zhang China Unicom Online Information Technology CO.,Ltd, Lidong Zhai Institute of Information Engineering, Chinese Academy of Sciences DOI | ||
16:50 25mTalk | Tracezip: Efficient Distributed Tracing via Trace Compression Research Papers Zhuangbin Chen Sun Yat-sen University, Junsong Pu Beijing University of Posts and Telecommunication, Zibin Zheng Sun Yat-sen University DOI | ||
Cosmos 3B is the second room in the Cosmos 3 wing.
When facing the main Cosmos Hall, access to the Cosmos 3 wing is on the left, close to the stairs. The area is accessed through a large door with the number “3”, which will stay open during the event.