When Binaries Talk Back: Representation-Confusion Attacks on LLM-Assisted Reverse Engineering

📅 2026-07-14
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work addresses the vulnerability of large language model (LLM)-assisted reverse engineering to adversarial manipulation by malicious binaries, which can mislead LLMs into misinterpreting data as executable instructions or standalone evidence, thereby producing erroneous conclusions. The paper introduces, for the first time, a novel attack paradigm termed Representation Ambiguity-based Reverse Engineering deception (RARE), wherein adversarial binaries are crafted to induce such misinterpretations. To counter this threat, the authors propose RARE-Guard, a defense framework integrating authorization control, provenance tracking, and evidence validation mechanisms. Built upon the Ghidra, r2pipe, and angr toolchain, RARE-Guard employs techniques including Data-Only rendering, Support Gate, and Provenance Gate. Experimental results demonstrate that without protection, LLMs recommend dangerous operations in 35 out of 40 cases; with RARE-Guard, all spurious claims are fully blocked across multiple analysis tools while preserving legitimate reverse engineering capabilities.
📝 Abstract
LLM-assisted reverse-engineering (RE) systems analyze strings, decompiler output, and tool reports derived from ttacker-controlled binaries. A binary can make data look like instructions or records from one origin look like independent evidence. We call such failures Representation-Confusion Attacks in Reverse Engineering (RARE): the pipeline promotes a correctly extracted observation to instruction authority, claim-validating evidence, or trusted analysis state without the authority or support that role requires. RARE-Bench measures these failures with behavior-checked clean and adversarial binaries. After an exploratory 11,520-call study, we test RARE-Guard's authorization and evidence controls on 20 new programs and two models. Without runtime controls, the models propose a planted unsafe action in 35/40 adversarial cases and 0/40 clean cases. When binary-derived content is shown only as data (Data-Only rendering), they still make 15 unsafe proposals. Tool Authorization denies all 15 and authorizes all 40 matched analyst requests. On identical report drafts, Support Gate validates 23/40 false claims by counting records from one origin separately. Provenance Gate groups those records before counting support, validates 0/40 false claims, and retains all 40 supported claims. We then instrument Ghidra, r2pipe, and angr on 16 further programs. In a preselected eight-program subset, no single-tool draft reaches Support Gate's validation threshold for the false claim. In fused drafts across all 16 programs, Support Gate validates 32/32 false claims. Provenance Gate prevents validation of all 32 and retains all 32 supported claims. A deterministic renderer prevents downgraded claims from reappearing in the final report. Binary-derived content may therefore guide analysis without gaining authority over tools, and views from several tools do not necessarily provide independent evidence.
Problem

Research questions and friction points this paper is trying to address.

reverse engineering
large language models
representation confusion
adversarial binaries
evidence validation
Innovation

Methods, ideas, or system contributions that make the work stand out.

Representation-Confusion Attacks
LLM-assisted Reverse Engineering
Provenance Gate
Tool Authorization
RARE-Guard
🔎 Similar Papers
2024-03-27ACM Transactions on Software Engineering and MethodologyCitations: 2