Document Open Access Logo

Discovering and Repairing Flaws in C Binaries Without Requiring Codebase and Instrumentation

Authors Diogo Ferreira , Ibéria Medeiros

PDF

File

Thumbnail PDF
PDF
OASIcs.AEiC.2026.2.pdf
  • Filesize: 1.15 MB
  • 19 pages

Document Identifiers

Subject Classification

ACM Subject Classification
  • Security and privacy → Penetration testing
  • Security and privacy → Software reverse engineering
  • Security and privacy → Software security engineering
Keywords
  • Buffer Overflow Vulnerabilities
  • Binary Patching
  • Reverse Engineering
  • Static Analysis
  • Software Security

Metrics

Abstract

Industrial and embedded software systems frequently integrate various third-party components sourced from diverse providers into their codebases. These systems are commonly developed in C, a language known for its lack of variable bounds checking, making it vulnerable to Buffer Overflows (BOs), which, when exploited, can cause severe damage. Consequently, the binary code resulting from vulnerable C programs is also vulnerable and remains so in the final products. Fixing these software systems is challenging because only binary code is available. This paper presents PatchBin, a binary patching tool to automatically fix BO vulnerabilities and validate the effectiveness of fixes while ensuring no new flaws are introduced. The approach involves a combination of fuzzing, reverse static analysis and static rewriting techniques to, respectively, (i) identify possible malicious inputs that can trigger BOs, (ii) find their root cause by employing reverse data flow analysis, and (iii) remove them by rewriting the binary code with effective validation, thus generating a new binary without the original flaws and new ones. Experimental evaluations with synthetic and real-world applications demonstrated that PatchBin detects and fixes BO in binary programs without introducing new vulnerabilities. The results showed that PatchBin is an important aid for industrial partners, enabling them to test and fix their products, including third-party components, without access to source code, but only to binary code.

Cite As Get BibTex

Diogo Ferreira and Ibéria Medeiros. Discovering and Repairing Flaws in C Binaries Without Requiring Codebase and Instrumentation. In 30th Ada-Europe International Conference on Reliable Software Technologies (AEiC 2026). Open Access Series in Informatics (OASIcs), Volume 143, pp. 2:1-2:19, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2026) https://doi.org/10.4230/OASIcs.AEiC.2026.2

Author Details

Diogo Ferreira
  • LASIGE, Department of Informatics, Faculty of Sciences of University of Lisboa, Portugal
Ibéria Medeiros
  • LASIGE, Department of Informatics, Faculty of Sciences of University of Lisboa, Portugal

Funding

This work was partially supported by P2030 through project I2DT, ref. COMPETE2030-FEDER-00389100, an ITEA4 European project (ref. 22025), and by FCT through the LASIGE Research Unit, ref. UID/00408/2025.

References

  1. Omar I. Al-Bataineh. Reduce Before you Repair: Advantages of Combining Program Slicing with Automated Program Repair . In 2025 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), pages 1-6, March 2025. URL: https://doi.org/10.1109/SANER64311.2025.00094.
  2. Mj Muhammad Aslam. Binary instrumentation with QEMU. Master’s thesis, University of Technology of Eindhoven, July 2016. Google Scholar
  3. Johannes Bader, Andrew Scott, Michael Pradel, and Satish Chandra. Getafix: learning to fix bugs automatically. Proc. ACM Programming Languages, 3(OOPSLA), October 2019. URL: https://doi.org/10.1145/3360585.
  4. Fabrice Bellard. QEMU: A generic and open source machine emulator and virtualizer, 2009. URL: https://www.qemu.org/.
  5. Xuemeng Cai and Lingxiao Jiang. Adapting Knowledge Prompt Tuning for Enhanced Automated Program Repair . In 2025 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), pages 360-371, March 2025. URL: https://doi.org/10.1109/SANER64311.2025.00041.
  6. Buddhika Chamith, Bo Joel Svensson, Luke Dalessandro, and Ryan R Newton. Instruction punning: Lightweight instrumentation for x86-64. SIGPLAN, 52:320-332, June 2017. URL: https://doi.org/10.1145/3062341.3062344.
  7. Code-Live. Simple password generator. URL: https://github.com/codeliveru/pgen.
  8. C Cowan, F Wagle, Calton Pu, S Beattie, and J Walpole. Buffer overflows: attacks and defenses for the vulnerability of the decade. In In Proceedings of the DARPA Information Survivability Conference and Exposition, volume 2, pages 119-129, 2000. Google Scholar
  9. CWE. Top 25 most dangerous software weaknesses, 2026. URL: https://cwe.mitre.org/top25/index.html.
  10. Jason Deckard. Buffer Overflow Attacks: Detect, Exploit, Prevent. Syngress, 2005. Google Scholar
  11. Sun Ding, Hee Beng Kuan Tan, and Hongyu Zhang. Automatic removal of buffer overflow vulnerabilities in C/C++ programs. In Proceedings of the 16th International Conference on Enterprise Information Systems, 2:49-59, 2014. URL: https://doi.org/10.5220/0004888000490059.
  12. Qingao Dong, Yuanzhang Lin, Hailong Sun, and Xiang Gao. Enhancing automated vulnerability repair through dependency embedding and pattern store. In 2025 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), pages 193-204, March 2025. URL: https://doi.org/10.1109/SANER64311.2025.00026.
  13. Gregory J. Duck. E9Patch: A powerful static binary rewriter, 2020. URL: https://github.com/GJDuck/e9patch.
  14. Gregory J Duck, Xiang Gao, and Abhik Roychoudhury. Binary rewriting without control flow recovery. In In Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation, pages 151-163, 2020. URL: https://doi.org/10.1145/3385412.3385972.
  15. emacdona. Tictactoe. URL: https://github.com/emacdona/tictactoe.
  16. Jon Erickson. Hacking: The Art of Exploitation, 2nd Edition. No Starch Press, 2008. Google Scholar
  17. Andrea Fioraldi, Dominik Maier, Heiko Eißfeldt, and Marc Heuse. The AFL++ fuzzing framework, 2017. URL: https://aflplus.plus/.
  18. Andrea Fioraldi, Dominik Maier, Heiko Eißfeldt, and Marc Heuse. AFL++: Combining incremental steps of fuzzing research. In In Proceedings of the 14th USENIX Workshop on Offensive Technologies. USENIX Association, agt 2020. Google Scholar
  19. Fengjuan Gao, Linzhang Wang, and Xuandong Li. BovInspector: Automatic inspection and repair of buffer overflow vulnerabilities. In Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering, pages 786-791, 2016. URL: https://doi.org/10.1145/2970276.2970282.
  20. GNU and Fee Software Foundation. GDB: The gnu project debugger, 1986. URL: https://sourceware.org/gdb/.
  21. LLVM Developer Group. The llvm compiler infrastructure project, 2003. URL: https://llvm.org/.
  22. Kanon Harada and Katsuhisa Maruyama. Towards efficient program repair with apr tools based on genetic algorithms. In 2024 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), pages 896-901, March 2024. URL: https://doi.org/10.1109/SANER60148.2024.00097.
  23. IBM. IBM - What is Industry 4.0, 2024. URL: https://www.ibm.com/topics/industry-4-0.
  24. João Inácio and Ibéria Medeiros. Corca: An automatic program repair tool for checking and removing effectively C flaws. In In Proceedings of the IEEE Conference on Software Testing, Verification and Validation, pages 71-82, April 2023. URL: https://doi.org/10.1109/ICST57152.2023.00016.
  25. Intel. Intel® inspector, 2025. URL: https://www.intel.com/content/www/ us/en/developer/tools/oneapi/inspector.html.
  26. Kyriakos Ispoglou, Daniel Austin, Vishwath Mohan, and Mathias Payer. Fuzzgen: Automatic fuzzer generation. In In Proceedings of the 29th USENIX Security Symposium, pages 2271-2287, agt 2020. URL: https://www.usenix.org/conference/usenixsecurity20/presentation/ispoglou.
  27. William Klieber, Ruben Martins, Ryan Steele, Matt Churilla, Mike McCall, and David Svoboda. Automated code repair to ensure spatial memory safety. In In Proceedings of IEEE/ACM International Workshop on Automated Program Repair, pages 23-30, June 2021. URL: https://doi.org/10.1109/APR52552.2021.00013.
  28. Zhiqiang Lin, Xuxian Jiang, Dongyan Xu, Bing Mao, and Li Xie. AutoPaG: Towards Automated Software Patch Generation with Source Code Root Cause Identification and Repair. In Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, pages 329-340, 2007. Google Scholar
  29. Chenyang Lyu, Shouling Ji, Yuwei Li, Junfeng Zhou, Jianhai Chen, and Jing Chen. Smartseed: Smart seed generation for efficient fuzzing. arXiv, 2018. Google Scholar
  30. Chenyang Lyu, Shouling Ji, Chao Zhang, Yuwei Li, Wei-Han Lee, Yu Song, and Raheem Beyah. Mopt: Optimized mutation scheduling for fuzzers. In In Proceedings of the 28th USENIX Security Symposium, pages 1949-1966, agt 2019. URL: https://www.usenix.org/conference/usenixsecurity19/presentation/lyu.
  31. Michael Matz, Jan Hubicka, Andreas Jaeger, and Mark Mitchell. System v application binary interface. AMD64 Architecture Processor Supplement, Draft v0, 99(2013):57, 2013. Google Scholar
  32. Sergey Mechtaev, Jooyong Yi, and Abhik Roychoudhury. Angelix: Scalable Multiline Program Patch Synthesis via Symbolic Analysis. In Proceedings of the 2016 IEEE/ACM 38th International Conference on Software Engineering, 2016. Google Scholar
  33. Mend.io. Most secure programming languages, 2024. URL: https://www.whitesourcesoftware.com/ resources/research-reports/what-are-the-most-secure-programming-languages/.
  34. Microsoft. Definition of a security vulnerability, 2014. URL: https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc751383(v=technet.10).
  35. Ricardo Morgado, Ibéria Medeiros, and Nuno Neves. Towards web application security by automated code correction. In Proceedings of the 15th International Conference on Evaluation of Novel Approaches to Software Engineering, 2020. Google Scholar
  36. NIST. Nist software assurance reference dataset, 2026. URL: https://samate.nist.gov/SARD/.
  37. Eduard Pinconschi, Rui Abreu, and Pedro Adão. A comparative study of automatic program repair techniques for security vulnerabilities. In Proceedings of the IEEE International Symposium on Software Reliability Engineering (ISSRE), pages 196-207, 2021. URL: https://doi.org/10.1109/ISSRE52982.2021.00031.
  38. James Ransome and Anmol Misra. Core Software Security: Security at the Source. CRC Press, 2018. Google Scholar
  39. Fayozbek Rustamov and Joobeom Yun. Deepdiver: Diving into abysmal depth of the binary for hunting deeply hidden software vulnerabilities. Future Internet, 12:74, January 2020. URL: https://doi.org/10.3390/FI12040074.
  40. Eric Schulte, Michael D. Brown, and Vlad Folts. A broad comparative evaluation of x86-64 binary rewriters. In In Proceedings of the 15th Workshop on Cyber Security Experimentation and Test, pages 129-144, agt 2022. URL: https://doi.org/10.1145/3546096.3546112.
  41. Eric Schulte, Jonathan DiLorenzo, Westley Weimer, and Stephanie Forrest. Automated repair of binary and assembly programs for cooperating embedded devices. Journal SIGARCH Computer Architecture, 41:317-328, March 2013. URL: https://doi.org/10.1145/2451116.2451151.
  42. Hossain Shahriar, Hisham M. Haddad, and Ishan Vaidya. Buffer Overflow Patching for C and C++ Programs: Rule-Based Approach. ACM SIGAPP Applied Computing Review, 13(2):8-19, 2013. Google Scholar
  43. Vaibhav Sharma. Automatically repairing binary programs using adapter synthesis. In In Proceedings of the 34th IEEE/ACM International Conference on Automated Software Engineering, pages 1238-1241, November 2019. URL: https://doi.org/10.1109/ASE.2019.00149.
  44. Stelios Sidiroglou-Douskos, Eric Lahtinen, Fan Long, and Martin Rinard. Automatic Error Elimination by Horizontal Code Transfer across Multiple Applications. ACM SIGPLAN Notices, 50(6):43?54, 2015. Google Scholar
  45. Alexey Smirnov and Tzi-cker Chiueh. Automatic Patch Generation for Buffer Overflow Attacks. In Proceedings of the 3rd International Symposium on Information Assurance and Security, pages 165-170, 2007. URL: https://doi.org/10.1109/IAS.2007.87.
  46. Sonar. Sonarqube, 2025. URL: https://www.sonarqube.org/.
  47. Threatpost. St. jude medical patches vulnerable cardiac devices, 2024. URL: https://threatpost.com/st-jude-medical-patches-vulnerable-cardiac-devices/122955/.
  48. Jayakrishna Vadayath, Moritz Eckert, Kyle Zeng, Nicolaas Weideman, Gokulkrishna Praveen Menon, Yanick Fratantonio, Davide Balzarotti, Adam Doupé, Tiffany Bao, Ruoyu Wang, Christophe Hauser, and Yan Shoshitaishvili. Arbiter: Bridging the static and dynamic divide in vulnerability discovery on binary programs. In In Proceedings of the USENIX Security Symposium, pages 413-430, agt 2022. URL: https://www.usenix.org/conference/usenixsecurity22/presentation/vadayath.
  49. Wired. Jeep remote vulnerability, 2024. URL: https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/.
  50. Michal Zalewski. AFL: American fuzzy loop, 2026. URL: https://lcamtuf.coredump.cx/afl/.
Any Issues?
X

Feedback on the Current Page

CAPTCHA

Thanks for your feedback!

Feedback submitted to Dagstuhl Publishing

Could not send message

Please try again later or send an E-mail
© 2023-2026 Schloss Dagstuhl – LZI GmbH Schloss Dagstuhl – LZI GmbH About DROPS Imprint Privacy Contact