ACM SURE Workshop

@sureworkshop


The Workshop on Software Understanding and Reverse Engineering (SURE). Co-located at ACM CCS 2025 in Taiwan on October 13th.

ACM CCS 2025 (Taiwan)
Joined April 2025
@sureworkshop
ACM SURE Workshop
7 months
We are excited to announce that the 1st Workshop on Software Understanding and Reverse Engineering (SURE) will be co-located at ACM CCS 2025 in Taiwan! We invite the community to submit their awesome research https://t.co/8RTLR383kw. So, what is SURE? More in the 🧵
1
10
28
@sureworkshop
ACM SURE Workshop
1 month
@moyix Finally, stay in touch. We have an associated Discord (unorthodox, we know) to connect academics and practitioners: https://t.co/xPA9o2HSKw In fact, some of the attendees this year only made it due to the outreach on Discord. Come and chat!
discord.com
The Workshop on Software Understanding and Reverse Engineering (SURE), hosting conversations on associated topics. From decompilation to source visualization, find them under the SURE umbrella. | 282
0
1
1
@sureworkshop
ACM SURE Workshop
1 month
@moyix Also, go read some of the papers: https://t.co/4e4NFH5wpv Keep a lookout for our executive summary of papers/discussions/conclusions at SURE 2025 for those who could not attend IRL. We will post it in the coming days.
sure-workshop.org
Papers and posters accepted for SURE 2025
1
1
3
@sureworkshop
ACM SURE Workshop
1 month
CCS has come to a close, and so has the first-ever SURE Workshop. We want to thank the authors, the PC, @moyix, our panel, and CCS for making SURE a success. We felt the support for this research area (the room was packed out for more than half the day). See you all next year!
1
1
5
@sureworkshop
ACM SURE Workshop
1 month
Check out the paper: https://t.co/fPqHtZih8F
0
0
0
@sureworkshop
ACM SURE Workshop
1 month
In the special sub-area of type inferencing on binary code, Noriki's work explores the recovery of structs and how different GNN architectures may have better performance.
1
0
0
@sureworkshop
ACM SURE Workshop
1 month
On our last presented work at SURE, we have Noriki Sakamoto presenting "Toward Inferring Structural Semantics from Binary Code Using Graph Neural Networks"
1
0
3
@sureworkshop
ACM SURE Workshop
1 month
Check out the paper: https://t.co/UEWwvK1bzg
0
0
0
@sureworkshop
ACM SURE Workshop
1 month
Indeed, LibIHT is more robust. They achieve better results on binaries that attempt to evade their analysis.
1
0
0
@sureworkshop
ACM SURE Workshop
1 month
The magic happens at the kernel level. Their new tool LibIHT (https://t.co/8x8JEgM674) is implemented both at the user-space and kernel-space level. This is important for speed and robustness against evasion techniques.
github.com
Intel Hardware Trace Library - Kernel Space Componment - libiht/libiht
1
0
0
@sureworkshop
ACM SURE Workshop
1 month
Often, when static analysis tools do not work, you need to get down in the weeds of a program and start dynamically analyzing it. In Thomason's work, he explores a way to be more robust and efficient by utilizing hardware features for dynamic analysis.
1
0
0
@sureworkshop
ACM SURE Workshop
1 month
We're so back, and on our last session: Applications & Future Work. Changyu "Thomason" Zhao is presenting "LibIHT: A Hardware-Based Approach to Efficient and Evasion-Resistant Dynamic Binary Analysis". He is presenting virtually.
1
1
9
@sureworkshop
ACM SURE Workshop
1 month
Find the paper here: https://t.co/8NIhOkDP1v
0
0
0
@sureworkshop
ACM SURE Workshop
1 month
Now, you got your crazy code, how do you select which functions in the code to obfuscate and evaluate on? Functions must be "sensitive" and "central". Sensitive: has sensitive info like a uid or gid or a password. Central: many other functions should depend on it (calls).
1
0
0
@sureworkshop
ACM SURE Workshop
1 month
Real world programs in their set need: - unique functionality - complex code - ... Some real programs: OpenSSL, QEMU, SQLite, curl, ... all difficult targets that are already hard to analyze, so they are not obfuscated.
1
0
0
@sureworkshop
ACM SURE Workshop
1 month
An interesting observation: obfuscation is really expensive on the CPU. Real programs don't obfuscate the entire program; they only obfuscate critical code locations like license checks. So they construct their dataset with that in mind.
1
0
0
@sureworkshop
ACM SURE Workshop
1 month
Dongpeng argues that many modern works in deobfuscation don't work on large complex programs. Instead, they are mostly tested on toy programs that are not real-world. To make a more useful evaluation, they explore how real obfuscation is used.
1
0
0
@sureworkshop
ACM SURE Workshop
1 month
We're on our last talk of the session, remaining with the obfuscation topic. Dongpeng Xu is presenting "DEBRA: A Real-World Benchmark For Evaluating Deobfuscation Methods" in the place of Zheyun Feng.
1
1
1
@sureworkshop
ACM SURE Workshop
1 month
Interesting question: do specific features seem to matter more for the models? Example: constants. So far, the answer is unclear. These models are very black-box and require more explainability.
0
0
0
@sureworkshop
ACM SURE Workshop
1 month
Takeaways: - Training on obfuscation does help models, but it is not a silver bullet. This solution does not work well on obfuscation tech it has never seen before. Check out the work: https://t.co/808cSkntmc
1
0
0
@sureworkshop
ACM SURE Workshop
1 month
Some results: you train on obfuscation, and it turns out the model does do better (with BinShot) on obfuscated code. However, training it on specific types of obfuscation tech matters. For instance, training on control flow flattening may not help at all with MBA.
1
0
0