Karim Eldefrawy

Cryptography, Cybersecurity, Privacy

Co-founder and CTO at Confidencial.io
2017-2021: SRI
2011-2016: HRL Laboratories
2006-2010: PhD@UC Irvine

Scientific curiosity

Scientific knowledge map · Paper #53

Towards Automated Augmentation and Instrumentation of Legacy Cryptographic Executables

Karim Eldefrawy, Michael E. Locasto, Norrathep Rattanavipanon, and Hassen Saïdi

2020 · 18th International Conference on Applied Cryptography and Network Security (ACNS)

  • Applied
  • algorithm

What does the paper try to establish?

Can weak cryptographic routines in legacy executables be identified, scoped, and replaced with stronger primitives when source code and debugging symbols are unavailable?

What is the proposed answer?

ALICE combines static feature and call-graph analysis, offline dynamic execution, dynamic taint tracking, and static binary rewriting. Its prototype replaces several hash-function implementations in ELF x86-64 binaries and largely preserves tested behavior, while retaining explicit manual and platform limitations.

Six dimensions, kept separate

The chart summarizes documented evidence and process. It is not a correctness probability, confidence score, or ranking, and no composite score is calculated.

The visual spider chart requires JavaScript. The complete values and rationales follow in text.

LowMediumHighN/A = not assessed

A smaller value means less documented support for that dimension, not that the paper is false or unimportant.

Epistemic evidence High

The full source documents an implemented pipeline, explicit success criteria, multiple datasets, measured overheads, observed failures, and limitations. Generalization beyond the tested platform and hashes remains unsupported.

Experimental setup, datasets, and correctness criteria Cryptographic-library results Real-world-binary results and manual-effort analysis Limitations and future work
Auditability High

A checked-in complete archive copy with page count and SHA-256, the official DOI, and a public source repository make the principal evidence inspectable, although this audit did not reproduce the experiments.

Problem, ALICE goals, and contribution summary Public ALICE repository Official ACNS publication identity
Production provenance Medium

Named authors, venue, archive version, DOI, and repository are documented; contributor roles, exact experimental environment capture, commit-to-paper correspondence, and revision workflow are not fully recorded.

Official ACNS publication identity Public ALICE repository
External scrutiny Medium

ACNS publication and public code provide external exposure, but review reports and independent reproduction are not represented.

Official ACNS publication identity Public ALICE repository
Reception Low

The dated exact-DOI OpenAlex record located 2 citations. Under the author-defined rule, 0 through 8 located citations is Low; the count is index- and date-dependent.

Dated citation-count snapshot
Contribution significance Medium

The paper moves from primitive identification to executable rewriting and publishes a prototype, but broader adoption and durable downstream impact are not established by this audit.

Problem, ALICE goals, and contribution summary Conclusion and bounded claim

Assessment: Ai draft author review pending · 2026-07-11 · rubric 0.2. These dimensions describe documented support and process, not truth, correctness, or a universal ranking. No composite score is calculated.

Hierarchical knowledge map

Collapse a branch for a top-level reading, or follow its source links and child nodes to audit the evidence and boundaries underneath it.

paper

Towards Automated Augmentation and Instrumentation of Legacy Cryptographic Executables

ALICE is an implemented binary-analysis and rewriting toolchain for replacing weak hash functions in legacy executables without source code or debugging symbols.

Problem, ALICE goals, and contribution summary
  1. question

    Research question

    research question

    Is automatic cryptographic migration at the binary level practically feasible when maintainers cannot recompile or inspect original source?

    Problem, ALICE goals, and contribution summary
  2. scope Target environment explicitly scoped

    The prototype targets ELF-format x86-64 binaries produced from C, assumes ordinary defensive software rather than malware, and requires neither source code nor debugging symbols.

    Target platform and explicit scope
    1. assumption

      Non-malicious and unobfuscated input

      assumed

      Correctness of the workflow depends on the binary being non-obfuscated and on underlying disassembly, symbolic execution, assembly, and rewriting tools behaving adequately on the encountered instructions.

      Target platform and explicit scope Limitations and future work
  3. method Three-phase ALICE pipeline implemented

    ALICE identifies target cryptography, scopes affected state, and then augments and rewrites the executable. The paper separates these phases so failures and manual obligations remain visible.

    Primitive identification pipeline Change classes and dynamic-taint scoping Binary augmentation and static rewriting
    1. algorithm

      Identify hash routines

      implemented

      The tool scans for known constants, follows the binary call graph to collect candidates, enumerates plausible calling conventions, and executes candidates offline on known inputs to remove false positives and recover parameter order.

      Primitive identification pipeline
    2. algorithm

      Scope propagated buffer changes

      implemented

      Dynamic taint analysis marks the target digest output and tracks affected memory buffers so a larger replacement digest can be accommodated. It handles routine replacement and buffer resizing, not arbitrary semantic logic changes.

      Change classes and dynamic-taint scoping
    3. algorithm

      Inject and redirect

      implemented

      ALICE appends replacement code, rewrites affected stack and memory references, and redirects calls statically, minimizing runtime instrumentation overhead.

      Binary augmentation and static rewriting
  4. evidence group Experimental evidence empirical

    The prototype is evaluated across multiple cryptographic libraries, compiler optimization levels, and six real applications, with explicit functional tests, code-size measurements, instruction counts, and tool runtime.

    Experimental setup, datasets, and correctness criteria Cryptographic-library results Real-world-binary results and manual-effort analysis
    1. evidence

      Real-world application corpus

      measured with failure

      The paper tests md5sum, sha1sum, smd5_mkpass, ssha_mkpass, curl, and lighttpd. Most rewritten binaries pass project tests and the target hash behavior, but one misidentified routine and an O3 curl case expose concrete failure modes.

      Real-world-binary results and manual-effort analysis
  5. claim

    Functionality preservation on tested binaries

    demonstrated on corpus

    For the successful cases, rewritten applications pass the available original test suites and produce the expected stronger-hash behavior. This is test-based evidence, not a proof of semantic equivalence.

    Real-world-binary results and manual-effort analysis
  6. claim

    Low measured runtime and code-size overhead

    measured

    Library experiments add about 300 executed instructions on average, and application runs remain below roughly five percent instruction overhead; rewritten real binaries add about 4-11 KB. Tool execution ranges from under a minute on simple cases to about five minutes on the largest tested program.

    Cryptographic-library results Real-world-binary results and manual-effort analysis
  7. claim

    Reduced manual rewriting effort

    measured on corpus

    On the reported O2 application set, ALICE automatically rewrites 99.87 percent of counted changed instructions when routine and buffer changes are included; excluding routine identification, it handles about 70.17 percent of buffer-plus-logic changes.

    Real-world-binary results and manual-effort analysis
  8. limitation group Limitations material

    The prototype does not automatically infer arbitrary control-logic changes, does not replace primitives inside dynamic libraries, does not support obfuscated programs, and inherits unsoundness or unsupported-instruction risks from angr, Keystone, and other components.

    Change classes and dynamic-taint scoping Limitations and future work
    1. limitation

      Demonstrated only for hash replacement

      explicitly scoped

      Although the architecture is presented as extensible, the concrete evaluation replaces hash functions; it does not establish automated migration for arbitrary encryption, signature, protocol, or post-quantum primitives.

      Target platform and explicit scope Conclusion and bounded claim
  9. artifact group

    Paper and code

    publicly available

    The extended manuscript is checked in with fixity metadata and the authors link a public ALICE repository. This audit confirmed the repository link but did not rebuild or reproduce the toolchain.

    Public ALICE repository Official ACNS publication identity

Source index

Locators state the depth of the current audit. PDF page numbers, where present, are one-based file pages; metadata-, summary-, and abstract-bounded records explicitly identify their limitations.

  1. Problem, ALICE goals, and contribution summary Abstract and Section 1, PDF pages 1-3
  2. Target platform and explicit scope Section 3, Goal and Scope, PDF pages 4-6
  3. Primitive identification pipeline Section 4.1, PDF pages 6-8
  4. Change classes and dynamic-taint scoping Section 4.2, PDF pages 8-11
  5. Binary augmentation and static rewriting Section 4.3, PDF pages 11-12
  6. Experimental setup, datasets, and correctness criteria Section 5.1, PDF pages 12-13
  7. Cryptographic-library results Section 5.2, Table 1, and Figure 3, PDF pages 13-15
  8. Real-world-binary results and manual-effort analysis Section 5.3, Tables 2-3 and Figures 4-5, PDF pages 15-17
  9. Limitations and future work Section 6, PDF pages 17-18
  10. Conclusion and bounded claim Section 7, PDF page 18
  11. Public ALICE repository Repository linked by the paper; repository state was not independently reproduced in this audit
  12. Official ACNS publication identity DOI 10.1007/978-3-030-57878-7_18
  13. Dated citation-count snapshot OpenAlex reported 2 citations when accessed 2026-07-11