Scientific knowledge map · Paper #53
Towards Automated Augmentation and Instrumentation of Legacy Cryptographic Executables
2020 · 18th International Conference on Applied Cryptography and Network Security (ACNS)
- Applied
- algorithm
Research question
What does the paper try to establish?
Can weak cryptographic routines in legacy executables be identified, scoped, and replaced with stronger primitives when source code and debugging symbols are unavailable?
Central answer
What is the proposed answer?
ALICE combines static feature and call-graph analysis, offline dynamic execution, dynamic taint tracking, and static binary rewriting. Its prototype replaces several hash-function implementations in ELF x86-64 binaries and largely preserves tested behavior, while retaining explicit manual and platform limitations.
Evidence profile
Six dimensions, kept separate
The chart summarizes documented evidence and process. It is not a correctness probability, confidence score, or ranking, and no composite score is calculated.
LowMediumHighN/A = not assessed
A smaller value means less documented support for that dimension, not that the paper is false or unimportant.
- Epistemic evidence High
-
The full source documents an implemented pipeline, explicit success criteria, multiple datasets, measured overheads, observed failures, and limitations. Generalization beyond the tested platform and hashes remains unsupported.
Experimental setup, datasets, and correctness criteria Cryptographic-library results Real-world-binary results and manual-effort analysis Limitations and future work - Auditability High
-
A checked-in complete archive copy with page count and SHA-256, the official DOI, and a public source repository make the principal evidence inspectable, although this audit did not reproduce the experiments.
Problem, ALICE goals, and contribution summary Public ALICE repository Official ACNS publication identity - Production provenance Medium
-
Named authors, venue, archive version, DOI, and repository are documented; contributor roles, exact experimental environment capture, commit-to-paper correspondence, and revision workflow are not fully recorded.
Official ACNS publication identity Public ALICE repository - External scrutiny Medium
-
ACNS publication and public code provide external exposure, but review reports and independent reproduction are not represented.
Official ACNS publication identity Public ALICE repository - Reception Low
-
The dated exact-DOI OpenAlex record located 2 citations. Under the author-defined rule, 0 through 8 located citations is Low; the count is index- and date-dependent.
Dated citation-count snapshot - Contribution significance Medium
-
The paper moves from primitive identification to executable rewriting and publishes a prototype, but broader adoption and durable downstream impact are not established by this audit.
Problem, ALICE goals, and contribution summary Conclusion and bounded claim
Assessment: Ai draft author review pending · 2026-07-11 · rubric 0.2. These dimensions describe documented support and process, not truth, correctness, or a universal ranking. No composite score is calculated.
Top-down and bottom-up view
Hierarchical knowledge map
Collapse a branch for a top-level reading, or follow its source links and child nodes to audit the evidence and boundaries underneath it.
Towards Automated Augmentation and Instrumentation of Legacy Cryptographic Executables
ALICE is an implemented binary-analysis and rewriting toolchain for replacing weak hash functions in legacy executables without source code or debugging symbols.
Problem, ALICE goals, and contribution summary-
question Research question
research questionIs automatic cryptographic migration at the binary level practically feasible when maintainers cannot recompile or inspect original source?
Problem, ALICE goals, and contribution summary -
contribution Central answer
demonstrated on tested scopeFor a bounded class of non-obfuscated ELF x86-64 binaries, ALICE identifies hash routines, propagates digest-size changes through affected buffers, injects a replacement routine, and redirects calls with low measured overhead.
Target platform and explicit scope Primitive identification pipeline Binary augmentation and static rewriting -
scope Target environment explicitly scoped
The prototype targets ELF-format x86-64 binaries produced from C, assumes ordinary defensive software rather than malware, and requires neither source code nor debugging symbols.
Target platform and explicit scope-
assumption Non-malicious and unobfuscated input
assumedCorrectness of the workflow depends on the binary being non-obfuscated and on underlying disassembly, symbolic execution, assembly, and rewriting tools behaving adequately on the encountered instructions.
Target platform and explicit scope Limitations and future work
-
-
method Three-phase ALICE pipeline implemented
ALICE identifies target cryptography, scopes affected state, and then augments and rewrites the executable. The paper separates these phases so failures and manual obligations remain visible.
Primitive identification pipeline Change classes and dynamic-taint scoping Binary augmentation and static rewriting-
algorithm Identify hash routines
implementedThe tool scans for known constants, follows the binary call graph to collect candidates, enumerates plausible calling conventions, and executes candidates offline on known inputs to remove false positives and recover parameter order.
Primitive identification pipeline -
algorithm Scope propagated buffer changes
implementedDynamic taint analysis marks the target digest output and tracks affected memory buffers so a larger replacement digest can be accommodated. It handles routine replacement and buffer resizing, not arbitrary semantic logic changes.
Change classes and dynamic-taint scoping -
algorithm Inject and redirect
implementedALICE appends replacement code, rewrites affected stack and memory references, and redirects calls statically, minimizing runtime instrumentation overhead.
Binary augmentation and static rewriting
-
-
evidence group Experimental evidence empirical
The prototype is evaluated across multiple cryptographic libraries, compiler optimization levels, and six real applications, with explicit functional tests, code-size measurements, instruction counts, and tool runtime.
Experimental setup, datasets, and correctness criteria Cryptographic-library results Real-world-binary results and manual-effort analysis-
evidence Library corpus
measuredTests cover hash implementations from OpenSSL, libgcrypt, mbedTLS, and FreeBL across common compiler optimization settings. The rewritten library binaries add little executed-instruction overhead relative to manually rebuilt baselines.
Experimental setup, datasets, and correctness criteria Cryptographic-library results -
evidence Real-world application corpus
measured with failureThe paper tests md5sum, sha1sum, smd5_mkpass, ssha_mkpass, curl, and lighttpd. Most rewritten binaries pass project tests and the target hash behavior, but one misidentified routine and an O3 curl case expose concrete failure modes.
Real-world-binary results and manual-effort analysis
-
-
claim Functionality preservation on tested binaries
demonstrated on corpusFor the successful cases, rewritten applications pass the available original test suites and produce the expected stronger-hash behavior. This is test-based evidence, not a proof of semantic equivalence.
Real-world-binary results and manual-effort analysis -
claim Low measured runtime and code-size overhead
measuredLibrary experiments add about 300 executed instructions on average, and application runs remain below roughly five percent instruction overhead; rewritten real binaries add about 4-11 KB. Tool execution ranges from under a minute on simple cases to about five minutes on the largest tested program.
Cryptographic-library results Real-world-binary results and manual-effort analysis -
claim Reduced manual rewriting effort
measured on corpusOn the reported O2 application set, ALICE automatically rewrites 99.87 percent of counted changed instructions when routine and buffer changes are included; excluding routine identification, it handles about 70.17 percent of buffer-plus-logic changes.
Real-world-binary results and manual-effort analysis -
limitation group Limitations material
The prototype does not automatically infer arbitrary control-logic changes, does not replace primitives inside dynamic libraries, does not support obfuscated programs, and inherits unsoundness or unsupported-instruction risks from angr, Keystone, and other components.
Change classes and dynamic-taint scoping Limitations and future work-
limitation Demonstrated only for hash replacement
explicitly scopedAlthough the architecture is presented as extensible, the concrete evaluation replaces hash functions; it does not establish automated migration for arbitrary encryption, signature, protocol, or post-quantum primitives.
Target platform and explicit scope Conclusion and bounded claim
-
-
artifact group Paper and code
publicly availableThe extended manuscript is checked in with fixity metadata and the authors link a public ALICE repository. This audit confirmed the repository link but did not rebuild or reproduce the toolchain.
Public ALICE repository Official ACNS publication identity -
scrutiny External scrutiny
venue reviewedThe conference paper appeared at ACNS 2020 and the extended source exposes its experiments and limitations. Review reports and an independent reproduction are not represented.
Official ACNS publication identity Limitations and future work -
lineage Role in cryptographic migration
documentedALICE extends binary cryptographic identification from detection toward replacement, while leaving semantic logic repair and broader primitive support as subsequent work.
Problem, ALICE goals, and contribution summary Limitations and future work
Audit trail
Source index
Locators state the depth of the current audit. PDF page numbers, where present, are one-based file pages; metadata-, summary-, and abstract-bounded records explicitly identify their limitations.
- Problem, ALICE goals, and contribution summary Abstract and Section 1, PDF pages 1-3
- Target platform and explicit scope Section 3, Goal and Scope, PDF pages 4-6
- Primitive identification pipeline Section 4.1, PDF pages 6-8
- Change classes and dynamic-taint scoping Section 4.2, PDF pages 8-11
- Binary augmentation and static rewriting Section 4.3, PDF pages 11-12
- Experimental setup, datasets, and correctness criteria Section 5.1, PDF pages 12-13
- Cryptographic-library results Section 5.2, Table 1, and Figure 3, PDF pages 13-15
- Real-world-binary results and manual-effort analysis Section 5.3, Tables 2-3 and Figures 4-5, PDF pages 15-17
- Limitations and future work Section 6, PDF pages 17-18
- Conclusion and bounded claim Section 7, PDF page 18
- Public ALICE repository Repository linked by the paper; repository state was not independently reproduced in this audit
- Official ACNS publication identity DOI 10.1007/978-3-030-57878-7_18
- Dated citation-count snapshot OpenAlex reported 2 citations when accessed 2026-07-11