I know they said they didn't obfuscate anything, but if you hide imports/symbols and obfuscate strings, which is the bare minimum for any competent attacker, the success rate will immediately drop to zero.<p>This is detecting the pattern of an anomaly in language associated with malicious activity, which is not impressive for an LLM.
One of the authors here.<p>The tasks here are entry level. So we are impressed that some AI models are able to detect some patterns, while looking just at binary code. We didn't take it for granted.<p>For example, only a few models understand Ghidra and Radare2 tooling (Opus 4.5 and 4.6, Gemini 3 Pro, GLM 5)
<a href="https://quesma.com/benchmarks/binaryaudit/#models-tooling" rel="nofollow">https://quesma.com/benchmarks/binaryaudit/#models-tooling</a><p>We consider it a starting point for AI agents being able to work with binaries. Other people discovered the same - vide <a href="https://x.com/ccccjjjjeeee/status/2021160492039811300" rel="nofollow">https://x.com/ccccjjjjeeee/status/2021160492039811300</a> and <a href="https://news.ycombinator.com/item?id=46846101">https://news.ycombinator.com/item?id=46846101</a>.<p>There is a long way ahead from "OMG, AI can do that!" to an end-to-end solution.
When I was developing my ghidra-cli tool for LLMs to use, I was using crackmes as tests and it had no problem getting through obfuscation as long as it was prompted about it. In practice when reverse engineering real software it can sometimes spin in circles for a while until it finally notices that it's dealing with obfuscated code, but as long as you update your CLAUDE.md/whatever with its findings, it generally moves smoothly from then on.
in the article they explicitly said they stripped symbols.
If you look at the actual backdoors many are already minimal and quite obfuscated,<p>see:<p>- <a href="https://github.com/QuesmaOrg/BinaryAudit/blob/main/tasks/dnsmasq-backdoor-detect-syscall/environment/build/backdoor.patch" rel="nofollow">https://github.com/QuesmaOrg/BinaryAudit/blob/main/tasks/dns...</a><p>- <a href="https://github.com/QuesmaOrg/BinaryAudit/blob/main/tasks/dropbear-brokenauth-detect/environment/build/backdoor.patch" rel="nofollow">https://github.com/QuesmaOrg/BinaryAudit/blob/main/tasks/dro...</a>
I've used Opus 4.5 and 4.6 to RE obfuscated malicious code with my own Ghidra plugin for Claude Code and it fully reverse engineered it. Granted, I'm talking about software cracks, not state-level backdoors.
Stripping symbols is fairly normal, but hiding <i>imports</i> ought to be suspicious in its own right.
Isn’t LLM supposed to be better at analyzing obfuscated than heuristics? Because of its ability to pattern match it can deduce what obfuscated code does?
Shameless plug: <a href="https://github.com/akiselev/ghidra-cli" rel="nofollow">https://github.com/akiselev/ghidra-cli</a><p>I’ve been using Ghidra to reverse engineer Altium’s file format (at least the Delphi parts) and it’s insane how effective it is. Models are not quite good enough to write an entire parser from scratch but before LLMs I would have never even attempted the reverse engineering.<p>I definitely would not depend on it for security audits but the latest models are more than good enough to reverse engineer file formats.
I can tell you how I am seeing agents be used with reasonable results. I will keep this high level. I don't rely on the agents solely. You build agents that augment your capabilities.<p>They can make diagrams for you, give you an attack surface mapping, and dig for you while you do more manual work. As you work on an audit you will often find things of interest in a binary or code base that you want to investigate further. LLMs can often blast through a code base or binary finding similar things.<p>I like to think of it like a swiss army knife of agentic tools to deploy as you work through a problem. They won't balk at some insanely boring task and that can give you a real speed up. The trick is if you fall into the trap of trying to get too much out of an LLM you end up pouring time into your LLM setup and not getting good results, I think that is the LLM productivity trap. But if you have a reasonable subset of "skills" / "agents" you can deploy for various auditing tasks it can absolutely speed you up some.<p>Also, when you have scale problems, just throw an LLM at it. Even low quality results are a good sniff test. Some of the time I just throw an LLM at a code review thing for a codebase I came across and let it work. I also love asking it to make me architecture diagrams.
Oh, nice find... We end up using PyGhidra, but the models waste some cycles because of bad ergonomics. Perhaps your cli would be easier.<p>Still, Ghidra's most painful limitation was extremely slow time with Go Lang. We had to exclude that example from the benchmark.
Thanks for sharing!
It seems to be an active space, vide a recent MCP server (<a href="https://news.ycombinator.com/item?id=46882389">https://news.ycombinator.com/item?id=46882389</a>). I you haven't tried, recommend a lot posting it as Show HN.<p>I tried a few approaches - <a href="https://github.com/jtang613/GhidrAssistMCP" rel="nofollow">https://github.com/jtang613/GhidrAssistMCP</a> (was the harderst to set) Ghidra analyzeHeadless (GPT-5.2-Codex worked with it well!) and PyGhidra (my go-to). Did you try to see which works the best?<p>I mean, very likely (especially with an explicit README for AI, <a href="https://github.com/akiselev/ghidra-cli/blob/master/.claude/skills/ghidra-cli/SKILL.md" rel="nofollow">https://github.com/akiselev/ghidra-cli/blob/master/.claude/s...</a>) your approach might be more convenient to use with AI agents.
This is really cool! Thanks for sharing. It's a lot more sophisticated than what I did w/ Ghidra + LLMs.
How does this approach compare to the various Ghidra MCP servers?
There’s not much difference, really. I stupidly didn’t bother looking at prior art when I started reverse engineering and the ghidra-cli was born (along with several others like ilspy-cli and debugger-cli)<p>That said, it should be easier to use as a human to follow along with the agent and Claude Code seems to have an easier time with discovery rather than stuffing all the tool definitions into the context.
I also did this approach (scripts + home-brew cli)...because I didn't know Ghidra MCP servers existed when I got started.<p>So I don't have a clear idea of what the comparison would be but it worked pretty well for me!
[dead]
GPT is impressive with a consistent 0% false positive rate across models, yet its ability to detect is as high as 18%. Meanwhile Claude Opus 4.6 is able to detect up to 46% of backdoors, but has a 22% false positive rate.<p>It would be interesting to have an experiment where these models are able to test exploiting but their alignment may not allow that to happen. Perhaps combining models together can lead to that kind of testing. The better models will identify, write up "how to verify" tests and the "misaligned" models will actually carry out the testing and report back to the better models.
It would be really cool if someone developed some standard language and methodology for measuring the success of binary classificaiton tasks...<p>Oh, wait, we have had that for a hundred years - somehow it's just entirely forgotten when generative models are involved.
>While end-to-end malware detection is not reliable yet, AI can make it easier for developers to perform initial security audits. A developer without reverse engineering experience can now get a first-pass analysis of a suspicious binary. [...] The whole field of working with binaries becomes accessible to a much wider range of software engineers. It opens opportunities not only in security, but also in performing low-level optimization, debugging and reverse engineering hardware, and porting code between architectures.<p>THIS is the takeaway. These tools are allowing *adjacency* to become a powerful guiding indicator. You don't need to be a reverser, you can just understand how your software works and drive the robot to be a fallible hypothesis generator in regions where you can validate only some of the findings.
> The executables in our benchmark often have hundreds or thousands of functions — while the backdoors are tiny, often just a dozen lines buried deep within. Finding them requires strategic thinking: identifying critical paths like network parsers or user input handlers and ignoring the noise.<p>Perhaps it would make sense to provide LLMs with some strategy guides written in .md files.
That's what I thought of too. Given their task formulation (they basically said - "check these binaries with these tools at your disposal" - and that's it!) their results are already super impressive. With a proper guidance and professional oversight it's a tremendous force multiplier.
We are in this super weird space where the comparable tasks are one-shot, e.g. "make me a to-do app" or "check these binaries", but any real work is multi-turn and dynamically structured.<p>But when we're trying to share results, "a talented engineer sat with the thread and wrote tests/docs/harnesses to guide the model" is less impressive than "we asked it and it figured it out," even though the latter is how real work will happen.<p>It creates this perverse scenario (which is no one's fault!) where we talk about one-shot performance but one-shot performance is useful in exactly 0 interesting cases.
Something I found useful is to "just figure it out" the first part (usually discovery, or library testing, new cli testing, repo understanding, etc.) and then distill it into "learnings" that I can place in agents.md or relevant skills. So you get the speed of "just prompt it" and the repeatability of having it already worked in this area. You also get more insight into what tasks work today, and at what effort level.<p>Sometimes it feels like it's not dissimilar to spending 4 hours to automate a 10 minute task that I thought I'll need forever but ended up just using it once in the past 5 months. But sometimes I unlock something that saves a huge amount of time, and can be reused in many steps of other projects.
That’s hard. Sometimes you will do that and find it prompts the model into “strategy talk” where it deploys the words and frame you use in your .md files but doesn’t actually do the strategy.<p>Even where it works, it is quite hard to specify human strategic thinking in a way that an AI will follow.
The fact that Gemini returns the highest rate of fake positives aligns with my experience using the Gemini models. I use ChatGPT, Claude and Gemini regularly and Gemini is clearly the most sycophantic of the three. If I ask those three models to evaluate something or estimate odds of success, Gemini always comes back with the rosiest outlook.<p>I had been searching for a good benchmark that provided some empirical evidence of this sycophancy, but I hadn't found much. Measuring false positives when you ask the model to complete a detection related task may be a good way of doing that.
See direct benchmark link: <a href="https://quesma.com/benchmarks/binaryaudit/" rel="nofollow">https://quesma.com/benchmarks/binaryaudit/</a><p>Open-source GitHub: <a href="https://github.com/QuesmaOrg/BinaryAudit" rel="nofollow">https://github.com/QuesmaOrg/BinaryAudit</a>
So the best one found about 50%. I think that is not bad,
probably better than most humans. But what about the remaining
50%? Why were some found and others not?<p>> Claude Opus 4.6 found it… and persuaded itself there is nothing to worry about
> Even the best model in our benchmark got fooled by this task.<p>That is quite strange. Because it seems almost as if a human is
required to make the AI tools understand this.
I'm not an expert but about false positives: why not make the agent attempt to use the backdoor and verify that it is actually a backdoor? Maybe give it access to tools and so on.
So many models refuse to do that due to alignment and safety concerns. So cross-model comparison doesn't make sense. We do, however, require proof (such as providing a location in binary) that is hard to game. So the model not only has to say there is a backdoor, but also point out the location.<p>Your approach, however, makes a lot of sense if you are ready to have your own custom or fine-tuned model.
the false positive rate (28% on clean binaries) is the real problem here, not the 49% detection rate. if you're running this on prod systems you'd be drowning in noise. also the execl("/bin/sh") rationalization is a telling failure -- the model sees suspicious evidence and talks itself out of it rather than flagging for review.
This is a really cool experiment. What strikes me is how the results mirror what we see in software supply chain attacks too - the backdoor doesn't have to be clever, it just has to be buried deep enough that nobody bothers to look. 40MB is already past the threshold where most people would manually audit anything.<p>I wonder if a hybrid approach would work better: use AI to flag suspicious sections, then have a human reverser focus only on those. Kind of like how SAST tools work for source code - nobody expects them to catch everything, but they narrow down where to look.
Along this line can AI's find backdoors spread across multiple pieces of code and/or services? <i>i.e. by themselves they are not back-doors, advanced penetration testers would not suspect anything is afoot but when used together they provide access.</i><p><i>e.g. an intentional weakness in systemd + udev + binfmt magic when used together == authentication and mandatory access control bypass. Each weakness reviewed individually just looks like benign sub-optimal code.</i>
I highly doubt some of those results, GPT 5.2/+codex is incredible for cyber security and CTFs, and 5.3 Codex (not on API yet) even moreso. There is absolutely no way it's below Deepseek or Haiku. Seems like a harness issue, or they tested those models at none/low reasoning?
As I do eval and training data sets for living, in niche skills, you can find plenty of surprises.<p>The code is open-source; you can run it yourself using Harbor Framework:<p>git clone git@github.com:QuesmaOrg/BinaryAudit.git<p>export OPENROUTER_API_KEY=...<p>harbor run
--path tasks
--task-name lighttpd-*
--agent terminus-2
--model openrouter/anthropic/claude-opus-4.6
--model openrouter/google/gemini-3-pro-preview
--model openrouter/openai/gpt-5.2
--n-attempts 3<p>Please open PR if you find something interesting, though our domain experts spend fair amount of time looking at trajectories.
Just for fun, I ran dnsmasq-backdoor-detect-printf (which has a 0% pass rate in your leaderboard with GPT models) with --agent codex instead of terminus-2 with gpt-5.2-codex and it identified the backdoor successfully on the first try. I honestly think it's a harness issue, could you re-run the benchmarks with Codex for gpt-5.2-codex and gpt-5.2?
Are the existing trajectories from your runs published anywhere? Or is the only way is for me to run them again?
I wonder how model performance would change if the tooling included the ability to interact with the binary and validate the backdoor. Particularly for models that had a high rate of false positives, would they test their hypothesis?
Very, very cool. Besides the top-performing models, it's interesting (if I'm reading this correctly) that gpt-5.2 did ~2x better than gpt-5.2-codex.. why?
> gpt-5.2 did ~2x better than gpt-5.2-codex.. why?<p>Optimising a model for a certain task, via fine-tuning (aka post-training), can lead to loss of performance on other tasks. People want codex to "generate code" and "drive agents" and so on. So oAI fine-tuned for that.
Random thoughts, only vaguely related: what’s the impact of AI on CTFs? I would assume that kills part of the fun of such events?
It would be interesting to have some tests run against deliberate code obfuscation next
> Claude Opus 4.6 found it… and persuaded itself there is nothing to worry about.<p>Lol.<p>> Gemini 3 Pro supposedly “discovered” a backdoor.<p>Yup, sounds typical for Gemini...it tends to lie.<p>Very good article. Sounds super useful to apply its findings and improve LLMs.<p>On a similar note.... reverse engineering is now accessible to the public. Tons of old software is now be easy to RE. Are software companies having issues with this?
Ummm, is it a good idea to use AI for malware analysis? I know this is just a proof of concept, but if you have actual malware, it doesn’t seem safe to hand that to AI. Given the lengths of anti-debugging that goes in existing malware, making something to prompt inject, or trick AI to execute something, seems easier.
So these beat me to identifying backdoors too. This is going places in an alarming pace.
the interactive code viewer is neat!
And this one demonstration why these "1000 CTOs claim no effectiveness improvement after introducing AI in their companies" are 100% BS.<p>They may have not noticed an improvement, but it doesn't mean there isn't any.
Is it? Gemini 3-pro-preview and 3-flash-preview, respectively top2 and top3, had 44% and 37% true positive and whooping 65% and 86% false positives. This is worse than a coin toss. Anything more than 0% (3% to be generous) is useless in the real world. This leaves only grok and GPT, with 18%, 9% and 2% success rate.<p>In fact, this is what authors said themselves: "However, this approach is not ready for production. Even the best model, Claude Opus 4.6, found relatively obvious backdoors in small/mid-size binaries only 49% of the time. Worse yet, most models had a high false positive rate — flagging clean binaries." So I'm not sure if we're even discussing the same article.<p>I also don't see a comparison with any other methodology. What is the success rate of ./decompile binary.exe | grep "(exec|system)/bin/sh"? What is the success rate of state-of-the-art alternative approaches?
Even without AI, many (most?) orgs are held back by internal processes and politics, not development speed.
it also generally takes a heck of a noisy bang for internal developments to make it to the c-suite
These results are terrible, false positives and false negatives. Useless
[dead]
[dead]
Validating binary streams at the gateway level is such an overlooked part of the stack; catching malformed Protobuf or Avro payloads before they poison downstream state is a massive win for long-term system reliability.