A Toolchain for Assisting Migration of Software Executables Towards Post-Quantum Cryptography
Norrathep Rattanavipanon, Jakapan Suaboot, Warodom Werapun
TL;DR
The paper addresses the challenge of migrating software to post-quantum cryptography by focusing on binary executables rather than source code. It introduces QED, a three-phase static-analysis toolchain that traces dependencies from executables to quantum-vulnerable APIs within cryptography libraries, providing evidence at each phase and adjustable reporting modes. Empirical results on synthetic and real-world datasets show that QED can achieve zero false negatives with final-phase verification, while substantially reducing analyst workload (over 90% in the real-world dataset) and maintaining practical runtimes (about 4 seconds per executable). The work demonstrates the feasibility of scalable PQC readiness tooling for organizations, particularly SMBs, and outlines directions for expanding coverage to indirect calls, non-dynamically linked or in-binary cryptography, and semi-automatic patching for PQC deployment.
Abstract
Quantum computing poses a significant global threat to today's security mechanisms. As a result, security experts and public sectors have issued guidelines to help organizations migrate their software to post-quantum cryptography (PQC). Despite these efforts, there is a lack of (semi-)automatic tools to support this transition especially when software is used and deployed as binary executables. To address this gap, in this work, we first propose a set of requirements necessary for a tool to detect quantum-vulnerable software executables. Following these requirements, we introduce QED: a toolchain for Quantum-vulnerable Executable Detection. QED uses a three-phase approach to identify quantum-vulnerable dependencies in a given set of executables, from file-level to API-level, and finally, precise identification of a static trace that triggers a quantum-vulnerable API. We evaluate QED on both a synthetic dataset with four cryptography libraries and a real-world dataset with over 200 software executables. The results demonstrate that: (1) QED discerns quantum-vulnerable from quantum-safe executables with 100% accuracy in the synthetic dataset; (2) QED is practical and scalable, completing analyses on average in less than 4 seconds per real-world executable; and (3) QED reduces the manual workload required by analysts to identify quantum-vulnerable executables in the real-world dataset by more than 90%. We hope that QED can become a crucial tool to facilitate the transition to PQC, particularly for small and medium-sized businesses with limited resources.