Lares: LLM-driven Code Slice Semantic Search for Patch Presence Testing
Siyuan Li, Yaowen Zheng, Hong Li, Jingdong Guo, Chaopeng Dong, Chunpeng Yan, Weijie Wang, Yimo Ren, Limin Sun, Hongsong Zhu
TL;DR
Lares introduces a compile-free, LLM-driven approach for patch presence testing that directly analyzes patch source code and decompiled pseudocode to determine whether a target binary contains the patched version of a function. The method combines patch enhancement (data/control-flow and macro analysis), patch localization (LLM-guided pseudocode mapping with AST-guided truncation), and patch verification (lexical normalization, SMT-based solving, and LLM reasoning). Evaluations across multiple architectures, compilers, and optimization levels show that Lares achieves higher precision and recall than prior methods while offering better usability and scalability, including cross-architecture effectiveness. The work demonstrates practical impact for large-scale vulnerability patch validation and provides publicly available datasets and code, enabling broader adoption and further research in patch presence testing.
Abstract
In modern software ecosystems, 1-day vulnerabilities pose significant security risks due to extensive code reuse. Identifying vulnerable functions in target binaries alone is insufficient; it is also crucial to determine whether these functions have been patched. Existing methods, however, suffer from limited usability and accuracy. They often depend on the compilation process to extract features, requiring substantial manual effort and failing for certain software. Moreover, they cannot reliably distinguish code changes caused by patches from those caused by compilation variations. To overcome these limitations, we propose Lares, a scalable and accurate method for patch presence testing. Lares introduces Code Slice Semantic Search, which directly extracts features from the patch source code and identifies semantically equivalent code slices in the pseudocode of the target binary. By eliminating the need for the compilation process, Lares improves usability, while leveraging large language models (LLMs) for code analysis and SMT solvers for logical reasoning to enhance accuracy. Experimental results show that Lares achieves superior precision, recall, and usability. Furthermore, it is the first work to evaluate patch presence testing across optimization levels, architectures, and compilers. The datasets and source code used in this article are available at https://github.com/Siyuan-Li201/Lares.
