Table of Contents
Fetching ...

Exposing Hidden Interfaces: LLM-Guided Type Inference for Reverse Engineering macOS Private Frameworks

Arina Kharlamova, Youcheng Sun, Ting Yu

TL;DR

This work tackles the challenge of undocumented private macOS frameworks by introducing MOTIF, a hybrid framework that couples tool-augmented analysis with a specialized Objective-C type-inference LLM. The system comprises MOTIF-agent (LLM-guided reverse engineering with a constraint-based linter and tool suite), MOTIF-bench (a reproducible Mach-O type-inference benchmark), and MOTIF-model (a lightweight, locally deployable tool-aware LLM). On MOTIF-Bench, signature recovery improves from 15% to 86% relative to static baselines, and private-framework case studies show reconstructed headers that compile and enable security analysis. The framework provides a scalable foundation for auditing macOS internals while maintaining privacy and reproducibility, with potential extension to other binary formats and operating systems.

Abstract

Private macOS frameworks underpin critical services and daemons but remain undocumented and distributed only as stripped binaries, complicating security analysis. We present MOTIF, an agentic framework that integrates tool-augmented analysis with a finetuned large language model specialized for Objective-C type inference. The agent manages runtime metadata extraction, binary inspection, and constraint checking, while the model generates candidate method signatures that are validated and refined into compilable headers. On MOTIF-Bench, a benchmark built from public frameworks with groundtruth headers, MOTIF improves signature recovery from 15% to 86% compared to baseline static analysis tooling, with consistent gains in tool-use correctness and inference stability. Case studies on private frameworks show that reconstructed headers compile, link, and facilitate downstream security research and vulnerability studies. By transforming opaque binaries into analyzable interfaces, MOTIF establishes a scalable foundation for systematic auditing of macOS internals.

Exposing Hidden Interfaces: LLM-Guided Type Inference for Reverse Engineering macOS Private Frameworks

TL;DR

This work tackles the challenge of undocumented private macOS frameworks by introducing MOTIF, a hybrid framework that couples tool-augmented analysis with a specialized Objective-C type-inference LLM. The system comprises MOTIF-agent (LLM-guided reverse engineering with a constraint-based linter and tool suite), MOTIF-bench (a reproducible Mach-O type-inference benchmark), and MOTIF-model (a lightweight, locally deployable tool-aware LLM). On MOTIF-Bench, signature recovery improves from 15% to 86% relative to static baselines, and private-framework case studies show reconstructed headers that compile and enable security analysis. The framework provides a scalable foundation for auditing macOS internals while maintaining privacy and reproducibility, with potential extension to other binary formats and operating systems.

Abstract

Private macOS frameworks underpin critical services and daemons but remain undocumented and distributed only as stripped binaries, complicating security analysis. We present MOTIF, an agentic framework that integrates tool-augmented analysis with a finetuned large language model specialized for Objective-C type inference. The agent manages runtime metadata extraction, binary inspection, and constraint checking, while the model generates candidate method signatures that are validated and refined into compilable headers. On MOTIF-Bench, a benchmark built from public frameworks with groundtruth headers, MOTIF improves signature recovery from 15% to 86% compared to baseline static analysis tooling, with consistent gains in tool-use correctness and inference stability. Case studies on private frameworks show that reconstructed headers compile, link, and facilitate downstream security research and vulnerability studies. By transforming opaque binaries into analyzable interfaces, MOTIF establishes a scalable foundation for systematic auditing of macOS internals.
Paper Structure (13 sections, 1 equation, 14 figures, 7 tables)

This paper contains 13 sections, 1 equation, 14 figures, 7 tables.

Figures (14)

  • Figure 1: Command execution across privilege boundaries via hidden APIs. A sandboxed application invokes a private framework API, which registers an XPC messaging interface. Through this channel, attacker-controlled arguments can be used to execute code outside the sandbox.
  • Figure 2: Example of MOTIF in operation: the agent interacts with analysis tools and a semantic linter in a closed-loop refinement process to recover hidden APIs.
  • Figure 3: Overview of the MOTIF architecture. The pipeline consists of: (I) binary preparation; (II) a constraint satisfaction feedback loop under linter-derived semantics, composed of (II.1) prompt assembly; (II.2) an agent system; and (II.3) semantic linter diagnostics. The loop iteratively refines candidate signatures until constraint satisfaction is achieved.
  • Figure 4: Example tool call: LLM invokes disassembler to inspect method body.
  • Figure 5: Overview of Mach-O Type-Inference Framework Benchmark construction process. The pipeline consists of five main stages. Data collection: Ground truth data are extracted from Xcode resources, while input data candidates are dumped from the dyld shared cache and processed. Filtering: Frameworks are binned by method count and equally sampled to ensure balanced representation across varying sizes and prevent sampling bias. Data preprocessing: Extracted headers are transformed and parsed using ANTLR4-based tools to reduce size and extract incomplete method signatures. Matching: Candidate methods are matched against the ground truth and unmatched methods are discarded. Evaluation process: Solutions generated by LLMs are parsed and compared against the ground truth on a per-signature basis, evaluating argument types and return types to generate benchmark metrics and reports.
  • ...and 9 more figures