Table of Contents
Fetching ...

HELIOS: Hierarchical Graph Abstraction for Structure-Aware LLM Decompilation

Yonatan Gizachew Achamyeleh, Harsh Thomare, Mohammad Abdullah Al Faruque

TL;DR

HELIOS tackles the structural blindness of LLM-based binary decompilation by introducing a hierarchical, graph-aware prompting scheme that encodes a binary's control-flow graph, function-call graph, and P-Code details into four-tier prompts. By combining static analysis (via Ghidra) with structured prompts and an optional compiler feedback loop, HELIOS guides general-purpose LLMs to produce recompilable, semantically faithful decompilations across six architectures without model fine-tuning. Empirical results on HumanEval-Decompile and MBPP-Decompile show substantial gains in object-file compilability and functional correctness, with near-perfection compilability achievable when using compiler feedback. The framework narrows cross-architecture gaps, enabling robust decompilation in security workflows, and suggests a general paradigm for structured, graph-aware AI reasoning beyond decompilation.

Abstract

Large language models (LLMs) have recently been applied to binary decompilation, yet they still treat code as plain text and ignore the graphs that govern program control flow. This limitation often yields syntactically fragile and logically inconsistent output, especially for optimized binaries. This paper presents \textsc{HELIOS}, a framework that reframes LLM-based decompilation as a structured reasoning task. \textsc{HELIOS} summarizes a binary's control flow and function calls into a hierarchical text representation that spells out basic blocks, their successors, and high-level patterns such as loops and conditionals. This representation is supplied to a general-purpose LLM, along with raw decompiler output, optionally combined with a compiler-in-the-loop that returns error messages when the generated code fails to build. On HumanEval-Decompile for \texttt{x86\_64}, \textsc{HELIOS} raises average object file compilability from 45.0\% to 85.2\% for Gemini~2.0 and from 71.4\% to 89.6\% for GPT-4.1~Mini. With compiler feedback, compilability exceeds 94\% and functional correctness improves by up to 5.6 percentage points over text-only prompting. Across six architectures drawn from x86, ARM, and MIPS, \textsc{HELIOS} reduces the spread in functional correctness while keeping syntactic correctness consistently high, all without fine-tuning. These properties make \textsc{HELIOS} a practical building block for reverse engineering workflows in security settings where analysts need recompilable, semantically faithful code across diverse hardware targets.

HELIOS: Hierarchical Graph Abstraction for Structure-Aware LLM Decompilation

TL;DR

HELIOS tackles the structural blindness of LLM-based binary decompilation by introducing a hierarchical, graph-aware prompting scheme that encodes a binary's control-flow graph, function-call graph, and P-Code details into four-tier prompts. By combining static analysis (via Ghidra) with structured prompts and an optional compiler feedback loop, HELIOS guides general-purpose LLMs to produce recompilable, semantically faithful decompilations across six architectures without model fine-tuning. Empirical results on HumanEval-Decompile and MBPP-Decompile show substantial gains in object-file compilability and functional correctness, with near-perfection compilability achievable when using compiler feedback. The framework narrows cross-architecture gaps, enabling robust decompilation in security workflows, and suggests a general paradigm for structured, graph-aware AI reasoning beyond decompilation.

Abstract

Large language models (LLMs) have recently been applied to binary decompilation, yet they still treat code as plain text and ignore the graphs that govern program control flow. This limitation often yields syntactically fragile and logically inconsistent output, especially for optimized binaries. This paper presents \textsc{HELIOS}, a framework that reframes LLM-based decompilation as a structured reasoning task. \textsc{HELIOS} summarizes a binary's control flow and function calls into a hierarchical text representation that spells out basic blocks, their successors, and high-level patterns such as loops and conditionals. This representation is supplied to a general-purpose LLM, along with raw decompiler output, optionally combined with a compiler-in-the-loop that returns error messages when the generated code fails to build. On HumanEval-Decompile for \texttt{x86\_64}, \textsc{HELIOS} raises average object file compilability from 45.0\% to 85.2\% for Gemini~2.0 and from 71.4\% to 89.6\% for GPT-4.1~Mini. With compiler feedback, compilability exceeds 94\% and functional correctness improves by up to 5.6 percentage points over text-only prompting. Across six architectures drawn from x86, ARM, and MIPS, \textsc{HELIOS} reduces the spread in functional correctness while keeping syntactic correctness consistently high, all without fine-tuning. These properties make \textsc{HELIOS} a practical building block for reverse engineering workflows in security settings where analysts need recompilable, semantically faithful code across diverse hardware targets.
Paper Structure (40 sections, 3 figures, 7 tables)

This paper contains 40 sections, 3 figures, 7 tables.

Figures (3)

  • Figure 1: An illustration comparing two approaches for LLM based decompilation. Path B (Structurally-Agnostic), used by existing methods, treats binary artifacts as flat text. Path A (Context-Aware), our proposed approach, creates a structural context that allows the LLM to reason over control flow and produce semantically faithful decompilation.
  • Figure 2: The high-level architecture of the Helios framework. A binary is first analyzed to extract the decompiled code and its CFG. Helios then abstracts the CFG and combines it with other metadata to form a context-rich prompt for the LLM, enabling structurally-aware decompilation and optional iterative refinement via compiler feedback.
  • Figure 3: The Multi-Part Prompt Format of Helios. Our prompt provides a hierarchical view of the binary, starting with a high-level [FUNCTION_CONTEXT], followed by the [CFG_OVERVIEW] (a topological map of the CFG), and finally, the low-level evidence in [BLOCK_DETAILS] before the [RAW_DECOMPILED_CODE].