Huici, Daniel; Yousefnezhad, Narges; Rodríguez, Ricardo J.; Costin, Andrei
Automating Firmware Vulnerability Triage via High-Level Representations and Similarity Digests Proceedings Article
In: Proceedings of the Workshop on Binary Analysis Research (BAR) 2026, 2026, ISBN: 978-1-970672-08-4.
Abstract | Links | BibTeX | Tags: binary code similarity, firmware vulnerability triage, high-level intermediate representation, N-day vulnerabilities, similarity digests
@inproceedings{Huici2026,
title = {Automating Firmware Vulnerability Triage via High-Level Representations and Similarity Digests},
author = {Daniel Huici and Narges Yousefnezhad and Ricardo J. Rodríguez and Andrei Costin},
url = {https://webdiis.unizar.es/~ricardo/files/papers/HuiciYRC-BAR-26.pdf},
doi = {10.14722/bar.2026.23027},
isbn = {978-1-970672-08-4},
year = {2026},
date = {2026-01-01},
booktitle = {Proceedings of the Workshop on Binary Analysis Research (BAR) 2026},
abstract = {Tracking N-day vulnerabilities in fragmented firmware ecosystems is an open challenge, often hampered by the disconnect between abstract CVE descriptions and the binary code actually distributed in production and connected devices. In this paper, we present a generic CVE-based framework for correlating vulnerable files in heterogeneous firmware images using similarity digests. Our approach leverages sc APOTHEOSIS, an open-source approximate nearest neighbor search system, to scale similarity queries across massive collections of artifacts. To bridge the semantic gap between vulnerability reports and binary reality, we introduce an automated process that lifts confirmed vulnerable implementations to high-level intermediate representations and generates function-level search signatures. We demonstrate the effectiveness of this system as a rapid triage tool using the sc OpenWrt ecosystem as a case study. In the event of a new CVE disclosure, our approach allows analysts to consult the pre-created sc APOTHEOSIS index to immediately generate a prioritized list of affected firmware versions, significantly accelerating impact assessment without being dependent on reliable nor accurate vendor/CVE metadata or source code.},
keywords = {binary code similarity, firmware vulnerability triage, high-level intermediate representation, N-day vulnerabilities, similarity digests},
pubstate = {published},
tppubtype = {inproceedings}
}
Tracking N-day vulnerabilities in fragmented firmware ecosystems is an open challenge, often hampered by the disconnect between abstract CVE descriptions and the binary code actually distributed in production and connected devices. In this paper, we present a generic CVE-based framework for correlating vulnerable files in heterogeneous firmware images using similarity digests. Our approach leverages sc APOTHEOSIS, an open-source approximate nearest neighbor search system, to scale similarity queries across massive collections of artifacts. To bridge the semantic gap between vulnerability reports and binary reality, we introduce an automated process that lifts confirmed vulnerable implementations to high-level intermediate representations and generates function-level search signatures. We demonstrate the effectiveness of this system as a rapid triage tool using the sc OpenWrt ecosystem as a case study. In the event of a new CVE disclosure, our approach allows analysts to consult the pre-created sc APOTHEOSIS index to immediately generate a prioritized list of affected firmware versions, significantly accelerating impact assessment without being dependent on reliable nor accurate vendor/CVE metadata or source code.