NDSS 2025 – VeriBin: Adaptive Verification Of Patches At The Binary Level

The growing prevalence of binary‑only software distributions has left security teams grappling with a paradox: patches are essential for fixing vulnerabilities, yet without source code, verifying that those patches do not break existing functionality is nearly impossible. Traditional static analysis tools rely on high‑level semantics that disappear during compilation, creating blind spots that attackers can exploit. VeriBin addresses this gap by operating directly on compiled binaries, offering a pragmatic solution for environments where source is unavailable or proprietary, such as embedded devices, legacy systems, and third‑party libraries.

At the core of VeriBin is a two‑stage workflow that combines symbolic execution with property‑based verification. First, the engine symbolically explores the binary to pinpoint code regions altered by the patch, generating symbolic constraints that capture the exact nature of the modifications. Next, it evaluates these constraints against a set of safety properties designed to guarantee functional equivalence—ensuring that the patched binary behaves identically for all inputs that exercised the original code. This approach sidesteps the need for full program decompilation while still providing rigorous guarantees, and it scales to large functions by employing selective path pruning and incremental solving techniques.

The implications for the broader security ecosystem are significant. By delivering high‑confidence, source‑agnostic patch validation, VeriBin enables faster deployment of critical fixes, reduces the risk of inadvertent regressions, and strengthens defenses against supply‑chain attacks like the XZ Utils backdoor. Organizations can integrate VeriBin into continuous integration pipelines, automating binary patch safety checks alongside traditional testing. As binary‑level analysis matures, tools like VeriBin are poised to become standard components of secure software delivery, fostering greater resilience across the software supply chain.