Hardening Agentic Binary Reverse-Engineering Platforms

Dynamic-analysis agents execute attacker-controlled code. Persistence between samples lets one binary stage state for the next, and shared infrastructure turns one bad sample into a platform compromise.

Provision a fresh VM or container per sample from a known-clean image, with no writable mounts to host or shared storage. Destroy the instance after the analysis run regardless of outcome. Treat any "warm pool" of sandboxes as an anti-pattern.

Sandbox lifecycle logs show 1:1 instance-to-sample ratio with teardown timestamp. Image hashes are pinned and rotated on a tracked cadence. A reused-instance event raises an incident.

A target that reaches real internet from an analysis sandbox can exfiltrate the analyst environment, fetch second-stage payloads, or signal C2 that it is being analyzed. An agent talked into running egress-capable verbs amplifies the same risk.

Block all outbound traffic at the sandbox network boundary by default. Provide behavioral observation through emulated-internet services (INetSim-style fakes, DNS sinks, fake update servers) on an isolated network segment. Egress to real destinations requires an explicit, audited approval path.

Network policy denies egress by default; emulated services log all attempted connections. A test sample attempting external DNS resolution receives the sinkhole response and the attempt is recorded.

If the LLM client, the orchestrator, and the binary execution share filesystem, identity, or network paths, a compromised execution context can reach the agent's secrets, tool tokens, or other samples' artifacts. This is the ambient-authority failure mode applied to RE platforms.

Place the agent/orchestrator and the target execution in distinct trust zones with no shared credentials, no shared mounts, and no shared service identities. Communication crosses a narrow, structured RPC surface — no shell pass-through.

Identity audit shows the execution sandbox holds no tokens that grant access to model APIs, evidence stores, or other sandboxes. A red-team check that escapes the sandbox cannot read agent state.

Broad shell access is the single largest excessive-agency surface in RE agents. The published failure pattern is consistent: agents with raw shell get talked into running adversary-chosen commands inside the sandbox network.

Define an allowlist of named tools (decompile_function, list_xrefs, set_breakpoint, run_trace, query_strings) with typed parameters. Reject calls outside the list. See the generic capability discipline in agent capability control and the survey's "constrained, semantically meaningful interfaces" recommendation.

Tool dispatcher rejects and logs any unknown tool name. No code path exists from agent output to a generic shell or eval. Static review of the orchestrator confirms.

Even within an allowlist, exposing tools as free-form CLI argument strings reinvents shell injection. Semantic interfaces make per-call authorization tractable and make abuse legible in logs.

Each tool takes structured arguments validated against a schema (function address, breakpoint address, file handle ID). The agent cannot pass raw flags or inject argument fragments. Path arguments resolve through a handle table, not raw filesystem strings.

Schema validation rejects malformed calls. A fuzzing pass against the dispatcher with adversarial argument shapes produces no shell expansion or path traversal.

Some actions cannot be safely autonomous: writes outside the sandbox, real-internet egress, modification of the target binary, debugger operations that can affect the host, large resource grabs. Without a gate, a prompt-injected agent will eventually take one.

Define a risk-class taxonomy and route any tool call in a risk class to a synchronous approval queue staffed by an analyst. The agent waits or proceeds with a no-op fallback. Approvals are logged with the requesting evidence chain.

Attempting a risk-class action without a queued approval is denied and logged. Approval audit trail ties each escalation to a human identity and a justification.

Hard caps limit the blast radius of a compromised or looping agent. AgentRE-Bench's 25-call budgets and FORGE's per-agent context bounds exist for the same reason: a runaway agent is both a safety and a cost problem.

Configure per-task limits on tool calls, total tokens, wall-clock time, and sandbox CPU/memory. Exceeding any limit terminates the task and emits a structured event. Surface remaining budget to the agent so the cap is part of its planning surface.

A synthetic looping task is terminated at the configured budget; the termination event is in the audit log; no orphan sandbox instance remains.

Strings, symbol names, debug messages, decompiler output, and runtime stdout originate from the target. Without provenance tagging, the agent cannot distinguish operator instructions from attacker-authored text embedded in the binary. This is the prompt-injection threat applied to RE.

Every artifact entering the LLM context carries an origin label (operator, tool-internal, target-controlled). System policy is explicit: instructions found in target-controlled text are data, not commands. See tool-using agent hardening for the broader pattern.

Context-builder unit tests confirm origin labels survive into the final prompt. An adversarial regression sample with embedded instruction-shaped strings does not change the agent's tool-selection behavior.

ANSI escapes, terminal control sequences, and visually disguised text can mislead both the agent and human reviewers reading the same logs. Decompiler comments and symbol names are common smuggling channels.

Strip or escape control characters and ANSI sequences in all tool outputs before they enter the agent context or the reviewer UI. Normalize Unicode, flag bidi controls, and quarantine outputs that exceed shape thresholds for human review.

A test artifact with embedded ANSI and bidi controls renders as escaped text in both the agent transcript and reviewer UI. No raw control bytes appear in stored evidence.

Studies of agent CTF performance show consistent over-trust of decompiler output. A single view — especially a synthesized view like decompilation — is the easiest surface for a target to manipulate.

For any claim that drives a downstream action (verdict, IOC, vulnerability), the evidence chain must include at least one corroborating view: disassembly, CFG, dynamic trace, or symbolic result. Make this a structural requirement of the evidence schema, not a prompt instruction.

Evidence-graph validator rejects high-confidence claims supported only by decompiler output. Audit shows no shipped verdict with a single-view chain.

When a target probes for a debugger, checks timing, or fingerprints the environment, an agent that silently works around it is making a judgment call that should belong to a human. Auto-bypass also trains the platform to normalize adversary-shaped behavior.

Detectors for common anti-analysis patterns (timing checks, debugger detection, environment fingerprinting) emit a reviewer-visible event. The agent's policy explicitly bars autonomous evasion; bypass is a risk-class action requiring approval.

A test sample exercising anti-analysis primitives produces a reviewer alert; the agent's transcript shows it paused or escalated rather than patched around the check.

A verdict without provenance is unreviewable and unfalsifiable. Project Ire's chain-of-evidence pattern exists because expert reviewers need to see the path from artifact to conclusion, not just the conclusion.

Every claim record carries: source artifact ID, tool calls invoked, raw observations, derived inferences, and a validation status. The reviewer UI renders the chain; downstream consumers receive it as structured data alongside the verdict.

Sampling shipped verdicts shows 100% have a complete chain. Verdicts with incomplete chains are blocked at the export boundary.

Where a claim is checkable — a candidate crashing input, a decryption key, a patched control-flow path — the cost of running the check is far below the cost of shipping a wrong answer. Project Naptime, ClearAgent, and Project Ire converge on this pattern.

For each claim type, define a deterministic validator: does the input crash the binary, does the key decrypt the artifact, does the patched binary still pass functional tests. Validation status is a first-class field on the evidence record.

Claim taxonomy enumerates which classes have validators and which do not. Unvalidated high-impact claims are flagged in the reviewer UI and blocked from auto-shipping.

Project Ire's harder evaluation showed 0.89 precision but 0.26 recall. An agent verdict that arrives at a Defender/EDR or blocklist as a hard label, with no confidence or evidence, is a calibration failure dressed as a detection. Hallucination calibration can dominate raw reasoning depth in benchmark outcomes.

Every verdict carries a confidence value and the evidence chain. Downstream integrations consume confidence-aware records, not booleans. Track an over-claim / hallucination rate as a first-class platform metric alongside precision and recall.

Sample downstream payload includes confidence and evidence-chain references. Dashboard reports over-claim rate and trend. Low-confidence verdicts cannot enter blocklists or EDR rules without human review.

Without a complete trace, neither incident response nor model regression analysis is possible. Tamper-evidence matters because the same target that compromises an agent will try to edit its trail.

Persist tool call name, parameters, return value, timestamp, sandbox ID, and the agent reasoning step that produced the call. Use append-only storage with hash chaining or equivalent. Retention aligns with IR and compliance windows.

Replay of a sample analysis from logs reconstructs the full agent transcript and tool history. Tampering tests confirm modifications are detectable.

Agentic RE platforms will surface vulnerabilities in third-party software. Shipping those findings without coordination — or letting the agent post them anywhere outside a controlled channel — burns trust and may cross legal lines.

Document the disclosure workflow: which findings route to which vendors, who owns vendor contact, what the embargo policy is, and how the agent's evidence chain is sanitized before external sharing. The platform's egress policy enforces that agent output cannot publish externally without going through this path.

Disclosure SOP exists, is owned, and has been exercised on at least one finding. Egress controls block direct external posting from the platform.

Some agent outputs have outsized downstream cost: a "benign" verdict that whitelists a real threat, a "vulnerable" verdict that triggers a CVE filing, an extracted IOC that feeds a global blocklist. Letting these auto-ship is the failure mode the precision/recall numbers warn about.

Enumerate the verdict classes that gate on human review. Reviewers see the evidence graph, not just the conclusion — the "Decompiling the Synergy" study shows experts are harmed by hallucinated suggestions when provenance is hidden. Track time-to-review and reviewer override rate.

Routing rules in code map verdict class to review requirement. Audit shows zero auto-shipped verdicts in gated classes. Reviewer UI shows the full evidence chain by default.

Defenses against in-binary prompt injection, fake C2 indicators, and anti-analysis tricks decay as models, prompts, and tool wrappers change. Without a regression suite, drift goes undetected until production.

Maintain an internal corpus of adversarial samples (held privately, not published) covering injection-shaped strings, misleading symbols, anti-analysis primitives, and corroboration-trap patterns. Run the corpus on every model swap, prompt change, or tool integration. Track pass rate as a release gate.

Regression dashboard shows corpus coverage and per-release pass rate. A failed regression blocks deploy. Corpus owner is named.