CuLifter, a SASS-to-LLVM IR lifting framework, addresses the challenge of type recovery in GPU binaries where type information is erased during compilation. It uses constraint propagation with conflict detection to recover register types, reconstruct control flow, and aggregate multi-instruction patterns. Evaluation across a large dataset of GPU functions shows a 99.98% success rate in lifting functions to valid LLVM IR, with type recovery being crucial for semantic correctness.
Recovering type information from untyped GPU register files is the key to enabling effective binary analysis, unlocking reverse engineering and security analysis of proprietary GPU code.
GPU compilers merge all data types into a single unified register file, erasing the type information that binary-analysis tools rely on. We show that type recovery from this untyped register file is the central challenge of GPU binary lifting. We present CuLifter, a SASS-to-LLVM IR lifting framework that recovers register types via constraint propagation with conflict detection, reconstructs explicit control flow, and aggregates multi-instruction patterns. Across eight benchmark suites (24,437 GPU functions in 919 cubins) spanning open-source applications, vendor libraries, and optimized ML runtimes, CuLifter successfully lifts 99.98% of functions to valid LLVM IR. An ablation study confirms that type recovery is the only step required to produce semantically correct IR: disabling it drops the x86 pass rate from 73.8% to 0%, a 73.8 percentage-point drop.