OGhidra: Local AI For Reverse Engineering at Scale

Slides for this presentation are available to registered HCSS community members: [HCSS 2026 Westbrook]


ABSTRACT

The security of critical systems relies on our ability to understand the software running inside them. Reverse engineering compiled binaries is vital for discovering vulnerabilities and verifying trustworthiness, but it remains heavily labor-intensive. An analyst can spend weeks tracing data flows and analyzing code to verify a single moderately complex binary, a manual process that simply cannot scale to meet modern national security demands.

To address this, we present a framework that pairs local and frontier large language models with structured reverse engineering tools to accelerate binary analysis. Rather than attempting to replace human analysts, our system acts as an adaptive assistant. When an analyst asks a straightforward question like "What does this function do?", the system works conversationally: it looks up the relevant code from the binary metadata, reads it, and, most importantly, reasons about it directly. When the analyst needs something deeper, such as "Find exploitable vulnerabilities across this binary", the AI recognizes the scope of the request and shifts into a structured investigation. In that mode OGhidra maps the binary's attack surface, applies deterministic rules to flag known vulnerability patterns such as DLL hijacking or command injection, and then dispatches focused analysis workers to trace and verify each lead.

The key to making this work is separating planning from execution. A reasoning layer decides what to investigate next based on what has already been found, while specialized workers interact directly with the binary through Ghidra's tooling. Findings are recorded into a shared notebook as they emerge, not batched at the end, so the system builds context the same way a human expert does: incrementally, with each discovery informing the next step. This design ensures three properties critical for high-confidence analysis: consistent vulnerability scanning that does not depend on LLM variability, verified coverage of security-relevant code areas, and a clear audit trail showing how every conclusion was reached.
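The following is an added illustration of the design sketched in the two paragraphs above (deterministic rules for known patterns, a planner that picks the next function from what has already been found, workers that examine one function at a time, and a shared notebook that doubles as the audit trail). It is not OGhidra's code and does not use Ghidra or any language model: the decompiled pseudo-C, the function names and the rules are constructed for the example, the "planner" is a plain worklist policy, and the "workers" are regex rules. A final coverage pass shows how a rule-relevant function the planner never reached is still examined and recorded as such.

```python
"""Planner/worker triage over decompiled functions with a shared notebook.
Added illustration, not OGhidra's code; all inputs below are constructed."""
import re
from dataclasses import dataclass, field

# Constructed, Ghidra-style decompiler output for a toy binary.
DECOMPILED = {
    "main": """int main(int argc, char **argv) {
  if (argc > 1) parse_request(argv[1]);
  return add_ints(1, 2);
}""",
    "parse_request": """void parse_request(char *input) {
  char buf[64];
  strcpy(buf, input);
  run_tool(buf);
}""",
    "run_tool": """int run_tool(char *name) {
  char cmd[256];
  snprintf(cmd, sizeof cmd, "tool %s", name);
  return system(cmd);
}""",
    "add_ints": "int add_ints(int a, int b) { return a + b; }",
    # Not reachable from main: the coverage pass must still examine it.
    "load_plugin": 'void load_plugin(void) { LoadLibraryA("helper.dll"); }',
}

# Deterministic rules: each flags a known pattern as a lead for a worker to
# verify, so the same binary always yields the same leads, model or no model.
RULES = [
    ("unbounded-copy", re.compile(r"\b(strcpy|strcat|gets|sprintf)\s*\("), "high"),
    ("command-exec-sink", re.compile(r"\b(system|popen|execl[pe]?)\s*\("), "high"),
    # A bare file name (no path separator) is resolved via the DLL search
    # order, which is the precondition for DLL hijacking.
    ("unqualified-library-load",
     re.compile(r'\bLoadLibrary[AW]?\s*\(\s*"[^"/\\]+"\s*\)'), "medium"),
]
CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\(")  # crude callee extraction


@dataclass
class Finding:
    rule: str
    function: str
    evidence: str  # the decompiled line that triggered the rule
    severity: str


@dataclass
class Notebook:
    """Shared state: findings, the functions examined, and the audit log."""
    findings: list = field(default_factory=list)
    examined: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def record(self, step, detail):
        self.log.append(f"{len(self.log) + 1:02d} {step}: {detail}")


def scan_function(name, code, nb):
    """Worker: apply every rule to one function, recording findings as they occur."""
    nb.examined.add(name)
    nb.record("scan", name)
    for line in code.splitlines():
        for rule, pattern, severity in RULES:
            if pattern.search(line):
                nb.findings.append(Finding(rule, name, line.strip(), severity))
                nb.record("finding", f"{rule} in {name}: {line.strip()}")


def callees(name, code, binary):
    """Functions of the binary that this function calls, in first-seen order."""
    return [c for c in dict.fromkeys(CALL.findall(code)) if c in binary and c != name]


def analyze(binary, entry_points=("main",)):
    """Planner loop: choose the next function from what has been found so far."""
    nb = Notebook()
    worklist = list(entry_points)
    while worklist:
        name = worklist.pop(0)
        if name in nb.examined:
            continue
        before = len(nb.findings)
        scan_function(name, binary[name], nb)
        pending = [c for c in callees(name, binary[name], binary) if c not in nb.examined]
        # A function with findings passes suspect data on to its callees, so
        # they are examined next; otherwise they go to the back of the queue.
        worklist = pending + worklist if len(nb.findings) > before else worklist + pending
        nb.record("plan", f"next={worklist}")
    # Coverage check: a rule-relevant function the planner never reached
    # (dead code, alternate entry point) is still examined and logged as such.
    for name, code in binary.items():
        if name not in nb.examined and any(p.search(code) for _, p, _ in RULES):
            nb.record("coverage", f"{name} not reached from entry points")
            scan_function(name, code, nb)
    return nb


if __name__ == "__main__":
    notebook = analyze(DECOMPILED)
    for f in notebook.findings:
        print(f"[{f.severity}] {f.rule} in {f.function}: {f.evidence}")
    print("\n".join(notebook.log))
```

Running the script lists three leads (the unbounded copy in `parse_request`, the command sink in `run_tool`, and the bare library name in `load_plugin`) followed by the numbered log, which shows the planner chasing `run_tool` ahead of `add_ints` once `parse_request` produced a finding, and the coverage pass picking up `load_plugin`. Each lead carries the rule, the function and the exact decompiled line, which is the minimum an analyst needs to reproduce or dismiss it.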

Crucially, the entire system was designed to operate locally. By running models directly on the analyst's hardware, sensitive decompiled code never leaves the secure environment. This local-first design makes the approach viable for air-gapped networks, classified settings, and proprietary firmware analysis where cloud services are not an option.

Traditional vulnerability discovery relies heavily on signature matching and pattern recognition, techniques that are effective for known bug classes but blind to novel flaws. Because our system can read and reason about decompiled code rather than just scan for known signatures, it opens the door to finding vulnerabilities through understanding: tracing how user input flows through a program, recognizing when a buffer is used without proper bounds checking, or identifying that a service path is constructed from unvalidated external data. This shift from "match a pattern" to "comprehend the logic" is what allows the approach to generalize beyond reverse engineering into source code auditing, infrastructure compliance, digital forensics, and safety-critical system verification: any domain where the real question is not "does this match a known bad thing" but "is this actually correct."


Eddy Westbrook has 18 years of experience as a professional researcher in formal methods for the assurance of software and hardware, the last 8 as principal investigator. He has won over $9M of project funding from DARPA and other government agencies, co-supervised 2 PhD students, and presented at numerous conferences and workshops. Eddy joined the Lawrence Livermore National Laboratory Center for Applied Scientific Computing (CASC) in June 2024, after having previously worked at Galois, Inc. and Kestrel Institute. He received his PhD in Computer Science from Washington University in Saint Louis in 2008.


Submitted by Katie Dey on