Aarno Labs Blog

The latest news and research from Aarno Labs

Publication: Binary Micro-patching Through Edits to Lifted C Code

Author: Michael Gordon

At the 2026 Workshop on Binary Analysis Research (BAR), co-located with the Network and Distributed System Security Symposium, we presented Dilipa: Making Micropatches from Edits to Lifted C. Dilipa is a capability within the broader CodeHawk Binary Analysis and Patching framework that enables security patches to be developed directly from edits to lifted C code, even when source code is unavailable.

Modern infrastructure increasingly depends on embedded and legacy systems whose vendors no longer provide updates. In many cases, defenders are left with vulnerable binaries but no source code, no build system, and no practical way to apply traditional software patches. Existing binary patching workflows typically require expert reverse engineers manually working at the assembly level, a slow and expensive process that does not scale well to the growing volume of vulnerabilities. Dilipa was designed to change that. Instead of forcing engineers to work directly with binary instructions, Dilipa allows patches to be expressed as small edits to decompiled C code lifted from the binary. Under the hood, the system automatically extracts those edits and transforms them into precise binary-level micropatches.

A central idea behind Dilipa is the concept of a micropatch: a small, localized modification to a binary that minimizes unintended side effects and enables strong validation after patching. Dilipa operates on a metadata-rich intermediate representation called PIR (Patcher Intermediate Representation), generated using CodeHawk's binary analysis capabilities. PIR links high-level lifted C constructs back to the exact instructions, registers, and memory locations in the original binary. This provenance information allows Dilipa to surgically insert new logic through direct instruction replacement or lightweight trampolines while preserving the surrounding program behavior as much as possible.

The paper demonstrates Dilipa on several real-world embedded-system vulnerabilities, including a production medical device vulnerability (CVE-2024-12248), a buffer overflow in an embedded intrusion detection system, and a race condition in a real-time CAN bus processing system. In one example, the patch itself consisted of only a few lines of inserted validation logic added to lifted C code, while the resulting binary modification changed just 68 bytes in a 2.8 MB firmware image. Dilipa’s integration with CodeHawk also enables relational binary analysis after patching, allowing the system to compare the original and modified binaries and provide evidence that the vulnerability was removed without introducing unintended semantic changes elsewhere in the program.
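As an added illustration, not code from the paper or from the CodeHawk project: a small Python model of an in-place micropatch record (offset, expected bytes, same-length replacement) that refuses to apply to the wrong binary, followed by a byte-level comparison of the original and patched images that reports how many bytes changed and over what span. The record format, the sample image and the patch bytes are constructed for this example; Dilipa's PIR and trampolines are not modelled.

```python
"""Apply an in-place micropatch and measure how localized the resulting binary change is.
Illustrative model only; Dilipa's PIR and patch format are not shown on the page."""
from dataclasses import dataclass

@dataclass(frozen=True)
class MicroPatch:
    offset: int         # file offset of the first byte to replace
    expected: bytes     # bytes the patcher expects to find there (ties the patch to one binary)
    replacement: bytes  # same length: direct instruction replacement, no code growth

def apply_micropatch(image: bytes, patch: MicroPatch) -> bytes:
    """Return a patched copy of image, refusing to patch if any precondition fails."""
    end = patch.offset + len(patch.expected)
    if len(patch.replacement) != len(patch.expected):
        raise ValueError("in-place micropatch must not change the region length")
    if end > len(image):
        raise ValueError("patch region lies outside the image")
    if image[patch.offset:end] != patch.expected:
        raise ValueError("bytes at offset differ from expected: wrong binary or wrong offset")
    return image[:patch.offset] + patch.replacement + image[end:]

def applies_cleanly(image: bytes, patch: MicroPatch) -> bool:
    """True if the patch's preconditions hold for this image."""
    try:
        apply_micropatch(image, patch)
        return True
    except ValueError:
        return False

def locality_report(original: bytes, patched: bytes) -> dict:
    """Count differing bytes and the span they cover, as input to post-patch validation."""
    if len(original) != len(patched):
        raise ValueError("image length changed; not an in-place micropatch")
    diff = [i for i, (a, b) in enumerate(zip(original, patched)) if a != b]
    if not diff:
        return {"changed": 0, "span": 0}
    return {"changed": len(diff), "first": diff[0], "last": diff[-1],
            "span": diff[-1] - diff[0] + 1}

# Constructed sample image: 4 KiB of filler with a recognisable 8-byte sequence at 0x100.
_img = bytearray(b"\x90" * 4096)
_img[0x100:0x108] = bytes.fromhex("0011223344556677")
FIRMWARE = bytes(_img)
# Constructed patch: replace two bytes inside that sequence.
PATCH = MicroPatch(offset=0x102, expected=bytes.fromhex("2233"),
                   replacement=bytes.fromhex("aabb"))

if __name__ == "__main__":
    patched = apply_micropatch(FIRMWARE, PATCH)
    print(locality_report(FIRMWARE, patched))  # {'changed': 2, 'first': 258, 'last': 259, 'span': 2}
```

Re-applying the patch to an already patched image fails the expected-bytes check, which is the property that stops a micropatch from landing on the wrong firmware build.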

Dilipa represents a major step toward a broader vision for high-assurance remediation of legacy and end-of-life systems. By combining deep static analysis, binary lifting, micropatching, and post-patch validation within CodeHawk, we aim to reduce the expertise required to safely modify critical binaries while increasing confidence in the resulting patches. The full paper also discusses the challenges of patching optimized binaries, the design of Dilipa’s intermediate representation and trampolines, and future directions including automated synthesis of patch descriptions and support for additional architectures.