CuLifter: Lifting GPU Binaries to Typed IR
For binary analysis and reverse engineering of GPU code, CuLifter solves the type-erasure problem that previously blocked accurate lifting.
CuLifter recovers register types from untyped GPU binaries via constraint propagation, enabling 99.98% of 24,437 functions to be lifted to valid LLVM IR; type recovery is critical, as disabling it drops x86 pass rate from 73.8% to 0%.
GPU compilers merge all data types into a single unified register file, erasing the type information that binary-analysis tools rely on. We show that type recovery from this untyped register file is the central challenge of GPU binary lifting. We present CuLifter, a SASS-to-LLVM IR lifting framework that recovers register types via constraint propagation with conflict detection, reconstructs explicit control flow, and aggregates multi-instruction patterns. Across eight benchmark suites (24,437 GPU functions in 919 cubins) spanning open-source applications, vendor libraries, and optimized ML runtimes, CuLifter successfully lifts 99.98% of functions to valid LLVM IR. An ablation study confirms that type recovery is the only step required to produce semantically correct IR: disabling it drops the x86 pass rate from 73.8% to 0%, a 73.8 percentage-point drop.