Title: Finding Needles at Scale: Using Large Language Models to Prioritize Target Selection in Windows Vulnerability Research

Abstract:

Identifying relevant code within the expansive attack surface of a contemporary operating system is akin to searching for a needle in a haystack. With thousands of signed binaries and millions of functions, the vast majority hold no relevance to any specific vulnerability. Consequently, before any deep analysis can occur, a human analyst or an LLM agent must first determine which functions warrant examination. At the scale of an entire operating system, the bottleneck lies not in the analysis itself, but in the selection of targets. To address this, we introduce Symbolicate-Enrich-Sample, a cost-effective batch processing pipeline that transforms a corpus of production Windows binaries into a prioritized, queryable research queue.

Our approach involves three primary steps. First, we restore function-level symbols for stripped vendor binaries by automatically retrieving public symbol files and integrating them with a reconstructed call graph. Second, we append inexpensive, deterministic structural features to each identified function. Based on these features, a lightweight language model assigns each function a reachability tier, a risk assessment, a hypothesis regarding potential bug classes, and a supporting rationale. Finally, we generate diverse, prioritized batches using a priority-weighted importance sampler.

This work contributes a foundational selection substrate—a prioritization layer upon which downstream detectors or LLM agents can operate. When applied to a complete Windows image containing 7,231,419 functions, our labeling mechanism proves highly selective. By applying deterministic filters atop these labels, we reduce the candidate set to approximately 22,000 functions. This manageable shortlist of "candidate needles" is small enough for a human researcher or automated agent to review effectively. We detail the methodology, characterize the pipeline’s selectivity and its limitations, and present aggregate statistics, though we have withheld the derived dataset due to legal constraints and dual-use concerns.

Source: arXiv Generated at: 2026-06-02 00:00:00 UTC