## How Deterministic Fully-Static Whole-Binary Translation Works (Elevator) **Deterministic fully-static whole-binary translation** is a method for converting an executable from one CPU architecture (e.g., x86-64) to another (e.g., AArch64) **without using heuristics, runtime components, or debug information**. The approach is exemplified by **Elevator**, a system introduced in the 2026 paper "[Deterministic Fully-Static Whole-Binary Translation without Heuristics](https://arxiv.org/abs/2605.08419)". ### Core Problem: Code vs. Data Ambiguity In stripped binaries, it is impossible to perfectly distinguish code bytes from data bytes (a variation of the halting problem). Traditional static binary translators rely on heuristics (e.g., following likely control flow) or dynamic runtime fallbacks (JIT), which introduce non-determinism and expand the trusted computing base. ### The Solution: Superset Disassembly & Exhaustive Interpretation Elevator solves this by treating **every byte as potentially code, data, or an operand**. Instead of guessing, it performs **superset disassembly**: 1. **Exhaustive Interpretation**: For every byte offset in the binary, Elevator generates all feasible interpretations (e.g., "this byte is the start of an instruction," "this byte is data," "this byte is part of an operand"). 2. **Control Flow Graph Construction**: It builds a control flow graph that includes **all possible execution paths** derived from these interpretations. 3. **Pruning**: Paths that lead to illegal instructions or abnormal termination are pruned, but all valid paths are preserved. ### Translation Pipeline The translation process is fully static and deterministic: 1. **Offline Tile Bank**: Elevator uses a pre-generated library of "tiles" (small code snippets) derived from a high-level description of the source ISA (x86-64) and target ISA (AArch64). Each tile corresponds to specific instruction translations. 2. **Composition**: The system composes these tiles to generate the translated code for every valid control flow path identified in the superset disassembly. 3. **State Preservation**: The translation ensures full state preservation, including register mappings and ABI boundary handling via transition gadgets. 4. **Indirect Control Flow**: For indirect jumps (where the target is computed at runtime), Elevator embeds address-lookup tables directly into the binary, eliminating the need for a runtime translation component. ### Key Characteristics & Trade-offs * **Determinism**: Translating the same binary twice produces identical output, enabling reproducible builds and cryptographic signing before deployment. * **Self-Contained Output**: The result is a complete, standalone executable with **no runtime component** in the trusted code base. This reduces the attack surface and simplifies certification. * **Code Size Expansion**: The main trade-off is significant code size growth (often 4-5x larger) because all feasible code paths are explicitly generated. * **Performance**: Evaluations on SPECint 2006 benchmarks show performance comparable to or better than QEMU's user-mode JIT emulation, despite the static approach. ### Comparison with Traditional Approaches | Feature | Heuristic-Based/JIT Translators | Elevator (Deterministic Fully-Static) | | :--- | :--- | :--- | | **Heuristics** | Relies on guesses | None | | **Determinism** | Low (runtime-dependent) | High (identical output) | | **Code Size** | Moderate, unpredictable | High but predictable | | **Runtime Component** | Required (JIT engine) | None | | **Obfuscated Binaries** | Often fails | Handles all cases | | **Certification** | Difficult (runtime is TCB) | Easy (static artifact) | ### Practical Implications This approach is particularly valuable for: * **Security-critical systems**: Where the trusted computing base must be minimized. * **Legacy software migration**: Moving old x86 binaries to ARM-based servers without source code. * **Embedded systems**: Where predictable performance and binary size are manageable trade-offs for reliability. ### References * **Primary Paper**: [arXiv:2605.08419](https://arxiv.org/abs/2605.08419) - "Deterministic Fully-Static Whole-Binary Translation without Heuristics" * **Technical Summary**: [emergentmind.com/papers/2605.08419](https://www.emergentmind.com/papers/2605.08419) * **Related Work (Superset Disassembly)**: [Multiverse System](https://deepwiki.com/utds3lab/multiverse) - A prior system using superset disassembly for static binary rewriting. * **Accessible Explanation**: [Sesame Disk Article](https://sesamedisk.com/deterministic-fully-static-binary-translation-elevator/)