Screen a macOS, Linux, or Windows binary for functions with anomalous call patterns.
Narrow a large binary down to a handful of functions worth deep symbolic analysis.
Generate a proof-of-concept input for a suspected vulnerability automatically.
Confirm a candidate bug is real by validating it against the live binary.
| jetnoir/metis | ashishdevasia/ha-proton-drive-backup | benchflow-ai/skillsbench-trajectories | |
|---|---|---|---|
| Stars | 6 | 6 | 6 |
| Language | Python | Python | Python |
| Last pushed | — | — | 2026-06-14 |
| Maintenance | — | — | Maintained |
| Setup difficulty | — | moderate | easy |
| Complexity | — | 2/5 | 1/5 |
| Audience | researcher | ops devops | researcher |
Figures from each repo's GitHub metadata at analysis time.
Metis is an automated pipeline for finding security vulnerabilities in compiled binary programs, meaning executable files on macOS, Linux, or Windows, without needing the original source code. It chains four analysis stages that progressively narrow down where a real vulnerability likely exists, then attempts to confirm it by triggering the bug. The first stage, C2, screens the entire call graph, the map of which functions call which, using Random Matrix Theory, a statistical technique, to flag functions whose connection patterns look anomalous. The second stage, C3, takes those flagged functions and runs template based dataflow matching using SSA form, a precise way of representing data flow, to find patterns resembling known vulnerability classes. The third stage, C6, runs symbolic execution on the highest confidence hits. Symbolic execution treats program inputs as unknown variables and uses a constraint solver called Z3 to reason about which inputs would reach a vulnerable path. A path prioritization technique called C1 sits inside C6 and focuses effort on easier to solve paths first, reducing wasted computation by up to 60 percent on mixed difficulty binaries according to the project's own benchmarks. Once C6 finds a potential vulnerability, it synthesizes a proof of concept input. The final stage, C7, validates that proof of concept against the actual running binary using LLDB, DTrace, or a subprocess, confirming whether the finding is real before it gets reported anywhere. Written in Python, Metis depends on the angr binary analysis framework and the Z3 constraint solver. It is aimed at security researchers doing vulnerability research on compiled binaries rather than general application developers.
An automated pipeline that screens compiled binaries, narrows down likely vulnerabilities using symbolic execution, and confirms them on a real running binary.
Mainly Python. The stack also includes Python, angr, Z3.
Mainly researcher.
This repo across BitVibe Labs
Verify against the repo before relying on details.