Exposing Hidden Interfaces: LLM-Guided Type Inference for Reverse Engineering macOS Private Frameworks

TL;DR

This paper introduces MOTIF, a framework combining tool-augmented analysis and a fine-tuned large language model to accurately infer types and generate headers for undocumented macOS private frameworks, aiding security analysis.

Contribution

MOTIF is the first system to integrate LLM-guided type inference with runtime analysis for reverse engineering macOS private frameworks.

Findings

Significantly improves signature recovery from 15% to 86%.

Ensures reconstructed headers are compilable and linkable.

Facilitates security research and vulnerability analysis.

Abstract

Private macOS frameworks underpin critical services and daemons but remain undocumented and distributed only as stripped binaries, complicating security analysis. We present MOTIF, an agentic framework that integrates tool-augmented analysis with a finetuned large language model specialized for Objective-C type inference. The agent manages runtime metadata extraction, binary inspection, and constraint checking, while the model generates candidate method signatures that are validated and refined into compilable headers. On MOTIF-Bench, a benchmark built from public frameworks with groundtruth headers, MOTIF improves signature recovery from 15% to 86% compared to baseline static analysis tooling, with consistent gains in tool-use correctness and inference stability. Case studies on private frameworks show that reconstructed headers compile, link, and facilitate downstream security research and vulnerability studies. By transforming opaque binaries into analyzable interfaces, MOTIF establishes a scalable foundation for systematic auditing of macOS internals.