Oxidizer: The First Rust Decompiler Integrated into angr, Presented at IEEE S&P 2026

Project Background and Positioning

Oxidizer is the world’s first deep Rust decompiler built on the angr binary analysis framework. Its core capability is to decompile Rust binaries into Rust‑like pseudo‑code instead of the C‑style output produced by conventional decompilers. The research paper was accepted at IEEE S&P 2026, a top security conference.

Why Existing Decompilers Fail on Rust

When opening a Rust binary with IDA Pro or Ghidra, the output looks like a bombed mess: struct types disappear, control flow becomes a "goto hell", inlining scrambles call relationships, and Rust’s unique calling convention leads to completely wrong parameter reconstruction. Conventional C‑oriented decompilers (Hex‑Rays, Ghidra, Binary Ninja) assume a C/C++ compilation model and cannot recover high‑level Rust abstractions.

Oxidizer’s Solution

Oxidizer processes Rust‑specific language structures and control flow directly during decompilation, rather than translating generic C pseudo‑code into Rust. This requires low‑level modifications to the decompiler, including:

Restoring Rust struct types

Reconstructing operator‑controlled control flow

Identifying and handling inlined functions

Modeling Rust calling conventions

Recovering enums and macros

Installation

pip install angr
angr decompile <binary> --functions <addr> --rust

The tool is merged into the main angr branch, requiring no extra installation.

Key Features

4.1 Unique Rust Enum and Macro Recovery

Rust enums can carry data and are central to error‑handling patterns such as Result and Option. Traditional decompilers reduce them to raw numbers and jumps. Oxidizer fully restores them, as shown in the example below.

// Original Rust code
match validate(data) {
    Ok(parsed) => process(parsed),
    Err(e) => return Err(e),
}

// Oxidizer decompilation output (pseudo‑code)
if validate(data).is_ok() {
    process(validate(data).unwrap())
} else {
    return Err(validate(data).unwrap_err())
}

4.2 Human‑Study Validation

User experiments showed that participants using Oxidizer achieved:

28% higher accuracy

20% faster task completion

These gains are concrete efficiency improvements.

Evaluation Results

The tool was tested on 28 popular Rust projects across multiple optimization levels and compiler versions. The comparative assessment (Oxidizer vs. angr’s generic Rust support, Hex‑Rays, Ghidra, Binary Ninja) yielded the following observations:

Simplicity : Oxidizer – best; angr – medium; others – poor.

Fidelity : Oxidizer – best; angr – medium; others – poor.

Rust enum recovery : Oxidizer – ✅; all others – ❌.

Rust macro recovery : Oxidizer – ✅; all others – ❌.

Application Scenarios

Malware Analysis

Rust is increasingly adopted by malware authors for its memory safety, cross‑platform nature, and anti‑reverse‑engineering properties. Typical cases include Rust‑based ransomware (e.g., LockBit 3.0), botnet trojans, and supply‑chain attack components. Oxidizer enables red‑team analysts to understand such binaries.

Vulnerability Research

Security auditors can use Oxidizer to examine closed‑source Rust binaries, including proprietary libraries and firmware components.

Firmware Analysis

Rust is used in embedded firmware and critical Linux kernel modules; Oxidizer assists in deep binary understanding of these systems.

Red‑Team Perspective

Attackers are already using Rust – its binaries are small, have few dependencies, and are hard to reverse engineer.

Defenders are lagging – without Oxidizer, analyzing a Rust sample could take days; now it can be done in hours.

Implication for red‑teams – if you write tools in Rust, don’t be overconfident; opponents now have a powerful analysis weapon.

Conclusion

Oxidizer represents a paradigm shift in binary reverse engineering: designing decompilers for a specific language can dramatically outperform generic solutions.