Reference implementation accompanying the paper "SCARA: A Semantics-Constrained Autonomous Remediation Agent for Opaque Industrial Software Vulnerabilities" (ACM TOSEM, journal-first submission).
SCARA takes as input a binary artifact, a Software Supply Chain Knowledge Graph (SSCKG), and a set of upstream vulnerability candidates, and produces (i) reachability evidence for each candidate and (ii) the strongest feasible remediation artifact permitted by the artifact's availability class.
The pipeline is organized into four agents:
| Stage | Agent | Module |
|---|---|---|
| 1 | Candidate Acquisition and Context Agent (CACA) | scara.caca |
| 2 | Operational-State Verification Agent (OSVA) | scara.osva |
| 3 | Remediation Synthesis Agent (RSA) | scara.rsa |
| 4 | Correctness Validation Agent (CVA) | scara.cva |
A closed-loop CVA → RSA feedback path supports rejection-constraint-driven remediation iteration; the iteration budget is bounded (default = 3 cycles).
```text
SCARA Framework_t/
├── scara/            # core framework (CACA, OSVA, RSA, CVA, SSCKG, pipeline)
├── baselines/        # baseline systems referenced in §5.2
├── ablations/        # nine ablation variants (A1–A9) from §5.5
├── evaluation/       # RQ1–RQ7 metric runners and statistical reporting
├── configs/          # default + per-partition YAML configs
├── scripts/          # batch reproduction scripts
├── tests/            # unit / smoke tests
├── examples/         # minimal end-to-end examples
├── docs/             # design notes
├── pyproject.toml
├── requirements.txt
└── LICENSE
```
```bash
git clone <this repo>
cd "SCARA Framework_t"
python -m venv .venv && source .venv/bin/activate   # or .\.venv\Scripts\activate on Windows
pip install -e .
```

External tools that SCARA dispatches to (install separately as needed):
| Tool | Used by | Notes |
|---|---|---|
| angr 9.2 | OSVA (binary) | pip install angr |
| KLEE 3.1 (LLVM 14) | OSVA (OIS-ICS, MATIEC C) | requires Docker or local build |
| Z3 4.12 | OSVA SMT backend | bundled with z3-solver PyPI |
| RetroWrite | RSA Tier 2 (PIE ELF) | https://github.com/HexHive/retrowrite |
| E9Patch | RSA Tier 2 (x86 PE) | https://github.com/GJDuck/e9patch |
| GTIRB | RSA Tier 2 (multi-arch) | https://github.com/GrammaTech/gtirb |
| FirmAE | CVA replay (OIS-Binary) | https://github.com/pr0v3rbs/FirmAE |
| libmodbus / OpenDNP3 / open62541 | CVA replay (OIS-Protocol) | system packages |
| OpenPLC + MATIEC | CVA replay (OIS-ICS) | https://github.com/thiagoralves/OpenPLC_v3 |
| SBERT (all-mpnet-base-v2) | OSVA path scoring | pip install sentence-transformers |
| Qwen3-7B / DeepSeek-V3 | RSA Tier 3 | local serving via vLLM or API |
End-to-end pipeline on a single case:
```bash
python -m scara.cli run \
  --binary path/to/artifact.bin \
  --ssckg path/to/ssckg.json \
  --alerts path/to/alerts.jsonl \
  --config configs/default.yaml \
  --out runs/case0001
```

Reproduce paper experiments end-to-end:

```bash
bash scripts/reproduce_paper.sh
```

The pipeline emits, per candidate, a JSON record containing the OSVA label (SAT-strict / SAT-relaxed / UNSAT / UNKNOWN), the selected tier (tier1 / tier2 / tier3 / none), CVA acceptance evidence, and the sequence of CVA → RSA rejection constraints, if any.
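A small consumer of the per-candidate output records described above, added here as an example and not part of the SCARA artifact: it tallies OSVA labels, tiers and CVA acceptances and flags records that break the invariants the README states (label and tier vocabulary, and a rejection sequence no longer than the bounded iteration budget). The field names and the constructed sample stream are assumptions.

```python
import json
from collections import Counter

# Label vocabularies and loop budget as stated in the README.
OSVA_LABELS = {"SAT-strict", "SAT-relaxed", "UNSAT", "UNKNOWN"}
TIERS = {"tier1", "tier2", "tier3", "none"}
DEFAULT_BUDGET = 3  # bounded CVA -> RSA iteration budget (default = 3 cycles)

# Constructed sample of the per-candidate JSONL stream (not real SCARA output).
# Field names are assumed; the README only lists what each record contains.
SAMPLE_JSONL = """\
{"candidate_id": "c1", "osva_label": "SAT-strict",  "tier": "tier1", "cva_accepted": true,  "rejection_constraints": []}
{"candidate_id": "c2", "osva_label": "SAT-relaxed", "tier": "tier2", "cva_accepted": true,  "rejection_constraints": ["rc-1"]}
{"candidate_id": "c3", "osva_label": "UNSAT",       "tier": "none",  "cva_accepted": false, "rejection_constraints": []}
{"candidate_id": "c4", "osva_label": "SAT-strict",  "tier": "tier3", "cva_accepted": false, "rejection_constraints": ["rc-1", "rc-2", "rc-3", "rc-4"]}
{"candidate_id": "c5", "osva_label": "SAT",         "tier": "tier2", "cva_accepted": true,  "rejection_constraints": ["rc-1"]}
"""


def check_record(rec, budget=DEFAULT_BUDGET):
    """Return the list of invariant violations for one record (empty when clean)."""
    problems = []
    if rec.get("osva_label") not in OSVA_LABELS:
        problems.append(f"unknown OSVA label {rec.get('osva_label')!r}")
    if rec.get("tier") not in TIERS:
        problems.append(f"unknown tier {rec.get('tier')!r}")
    rejections = rec.get("rejection_constraints") or []
    # Assumes one rejection constraint per CVA -> RSA cycle, so the sequence
    # can never be longer than the loop budget.
    if len(rejections) > budget:
        problems.append(f"{len(rejections)} rejection cycles exceed budget of {budget}")
    return problems


def summarize(jsonl_text, budget=DEFAULT_BUDGET):
    """Tally labels, tiers and CVA acceptances; collect per-candidate violations."""
    labels, tiers, accepted, problems = Counter(), Counter(), 0, {}
    for lineno, line in enumerate(jsonl_text.splitlines(), 1):
        if not line.strip():
            continue
        rec = json.loads(line)
        cid = rec.get("candidate_id", f"line{lineno}")
        labels[rec.get("osva_label")] += 1
        tiers[rec.get("tier")] += 1
        accepted += bool(rec.get("cva_accepted"))
        found = check_record(rec, budget)
        if found:
            problems[cid] = found
    return {"labels": dict(labels), "tiers": dict(tiers),
            "accepted": accepted, "problems": problems}
```

Run `summarize(open("runs/case0001/records.jsonl").read())` on a real run directory (path assumed) to get the same summary for actual output.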
- Default random seeds: 42–46 (five runs averaged).
- Solver budget: T_total = 300 s, relaxation pass = 150 s.
- Coverage threshold: tau_cov = 0.95 (calibrated on validation subset).
- Path softmax temperature: tau_p = 0.5; CACA mixing weight alpha = 0.6.
- Hyperparameters are set in configs/default.yaml.
Released under the MIT License (see LICENSE). Upstream tools retain their
respective licenses.
If you use SCARA, please cite:
```bibtex
@article{scara2026,
  title   = {SCARA: A Semantics-Constrained Autonomous Remediation Agent for
             Opaque Industrial Software Vulnerabilities},
  author  = {Anonymous},
  journal = {ACM Transactions on Software Engineering and Methodology},
  year    = {2026},
  note    = {Journal-first submission}
}
```