Somnus
A local-first reverse-engineering orchestrator that drives Ghidra, angr, Frida and AFL++ through a small local model to triage binaries, with no API keys and no network.
Problem
A binary you are reversing is often something you cannot send to a cloud endpoint, so a tool that assumes you can is a tool you cannot use on the interesting targets. I wanted an agent that triages binaries with the heavy tools doing the real work and a small model only deciding what to run next.
Architecture
Given a target, Somnus runs fast triage, decompiles every function through Ghidra (cached per target), pattern-matches the decompiled C for classic bug shapes, then hands a compacted preview to a local model (qwen3:8b over Ollama) that calls follow-up tools and persists findings to SQLite. No API keys, no network calls. The no-network constraint became a design forcing function: if the local 8B cannot follow the loop, the loop is wrong, not the model.
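The pattern-matching stage described above, as an added example that is not Somnus's own code: it scans a constructed Ghidra-style decompiled function for two classic stack-overflow shapes (a length-less writer into a fixed stack buffer, and a read() whose literal length exceeds the buffer) and persists the findings to SQLite under the target's hash. The regexes, the `findings` table layout and the sample function are assumptions, not the project's.

```python
import re
import sqlite3
# Constructed sample of Ghidra-style decompiled C (not real tool output).
SAMPLE_DECOMPILED_C = """
void greet(void)
{
  char local_48 [64];
  char local_28 [32];
  gets(local_48);
  read(0,local_28,0x60);
  fgets(local_28,0x20,stdin);
  return;
}
"""

# Ghidra names stack locals like `char local_48 [64]`; capture name and size.
STACK_BUF_RE = re.compile(r"\bchar\s+(\w+)\s*\[\s*(\d+)\s*\]")
# Writers that take no length argument at all.
UNBOUNDED_RE = re.compile(r"\b(gets|strcpy|strcat|sprintf)\s*\(\s*(\w+)")
# read(fd, buf, len): flag when len is a literal larger than the buffer.
READ_RE = re.compile(r"\bread\s*\(\s*\w+\s*,\s*(\w+)\s*,\s*(0x[0-9a-fA-F]+|\d+)\s*\)")

def find_bug_shapes(decompiled_c: str, function: str) -> list[dict]:
    """Pattern-match one decompiled function for classic stack-overflow shapes."""
    sizes = {name: int(n) for name, n in STACK_BUF_RE.findall(decompiled_c)}
    findings = []
    for call, buf in UNBOUNDED_RE.findall(decompiled_c):
        if buf in sizes:
            findings.append({"function": function, "shape": "unbounded-write", "buffer": buf,
                             "detail": f"{call}() into {sizes[buf]}-byte stack buffer"})
    for buf, length in READ_RE.findall(decompiled_c):
        n = int(length, 0)  # accepts both 0x60-style and decimal literals
        if buf in sizes and n > sizes[buf]:
            findings.append({"function": function, "shape": "oversized-read", "buffer": buf,
                             "detail": f"read() of {n} bytes into {sizes[buf]}-byte buffer"})
    return findings

def persist(findings: list[dict], target_sha256: str, path: str = ":memory:") -> int:
    """Store findings keyed by target hash; return how many rows that target now has."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE IF NOT EXISTS findings"
                "(target TEXT, function TEXT, shape TEXT, buffer TEXT, detail TEXT)")
    con.executemany("INSERT INTO findings VALUES(?,?,?,?,?)",
                    [(target_sha256, f["function"], f["shape"], f["buffer"], f["detail"])
                     for f in findings])
    con.commit()
    (count,) = con.execute("SELECT COUNT(*) FROM findings WHERE target=?",
                           (target_sha256,)).fetchone()
    con.close()
    return count
```

Note that `fgets(local_28,0x20,stdin)` is correctly left alone: the `\b` in UNBOUNDED_RE keeps `fgets` from matching `gets`, and the length fits the buffer.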
Outcome
Verified end to end on ROP Emporium’s ret2win: it finds the overflow, the win gadget, and the 40-byte offset with no human in the analysis loop. That is a real result and a narrow one; generalisation past simple stack-overflow CTF binaries is not yet tested, and the writeup says so plainly:
A local-first reverse-engineering agent.