Minimal Binary Patching for Safety-Critical Systems

Patching vulnerabilities in safety-critical domains such as automotive and aerospace is costly and complex. A small code modification can trigger a complete rebuild, producing a binary with widespread changes. This inflates patch size, complicates regression testing, and makes over-the-air (OTA) updates inefficient, as traditional binary diffs often replace large portions of the executable. We present a binary rewriting–based experiment that shows the feasibility of a patch that updates only the affected bytes by computing the impact of a code change at the binary level. This produces minimal, localized patches rather than regenerated executables. The preliminary experiment shows that a single source change, which leads to thousands of modified bytes after recompilation, can be captured with only a few bytes using our method. For automotive and aerospace systems, this technique reduces patch size, conserves bandwidth, and minimizes disruption to certified software, offering a promising direction for efficient and reliable vulnerability remediation.