As one of QUT's first PhD graduates, Dr Cristina Cifuentes pioneered work in decompilation, which has since become a cornerstone of cybersecurity analysis. Now Vice President of Software Assurance at Oracle, Cristina reflects on her time at QUT, the uphill battle to have her work recognised, and how her groundbreaking thesis laid the foundation for a global field.
Can you explain what decompilation is, and why it’s so important for those who aren't familiar with it?
Decompilation is the process of converting a compiled binary executable program that runs on a computer back into a high-level representation of the source code; i.e., it is the inverse of the compilation process.
It's a critical tool in the cybersecurity community. It allows researchers and malware analysts to understand the code within a compiled binary for various purposes, including, but not limited to, identifying vulnerabilities in the code, determining how to fix or patch those vulnerabilities, understanding how a piece of malware operates, and more.
You recently celebrated 30 years of decompilation. When you look back, what memories or milestones stand out most?
Looking back over the past 30 years, one memory that stands out is how hard it was to publish academic peer-reviewed papers while I was doing my PhD! The topic of decompilation was not well known in the academic community—many believed it was impossible—and all my early papers were rejected year after year from Computer Science venues.
Years later, when visiting organisations and academic institutions around the world, security researchers would come up to thank me and shake my hand, telling me how much my thesis had influenced their work. For many, it was their introduction to the field of computer security research—they had been given my thesis as a starting point to learn about the techniques. It was surreal to see the thesis being used almost like a textbook! Who would have thought that would happen? I know Geoff Olney, the technical writer who worked with me at the time, would have been thrilled to see how all those edits and reviews paid off.
Can you take us back to your time at QUT—what inspired you to begin exploring decompilation?
I was doing my Honours at QUT and enjoyed a variety of subjects—one of my favourites was Advanced Compilers, which focused on code generation; that is, how to compile a programming language into machine-level, binary executable code. I also took an extra project subject on compilers, and during the summer break, I worked with Professor John Gough and two other students on a project exploring how to make the Gardens Point Modula-2 compilers—originally developed for mainframes—available on a PC.
That hands-on work with low-level assembly and the process of translating from high-level languages and intermediate representations into assembly fascinated me. So, when John and Professor Bill Caelli told me about a potential project to do the reverse, I was immediately intrigued. The problem sounded challenging, and that appealed to me.
At the time, did you imagine how influential your research would become?
I could never have imagined that my research would have the kind of impact it has had on the global cybersecurity community—a community that didn’t even exist when I was conducting my research in the early 1990s. It really grew and took shape in the 2000s.
What were the biggest challenges you faced early on as you tried to turn your ideas about decompilation into reality?
The biggest challenges I faced while doing the research were:
- Not having other students or academics onsite to talk to about this area, as no one else was working on decompilation at the time. Instead, I connected with a few people online via email, though email was still new and only available within academic institutions.
- Struggling to publish my initial papers at domestic and international computer science conferences.
You were one of QUT’s first PhD graduates—can you share what your experience at QUT was like, and how it shaped the path you’re on today?
As a migrant, my experience at QUT was enriched by friendships with both domestic and international students. I had the opportunity to learn about cultures beyond my own Latina background, especially during my first years at QUT. I enjoyed computing challenges, and doing my PhD in an area that was so intellectually demanding from a problem-solving perspective was incredibly rewarding.
Having a supportive supervisor was also key. John Gough guided me with prompts like “go this way” or “what about thinking of the following.” He genuinely cared about the work I shared with him. He told me that a PhD is about learning how to do research—that I didn’t have to stay in the same area forever. At the beginning of the PhD, I would be the apprentice and he would be the expert, but by the end, I would become the expert and he the apprentice. That philosophy made the journey truly meaningful, and I’m grateful to John for his support throughout.
This experience gave me the confidence to tackle other complex challenges in the years that followed, such as binary translation, compilation and partitioning for a massively parallel Verilog machine, just-in-time compilation of Java for resource-constrained IoT devices, and static program analysis for detecting vulnerabilities in source code. It also prepared me to lead teams at Oracle Labs and now at Oracle’s Software Assurance organisation.
What excites you most about the work you’re doing now as Vice President of Software Assurance at Oracle?
The most exciting part of my work in Oracle’s Software Assurance organisation is the ability to deploy security research and software engineering ideas into production, creating a new state-of-the-art in software assurance for large-scale industrial applications. We’re pushing the boundaries of what’s currently possible and scaling up software assurance to new levels, developing innovations as we go along the journey.
What’s the proudest moment of your professional journey so far?
The proudest moment of my professional journey so far was last year, when I was invited to a meeting at the U.S. Department of Defense, and I was asked a question specifically because I was recognised as an expert in decompilation. The fact that, 30 years after the submission and publication of my research, decompilation is now a standard term discussed in government defence departments is truly amazing—and a testament to the impact of the work.
I also find it incredibly rewarding that my career has come full circle. Today, I lead teams and hire security researchers who use decompilers in their work, techniques that I helped pioneer. It’s an extraordinary thing to witness in one’s lifetime.
When you reflect on your legacy, what do you hope your contributions will represent?
I hope my contributions will represent a turning point, when something once thought impossible became possible. At a time when few believed decompilation could be automated, I built the foundations that helped prove it could. My work showed that rigorous, mathematically based program analysis at the binary level wasn’t just academic theory—it could have real-world applications with lasting impact.
I’d like my legacy to be one of persistence, vision, and practical innovation. I didn’t just contribute to cybersecurity research—I helped shape a toolset and mindset that now define parts of it. I hope others, especially students and young researchers, see in my journey that it’s okay to work on something unconventional, to face rejection, and still press forward. If what I built continues to inspire or empower others, then that’s the kind of legacy I’d be proud to leave behind.
Finally, what advice would you give to QUT students or alumni who dream of building an enduring legacy in their own field?
My advice to QUT students and alumni is to focus on problem areas that genuinely interest you—especially those that are challenging—and pursue them with passion. Stay committed to solving problems that matter to you. Don’t give up when you face setbacks. I persevered despite many academic conference paper rejections, and yet my final PhD thesis is now considered a reference book. It wouldn’t be if I had given up 30-something years ago.
Impact takes time. You’re doing the work because you’re interested in it—you’re having fun regardless!
And finally, embrace the latest technology. Don’t get left behind. Explore how emerging technologies can help you solve new problems or promote your work in new and different ways.
QUT degrees—Bachelor of Applied Science (Computer Science) (Honours) 1991 and PhD 1995