OpenAnt: LLM-Powered Vulnerability Discovery Through Code Decomposition, Adversarial Verification, and Dynamic Testing
Abstract: Automated vulnerability discovery in large codebases remains challenging: traditional static analysis produces high false-positive rates, while dynamic approaches such as fuzzing require substantial infrastructure and often target narrow classes of bugs. Recent advances in LLMs enable semantic reasoning about program behavior, but applying LLMs to repository-scale security analysis introduces challenges related to context management, cost, and verification. We present OpenAnt, an open-source vulnerability discovery system that integrates static program analysis with LLM-based reasoning in a multi-stage pipeline. OpenAnt introduces three key techniques. First, codebases are decomposed into self-contained analysis units filtered by reachability from external entry points, reducing the analysis surface by up to 97% while preserving attack-relevant code. Second, candidate vulnerabilities undergo adversarial verification through constrained attacker simulation, where the model evaluates exploitability under realistic attacker capabilities. Third, findings are validated through dynamic verification, in which exploit environments are generated automatically, executed in sandboxed containers, and discarded after use. Evaluation on widely used open-source projects including OpenSSL, WordPress, and Flowise shows that this architecture can identify previously unknown vulnerabilities while maintaining manageable analysis cost and substantially reducing false positives. Our results suggest that closed-loop vulnerability discovery pipelines, combining semantic reasoning with exploit validation, provide a practical path toward scalable automated security analysis. OpenAnt is released as open source under the Apache 2.0 license at https://github.com/knostic/OpenAnt.
Paper Prompts
Sign up for free to create and run prompts on this paper using GPT-5.
Top Community Prompts
Explain it Like I'm 14
A simple explanation of โOpenAnt: LLMโPowered Vulnerability Discovery Through Code Decomposition, Adversarial Verification, and Dynamic Testingโ
1. What is this paper about?
This paper introduces OpenAnt, a tool that helps find security problems (vulnerabilities) in big piles of computer code. Instead of just guessing where problems might be, it uses an advanced AI that can read and reason about code, then tries to prove whether a problem can actually be attacked for real. The goal is to find real, important issues while avoiding false alarms that waste developersโ time.
2. What questions were the authors trying to answer?
- How can we search huge codebases without getting lost or paying a fortune for AI time?
- Can an AI go beyond โthis looks suspiciousโ and reason like a real attacker would?
- Can we automatically show proof (a working test) that a bug is actually exploitable?
3. How did they do it? (Methods in everyday terms)
Think of a giant software project like a city with thousands of buildings (functions). OpenAnt acts like a team of safety inspectors who narrow down where danger could really affect the public, then test those spots carefully.
Hereโs the stepโbyโstep plan:
- Parse and map the code (build the city map)
- The system reads the whole codebase and records every function and which functions call which (a โcall graphโ).
- Keep only places the public can reach (shrink the search area)
- It filters to functions that can be reached from โentry pointsโ where outside users give input (like web routes and API endpoints). This cuts away most internal helper code that attackers canโt touch.
- Classify exposure (identify highโrisk rooms)
- An AI looks at each reachable unit and decides whether itโs truly exposed to users and worthy of deeper security checking.
- Detect possible vulnerabilities (spot likely hazards)
- A stronger AI analyzes how user input flows through the code and if it reaches dangerous actions (like database queries, file access, or network calls) without proper checks.
- Adversarial verification (reason like a real attacker)
- The AI pretends to be an attacker with realistic limits:
- only a web browser (no server access, no admin passwords, no editing server files)
- It tries multiple attack ideas, step by step, and records what would have to happen for the attack to workโor why it fails. It also ignores โselfโharmโ cases where only the attackerโs own data is affected.
- Dynamic verification (build a mini test world)
- For the most plausible findings, the system automatically builds a small, isolated environment (a Docker container) and runs a test exploit to see if the problem really happens. When finished, it deletes everything it created. This produces concrete evidence: CONFIRMED or not.
Key ideas behind this pipeline:
- Code decomposition and reachability: break the code into small, selfโcontained chunks that include their dependencies, then keep only the parts that outside users can reach. This keeps the AI focused and saves cost.
- Adversarial verification: donโt just claim a bugโshow how an attacker would actually use it despite realโworld barriers (logins, input checks, browser rules).
- Dynamic testing: automatically generate and run proofโofโconcept attacks in a safe sandbox to confirm the issue.
4. What did they find, and why is it important?
They ran OpenAnt on eight wellโknown openโsource projects (like WordPress, OpenSSL, and others) written in six different programming languages.
What happened:
- Huge reduction in code to analyze: from 64,132 functions down to about 2,281 โreachableโ units (around a 96% cut) before heavy AI reasoning began, and then down to about 586 truly exposed units.
- Real vulnerability candidates: 190 issues survived the attackerโstyle reasoning step.
- Concrete proof: 144 of those (about 76%) were reproduced automatically with generated exploits in sandboxed containers.
- Lower cost through filtering: the whole run cost about $1,461. Without the early filtering steps, it would have been about$23,700.
Why this matters:
- Fewer false alarms: Many traditional tools flag lots of โmaybeโ problems. OpenAntโs attacker simulation and live tests filter out the ones that donโt really matter, giving developers a shorter, more trustworthy list.
- Works across languages: The same reasoning approach (follow user input to dangerous actions) worked for multiple programming languages without changing the core prompt.
- Realโworld relevance: Instead of judging success only on artificial test sets (which AIs might have โseenโ during training), they focused on finding new issues in actively maintained projects.
5. Whatโs the bigger impact?
- For developers and security teams: This approach helps teams focus on real, exploitable risks, not noise. It can fit into code reviews or ongoing security checks for large projects.
- For the security field: It shows a practical path to scalable, AIโassisted code securityโcombine smart filtering, attackerโstyle reasoning, and automated proof.
- For future work: There are limitsโsome complex bugs are hard to reproduce automatically; the system depends on the AIโs skills; and large analyses can still be costly. But as AIs improve and costs drop, this โclosed loopโ (reason, then verify with a live test) could become a standard way to find serious vulnerabilities at scale.
In short: OpenAnt is like a careful, efficient security inspector for code: it narrows the search to places outsiders can reach, thinks like a patient attacker, and then builds a safe test to show whether the danger is real.
Knowledge Gaps
Below is a consolidated list of concrete knowledge gaps, limitations, and open questions that remain unresolved by the paper. Each item is phrased to suggest actionable directions for future research.
- Lack of head-to-head baselines: No quantitative comparison against leading SAST tools (e.g., CodeQL, Semgrep), fuzzing frameworks, or LLM-only detectors on the same repositories with matched metrics (precision/recall/F1, PPV, developer-validated true/false positives).
- Absent ground truth and disclosure outcomes: The claim of discovering โpreviously unknown vulnerabilitiesโ is not substantiated with responsible disclosure IDs, CVEs, patch links, or maintainer confirmations; without these, external validity of discoveries remains unverified.
- No recall estimation: The pipelineโs false-negative rate is unmeasured; there is no sampling of known exploitable issues in the evaluated repos to estimate missed vulnerabilities.
- Incomplete funnel reporting: Key funnel counts per project (e.g., flagged in Stage 4, confirmed in Stage 5) are partially missing or truncated, preventing full reproducibility and cross-project comparison.
- Entry-point heuristics may induce false negatives: The reachability filter relies on framework-specific patterns and decorators; its recall on dynamic dispatch, reflection, meta-programming, CLI tools, RPC handlers, GraphQL resolvers, or non-standard routing is not evaluated.
- Library vs. application attack-surface modeling: For libraries (e.g., OpenSSL), defining โexternally reachableโ is non-trivial; the paper does not clarify criteria or validate that true library attack surfaces were preserved after reachability filtering.
- No ablation on dependency inlining depth: The choice of inlining dependencies to depth=3 is not justified; there is no study of deeper data flows, performance/accuracy trade-offs, or adaptive depth strategies by language/framework.
- No study of call-graph soundness: The robustness of cross-file call-graph construction for dynamically typed languages (PHP, Ruby, JS/TS), C/C++ macros, templates, or reflection is unmeasured; impact on missed taint paths is unknown.
- Exposure classification accuracy unknown: Stage 3 classification quality (exploitable vs. neutral/security-control) lacks a gold-standard evaluation, inter-rater agreements, or error analyses.
- Stage interactions not quantified: It is unclear how often Stage 5 overturns Stage 4 โsafe/protectedโ assessments, and what net value Stage 4 adds; an ablation is needed to justify each stageโs contribution to cost and accuracy.
- Model dependence and portability: Results depend on closed Anthropic models (Sonnet/Opus). Robustness across model vendors, versions, and open-source models (and under model drift) is untested.
- Prompt sensitivity and determinism: The โlanguage-agnosticโ prompts are not published; there is no sensitivity analysis on prompt variants, temperature, or sampling strategies, nor evaluation of run-to-run flakiness.
- Cost/runtime reproducibility: Only dollar costs are reported; wall-clock times, hardware, concurrency, and queueing latencies are not reported, hindering operational planning and SLA estimation.
- Incremental and large-scale deployment: The pipelineโs behavior on monorepos, multi-million-LOC codebases, and incremental/CI runs (diff-based, caching, memoization) is untested.
- Attacker model rigidity: The adversarial verification assumes a browser-only, unauthenticated remote attacker. Exploits requiring authenticated low-privilege users, insiders, API tokens, mobile apps, CLIs, or service principals are outside scope and unanalyzed.
- โVictim requirementโ may mask real impact: Disallowing self-impact scenarios may miss meaningful exposures (e.g., stored-XSS awaiting admin view, privilege escalation from attacker-owned objects) and multi-step exploit chains.
- Multi-stage exploit chains: The system does not model chained vulnerabilities across services/components; how to compose findings into realistic kill-chains remains open.
- Dynamic verification environment gaps: The sandbox constraints (512 MB RAM, 1 CPU, 120 s timeout) likely prevent reproducing complex builds, integration dependencies, or timing-sensitive issues; the proportion of INCONCLUSIVE/ERROR due to environment limits vs. non-exploitability is not analyzed.
- Network and external-service modeling: SSRF and egress behaviors depend on network topology; clear policies for external network access, stub services, DNS, and intra-service isolation are not detailed or evaluated.
- Safety and ethical safeguards: Potential risks from running auto-generated exploit code (e.g., sandbox escapes, unintended outbound requests) and the governance/IRB/responsible use policies are not specified.
- Tooling attack surface: The pipeline executes untrusted code in containers; a threat analysis of the orchestrator, container isolation, and supply-chain dependencies (e.g., package managers) is absent.
- Coverage beyond input-to-sink flaws: The system focuses on taint-style vulnerabilities; its ability to detect logic bugs, protocol violations, memory safety, concurrency, and side-channel issues is limited and not empirically quantified.
- Memory safety in C/C++: The approachโs effectiveness on low-level memory errors (common in OpenSSL) is unclear; no integration with sanitizers/fuzzers or differential testing is explored.
- Lost-in-the-middle mitigation unquantified: While decomposition is posited as a remedy, there is no measurement of long-context degradation vs. unit-level performance, nor alternative retrieval/hierarchical strategies.
- CWE mapping and severity: Findings are not mapped to CWE categories or assigned severity (e.g., CVSS), limiting triage prioritization and cross-tool comparability.
- Developer-centric outcomes: No measurement of time-to-triage, fix acceptance, remediation guidance quality, or reduction of alert fatigue in real developer workflows.
- Triage artifacts and datasets: The paper does not release the structured outputs (Stage 5 reasoning trails, Stage 6 PoCs), making independent auditing of exploitability assessments difficult.
- Effect of caching and retrieval: Despite high Stage 3 costs, there is no evaluation of semantic caching, code embedding retrieval, or index-assisted navigation to reduce repeated exploration.
- Build-system and ecosystem variability: The robustness of Stage 6 across diverse build tools (e.g., Bazel, CMake, Gradle), OS-specific dependencies, and GPU/accelerator constraints is untested.
- Role- and tenant-aware verification: The system lacks a mechanism to synthesize realistic authenticated identities/tenants and verify authorization boundaries (e.g., ABAC/RBAC, multi-tenant isolation).
- Parameterizable attacker capabilities: There is no interface to tailor attacker constraints (e.g., mobile client, API-only, OAuth tokens, insider) per project, nor evaluation of how such parameters affect detection outcomes.
- Flakiness across retries: Stage 6 allows up to three fix-and-retry iterations, but the success curve, failure modes, and stability across runs are unreported.
- Integration with other analyses: How to compose OpenAnt with fuzzing, symbolic execution, or Datalog-based static analysis for higher recall and stronger guarantees remains open.
- Maintainability under model changes: The pipelineโs brittleness to model API changes and pricing/latency volatility is not discussed; strategies for model-agnostic orchestration are missing.
- Privacy/compliance for proprietary code: The implications of sending code to third-party LLMs, data retention policies, and options for on-prem or air-gapped inference are not addressed.
- Entry-point discovery across architectures: Microservices, event-driven systems, message queues, and serverless triggers pose non-HTTP entry points; discovery and reachability across these paradigms is not evaluated.
- Selection bias in evaluated projects: Projects favor web-facing repos; external validity to embedded systems, desktop apps, kernel modules, or data pipelines is untested.
- Ranking and prioritization: The system reports counts but lacks principled scoring/ranking of findings for efficient human triage under budget constraints.
Practical Applications
Immediate Applications
Below are actionable use cases that can be deployed now, derived from OpenAntโs code decomposition, adversarial verification, and dynamic (Docker-based) exploit validation. Each bullet indicates relevant sectors and key dependencies/assumptions.
- Evidence-based CI/CD security gates for repositories
- Sectors: software, SaaS, finance, healthcare, government IT
- What: Integrate OpenAnt as a CI job (e.g., GitHub Action/GitLab CI) to scan only externally reachable code paths, run LLM-based adversarial verification, and attach reproducible PoC artifacts to pull requests.
- Tools/workflow: โOpenAnt CI Action,โ PR-comment bot that posts CONFIRMED PoCs; merge gating on โCONFIRMEDโ tag.
- Dependencies: Supported languages (Python, JS/TS, Go, C/C++, Ruby, PHP); Docker on CI runners; LLM API access/cost budget; network permissions for sandboxed tests as needed.
- Assumptions: Input-driven vulnerabilities are in scope; long-context model quality affects detection.
- Triage noise reduction for existing SAST deployments
- Sectors: software, AppSec tooling vendors
- What: Use OpenAntโs reachability filtering to pre-filter SAST findings and its adversarial verification to down-rank non-exploitable alerts.
- Tools/workflow: โReachability Filterโ plugin for Semgrep/CodeQL; โAdversarial Verifier SDKโ that ingests SAST alerts and emits exploitability labels/PoCs.
- Dependencies: Access to project call graphs; mapping of SAST alerts to code units; LLM API.
- Assumptions: SAST alert context is sufficient for LLM reasoning.
- Evidence-backed vulnerability reports for maintainers and CVE filings
- Sectors: open-source maintainers, MSSPs, bug bounty programs
- What: Run OpenAnt pre-release or on bug bounty submissions to auto-generate PoCs and structured JSON outcomes (CONFIRMED/INCONCLUSIVE/etc.), improving triage throughput and report quality.
- Tools/workflow: โExploit Reproducer CLIโ; scheduled scans on release candidates; attach containerized PoC artifacts to security advisories.
- Dependencies: Buildable test environment; Docker; repository access.
- Assumptions: Dynamic verification covers the vulnerability environment without complex external deps.
- Secure plugin/extension marketplace vetting
- Sectors: WordPress, npm, VS Code, browser extensions, workflow platforms (Flowise, n8n)
- What: Scan third-party plugins with reachability filtering and exploit validation to detect IDOR, SSRF, mass assignment, XSS before publication.
- Tools/workflow: โMarketplace Intake Scannerโ pipeline; publish exploit evidence to maintainers privately.
- Dependencies: Sandbox-safe execution of plugin code; containerization; clear entry-point heuristics for each framework.
- Assumptions: Marketplace policies permit automated analysis and temporary execution.
- Rapid pre-engagement code review for consulting and pentesting
- Sectors: security consulting, MSSPs
- What: Accelerate scoping by quickly highlighting externally exposed risky flows and validated PoCs, guiding manual testing toward likely exploitable areas.
- Tools/workflow: โDiscovery-then-Manualโ two-phase workflow; deliverable includes exploit evidence bundle.
- Dependencies: Client repository access; safe sandboxing; model access.
- Assumptions: Client code builds cleanly enough for containerized PoC execution.
- Due diligence scanning in M&A and vendor risk management
- Sectors: finance, enterprise procurement, legal
- What: Produce an evidence-based risk snapshot of targetsโ codebases, focusing on exploitable, externally reachable vulnerabilities.
- Tools/workflow: โEvidence-Based Risk Reportโ with per-repo funnel stats and validated findings.
- Dependencies: Legal permission for source access; compute budget; Docker.
- Assumptions: Short engagement windows; coverage limited to input-driven classes.
- SecOps/SOC enrichment for incident response
- Sectors: enterprise SecOps, MSPs
- What: When a suspicious endpoint is implicated in incidents, run targeted OpenAnt units to confirm exploitability and reproduce attack paths.
- Tools/workflow: โOn-demand Adversarial Verificationโ job tied to incident ticket.
- Dependencies: CI/security infra with Docker; time-boxed LLM calls.
- Assumptions: Code versions under investigation are accessible.
- Compliance and assurance evidence for SSDF/ISO 27001/PCI DSS controls
- Sectors: regulated industries (finance, healthcare)
- What: Treat dynamic verification logs and artifacts as objective evidence that high-risk paths are tested for exploitability.
- Tools/workflow: Pipeline artifacts archived in compliance repository; audit dashboards.
- Dependencies: Policy acceptance of AI-assisted validation; retention strategy for ephemeral artifacts.
- Assumptions: Auditors accept reproducible PoCs as evidence; privacy constraints on code access.
- Secure development education and labs
- Sectors: academia, corporate training
- What: Use OpenAnt to generate real PoCs from training repos, teaching closed-loop โfrom code to exploitโ reasoning.
- Tools/workflow: Classroom kits with predefined repos and ephemeral containers.
- Dependencies: Student-safe compute; curated repos; controlled LLM usage.
- Assumptions: Focus on input-driven classes aligns with course objectives.
- Low-cost small-team security for SMEs
- Sectors: SMEs, startups
- What: Host an โOpenAnt Liteโ scheduled scan on critical services to catch high-impact, externally exposed flaws without a dedicated AppSec team.
- Tools/workflow: Weekly/PR-triggered scans with digest reports and PoCs.
- Dependencies: Budgeting per-run; Docker-ready CI; LLM API.
- Assumptions: SMEs accept the subset coverage and cost variability.
Long-Term Applications
The following applications require further research, scaling, integration, or standardization before broad deployment.
- Auto-remediation loops with exploit-to-fix workflows
- Sectors: software, DevSecOps tooling vendors
- What: Couple confirmed exploits to LLM-guided patch suggestions, test patches against the same dynamic harness, and auto-open PRs.
- Dependencies: High-precision patch generation; regression testing; human-in-the-loop review.
- Assumptions: Adequate model reliability for safe code modification.
- IDE-native โattacker simulationโ and reachable-path reasoning
- Sectors: developer tooling
- What: Inline โWhat can an attacker do here?โ analysis in editors, showing reachable sinks and exploitability with on-demand PoC harness generation.
- Dependencies: Efficient local context retrieval; low-latency LLMs; developer privacy controls.
- Assumptions: Cost and latency reduction for interactive use.
- Sector-grade coverage for complex environments (microservices, distributed systems, ICS)
- Sectors: energy, manufacturing, telecom, fintech, healthcare
- What: Extend dynamic verification to multi-service orchestrations (Kubernetes), message buses, and timing/race conditions using coordinated containers.
- Dependencies: Orchestrated testbeds; service emulators; tighter time control; possibly fuzzing integration.
- Assumptions: Feasible to model external dependencies and timing in CI; extended vulnerability classes.
- Integration with formal methods and symbolic execution
- Sectors: high-assurance software (aerospace, medical devices, finance)
- What: Use symbolic execution to prove reachability to sinks and feed counterexamples into OpenAntโs dynamic harness for exploit realization.
- Dependencies: Scalable hybrid analysis; interchange formats between tools; compute resources.
- Assumptions: Hybrid pipelines outperform either approach alone for critical components.
- National-scale scanning of critical open source with evidence artifacts
- Sectors: public sector, CERTs, policy
- What: Government-backed programs to continuously scan critical OSS, publish responsible, evidence-based advisories, and support maintainers with PoCs.
- Dependencies: Funding; governance and disclosure policy; community coordination; compute.
- Assumptions: Policy alignment with OSS ecosystems and responsible disclosure norms.
- Supply-chain and registry gatekeeping with exploit-validated checks
- Sectors: package registries (npm, PyPI), container registries, app stores
- What: Mandate or incentivize exploit-validated scans for high-risk packages prior to feature releases or โtrustedโ labels.
- Dependencies: Standard APIs for results; throughput to handle ecosystem scale; avoiding excessive false negatives/positives.
- Assumptions: Community acceptance; fairness and transparency in gatekeeping.
- Risk scoring for cyber insurance underwriters
- Sectors: insurance, finance
- What: Use counts and severity of CONFIRMED vulnerabilities in core services to inform premiums and underwriting decisions.
- Dependencies: Standardized scoring; anti-gaming safeguards; periodic attestations.
- Assumptions: Legal and ethical permission to assess codebases; consistent methodologies.
- Benchmarking and research standards for LLM security evaluation
- Sectors: academia, standards bodies (NIST/ISO), industry consortia
- What: Establish contamination-aware evaluation protocols using real-world discovery and dynamic verification as a gold standard.
- Dependencies: Shared datasets of anonymized PoCs; reproducibility infrastructure.
- Assumptions: Broad adoption by researchers and vendors.
- Privacy-preserving and on-prem LLM analysis
- Sectors: healthcare, finance, defense
- What: Deploy OpenAnt with local or edge LLMs and offline container builds so source never leaves the perimeter.
- Dependencies: Strong local models; MLOps for on-prem; hardware.
- Assumptions: Local models approach cloud LLM reasoning quality.
- Cross-language and monorepo scale-out with hierarchical analysis
- Sectors: large enterprises
- What: Hierarchical/context-chunking strategies to handle very deep call graphs and massive monorepos without losing relevant context.
- Dependencies: Improvements in retrieval-augmented analysis; model long-context robustness.
- Assumptions: Continued advances in model context handling and cost efficiency.
- Standardized exploit-result schema and attestation
- Sectors: compliance, supply chain, auditors
- What: Define a common JSON/attestation schema for exploit outcomes that auditors and tools can verify and exchange.
- Dependencies: Industry consensus; cryptographic signing/attestation infrastructure.
- Assumptions: Ecosystem incentives for interoperability outweigh vendor lock-in.
- Augmented fuzzing guided by LLM semantic triage
- Sectors: software, security research
- What: Use OpenAnt to identify promising sinks/paths; hand seeds/constraints to fuzzers (AFL/libFuzzer/OSS-Fuzz) for deeper coverage and variant discovery.
- Dependencies: Seed generation interfaces; instrumentation; CI orchestration.
- Assumptions: Synergy improves recall on complex bugs beyond input-driven classes.
- Continuous โruntime postureโ monitoring in production-like mirrors
- Sectors: SaaS, cloud platforms
- What: Mirror production builds into staging and run periodic exploit validation with synthetic traffic to detect regressions or newly reachable paths.
- Dependencies: Safe staging infra; change-detection triggers; cost controls.
- Assumptions: Organizational tolerance for frequent automated security exercises.
Notes on feasibility across applications
- Model capability/limits: Effectiveness depends on LLM reasoning quality and context window limits; some classes (logic/spec violations, race conditions) remain challenging.
- Cost controls: Stage 3 (exposure classification) dominates operational cost; reachability filtering and caching are essential for scale.
- Dynamic verification coverage: Complex dependencies and timing-sensitive exploits may require manual harnessing or extended orchestration.
- Scope alignment: Best results for input-driven vulnerabilities that propagate to dangerous sinks (injection, path traversal, SSRF, auth bypass, XSS).
- Governance and data handling: Policies may restrict code sharing with cloud LLMs; on-prem deployments mitigate but require strong local models and MLOps maturity.
Glossary
- Abstract syntax tree (AST): A tree representation of the syntactic structure of source code used for program analysis and tooling. "language-specific abstract syntax tree (AST) analysis."
- Adversarial verification: A validation stage that tests whether a hypothesized vulnerability is exploitable by simulating realistic attacker behavior. "Stage 5: Adversarial Verification"
- Agentic exploration: Iterative, tool-assisted code navigation by an LLM agent to gather context and trace relationships for analysis. "the agentic code exploration required to trace call relationships and security exposure."
- American fuzzy lop (AFL): A popular coverage-guided fuzzing tool that discovers bugs by mutating inputs and monitoring execution. "American fuzzy lop (AFL)."
- Authorization bypass: A flaw allowing access to protected functionality or data without proper permission checks. "including authorization bypasses, server-side request forgery (SSRF), injection vulner- abilities, and path traversal flaws."
- Benchmark leakage: Contamination where evaluation benchmarks appear in model training data, inflating apparent performance. "LLM benchmark leakage"
- Bidirectional call graph: A graph of function calls that records both caller and callee relationships for program understanding. "construct a bidirectional call graph"
- Breadth-first traversal: A graph exploration strategy that visits neighbors level by level, used here to mark reachable functions. "performs a breadth-first traversal of the call graph"
- Closed-loop vulnerability discovery pipeline: An analysis process that cycles from detection to verification and back, aiming to produce concrete exploit evidence. "closed-loop vulnerability discovery pipeline"
- Constrained attacker simulation: Modeling a realistic attacker with limited capabilities (e.g., browser-only, no admin) to test exploitability. "constrained attacker simulation"
- Cross-site scripting (XSS): An injection attack where untrusted input is executed as script in a user's browser. "cross-site scripting (XSS)"
- Data-flow analysis: Static analysis that tracks how data moves through a program to identify unsafe flows to sensitive operations. "data-flow analysis."
- Dangerous sink: A security-sensitive operation (e.g., file I/O, command exec) that becomes hazardous when fed attacker-controlled input. "dangerous sink"
- Decorator analysis: Inspection of framework-specific annotations to identify externally exposed functions. "decorator analysis"
- Docker Compose: A YAML-based tool for defining and running multi-container Docker applications. "a Docker Compose configuration"
- Dynamic verification: Runtime validation that attempts to reproduce exploits in a controlled environment. "Stage 6: Dynamic Verification"
- Ephemeral execution: Short-lived, disposable test environments that are created to run an exploit and then removed. "Ephemeral execution."
- Exposure classification: Categorizing code units by security relevance and external reachability before deeper analysis. "Stage 3: Exposure Classification"
- IDOR (Insecure Direct Object Reference): A class of authorization flaws where direct references to objects can be manipulated to access others' data. "IDOR / Missing Authorization"
- Intermediate representation: A unified, language-agnostic format produced by parsers to support downstream analysis stages. "unified intermediate representation"
- Language-agnostic prompt: A single prompt template designed to reason about vulnerabilities across different programming languages. "the detection prompt is language-agnostic."
- Lost-in-the-middle effect: Degradation in model accuracy when key information appears in the middle of long inputs. "lost-in-the-middle effect"
- Mass assignment: A vulnerability where bulk input binding sets unintended object fields, enabling privilege escalation or policy bypass. "Mass Assignment / Privilege Escalation"
- OSS-Fuzz: A continuous fuzzing service for open-source projects that automates large-scale bug discovery. "OSS-Fuzz"
- Path traversal: An attack that manipulates file paths to access files outside intended directories. "path traversal flaws."
- Reachability filtering: Restricting analysis to code reachable from external inputs to reduce cost while preserving attack surface. "reachability filtering reduces the analysis set to 390 units"
- Sandboxed Docker containers: Isolated containerized environments with restricted resources used for safe exploit testing. "sandboxed Docker containers"
- Server-side request forgery (SSRF): An attack where a server is tricked into making unintended requests to internal or external services. "server-side request forgery (SSRF)"
- Static Application Security Testing (SAST): Automated static code analysis for detecting potential vulnerabilities without executing the program. "Static Application Security Testing (SAST) tools"
- Symbolic analysis: Program reasoning technique using symbolic representations of inputs/paths to infer properties or find bugs. "symbolic analysis"
- Zip Slip: A path traversal vulnerability in archive extraction allowing files to be written outside the target directory. "Zip Slip"
Collections
Sign up for free to add this paper to one or more collections.