Paper Summaries

    Summary of the paper “Harnessing the Power of LLM to Support Binary Taint Analysis”

    arXiv, 2023

    Paper citation: Liu, Puzhuo, Chengnian Sun, Yaowen Zheng, Xuan Feng, Chuan Qin, Yuncheng Wang, Zhi Li, and Limin Sun. “Harnessing the power of llm to support binary taint analysis.” arXiv preprint arXiv:2310.08275 (2023). 

    Brief Summary:

    Use LLM (almost exclusively) to do taint analysis.

    Main idea: Identifying sources, sinks, and propagation flow rules is hard, LLMs are better suited for this task.

    Approach:

    • LLM task: Identify sinks using LLM (GPT-4), give names of all external method calls (APIs) to LLM (presumably one at a time) and ask if it can be a sink for sensitive info or not.
    • LLM task: Identify sources using the same approach as the sinks.
    • Analysis task: identify the line of code that calls a source or sink.
    • Analysis task: from each sink, do static backward call graph construction to identify call trace, only include caller X if there’s a data flow from X’s parameters to callee’s parameters.
    • Analysis task: mark all sources on all extracted call graph nodes.
    • Analysis task: generate call chain from source to sink: subset of graphs between a node that contains a source and a node that contains a sink
    • LLM task: for each call chain give first method to LLM, tell it which statement is the source, ask it to 

    “Pay attention to the data alias and tainted data operations. Output in the form of data flows”.

    • LLM task: keep providing the next method in the chain, asking it “Continue to analyze function according to the above taint analysis results. Pay attention to the data alias, tainted data operations, and sources”.
    • LLM task: when the chain ends, ask LLM to summarize: 

    “Based on the above taint analysis results, analyze whether the code has vulnerabilities. If there is a vulnerability, please explain what kind of vulnerability according to CWE.”

    My thoughts: the pros

    • Can detect more vulnerabilities than state of the art.

    My thoughts: the cons

    • Takes considerably more time than state of the art.
    • State of the art finds more flows (multiple flows can belong to same vulnerabilities, so LATTE can still find more vulnerabilities with less flows). So, there’s no guarantee that LATTE will find more vulnerabilities on different benchmark.
    • Aliasing info that LATTE asks the tool to look for maybe in methods not even in the call chain, the call chain does not include all the info required to build taint flow paths.

    Leave a Reply

    Your email address will not be published. Required fields are marked *