
























Abstract:Frontier LLM agents are increasingly capable of localizing suspicious code, but vulnerability reasoning requires more than access to program artifacts. An agent must carry forward the evidence that actually decides whether a vulnerability exists. Otherwise, safety-relevant facts may be present in the artifact but absent from the reasoning used to justify the claim, creating a semantic gap between available program facts and the evidence used by the agent. This problem is especially acute for stripped binaries, where source-level cues are removed and relevant evidence is fragmented across noisy lifted IR and lossy decompiled views.
We formulate stripped-binary vulnerability reasoning as a semantic grounding problem and present Veritas, a three-stage framework for reliable analysis. First, a static-analysis Slicer recovers witness-backed source-to-sink flows from lifted LLVM IR. Second, an LLM-based Discover stage aligns decompiled code with IR witnesses to construct vulnerability claims. Third, a multi-agent Validator checks these claims through guided debugging and runtime oracles. Together, these stages turn fragmented binary views into checkable claims rather than relying on direct agent inference. We instantiate Veritas for out-of-bounds vulnerabilities and evaluate it on a curated benchmark with flow-level annotations. Veritas achieves 90% recall, outperforms static, dynamic, binary-analysis, and agentic baselines, and reports no false positives among 623 exhaustively validated candidates and only two observed false positives in sampled audits. In a real-world case study, Veritas discovered a previously unknown Apple vulnerability that was confirmed and assigned a CVE, demonstrating that grounded reasoning can produce actionable findings beyond the curated benchmark.
From: Xinran Zheng [view email]
[v1]
Thu, 14 May 2026 17:16:11 UTC (875 KB)
[v2]
Mon, 6 Jul 2026 18:52:18 UTC (917 KB)
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。