A hybrid LLM workflow can help identify user privilege related variables in programs of any size
Haizhou Wang, Zhilong Wang, Peng Liu
TL;DR
The paper addresses privilege leakage by focusing on user privilege related (UPR) variables and introduces an LLM-assisted workflow that assigns a per-variable UPR score. It combines static program analysis (PDG-based variable subgraphs and statement-level dependencies) with an LLM that rates individual code statements, aggregating those ratings into a final per-variable score on a $0$–$10$ scale. Empirical results across multiple servers and services show that with a high threshold (e.g., >$0.8$, or $9.0$ on the 0–10 scale), the method achieves an average FPR of about 13.49% and identifies substantially more UPR variables than heuristic baselines. The study also analyzes the impact of prompt design and discusses practical limitations, including applicability to proprietary programs and LLM service costs, pointing toward more efficient, scalable code reviews for privilege-related vulnerabilities.
Abstract
Many programs involve operations and logic that manipulate user privileges, which are essential to the security of an organization. Therefore, one common malicious goal of attackers is to obtain or escalate privileges, causing privilege leakage. To protect the program and the organization against privilege leakage attacks, it is important to eliminate the vulnerabilities that can be exploited to achieve such attacks. Unfortunately, while memory vulnerabilities are less challenging to find, logic vulnerabilities are much more imminent, harmful and difficult to identify. Accordingly, many analysts choose to find user privilege related (UPR) variables first, as starting points for investigating the code where the UPR variables may be used, to see whether any vulnerabilities exist, especially logic ones. In this paper, we introduce a large language model (LLM) workflow that can assist analysts in identifying such UPR variables, a task that is considered very time-consuming. Specifically, our tool audits all the variables in a program and outputs a UPR score for each variable, which is the degree of relationship (closeness) between the variable and user privileges. The proposed approach avoids the drawbacks of directly prompting an LLM to find UPR variables by leveraging the LLM at the statement level instead of supplying it with very long code snippets. Variables with high UPR scores are potential UPR variables, which should be manually investigated. Our experiments show that, using a typical UPR score threshold (i.e., UPR score >0.8), the false positive rate (FPR) is only 13.49%, while the number of UPR variables found is significantly greater than that of the heuristic-based method.
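The following is an added illustration of the workflow's shape, not the paper's own tool: every variable with a definition is collected, the statements that define or use it stand in for its PDG subgraph, each statement is rated on a 0–10 scale, and the ratings are aggregated into a per-variable UPR score compared against the 0.8 threshold. The statement rater is a keyword heuristic standing in for the LLM so the example runs offline; the mean-based aggregation, the sample program and the term list are all assumptions of this example.

```python
import ast
from typing import Callable, Dict, List

# Constructed sample program (not from the paper): a small privilege check.
SAMPLE = '''
role = session.get("role")
is_admin = role == "admin"
page_count = len(items)
if is_admin:
    grant_access(user)
total = page_count * 2
'''

# Assumed term list; the real workflow asks an LLM instead of matching words.
PRIV_TERMS = ("admin", "role", "privilege", "grant", "access", "sudo", "root")


def statements_per_variable(src: str) -> Dict[str, List[str]]:
    """Crude stand-in for a PDG variable subgraph: for every variable that is
    assigned somewhere, collect the source statements that define or use it."""
    tree = ast.parse(src)
    lines = src.splitlines()
    uses: Dict[str, List[str]] = {}
    assigned = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Name):
            if isinstance(node.ctx, ast.Store):
                assigned.add(node.id)
            stmt = lines[node.lineno - 1].strip()
            bucket = uses.setdefault(node.id, [])
            if stmt not in bucket:
                bucket.append(stmt)
    return {v: uses[v] for v in sorted(assigned)}


def heuristic_rater(stmt: str) -> float:
    """Stand-in for the per-statement LLM rating (0..10): 0 without any
    privilege term, 7 with one term, 10 with two or more."""
    hits = sum(term in stmt.lower() for term in PRIV_TERMS)
    return min(10.0, 4.0 + 3.0 * hits) if hits else 0.0


def upr_scores(src: str, rater: Callable[[str], float]) -> Dict[str, float]:
    """Aggregate statement ratings into a per-variable score in 0..1 (mean, an
    assumed aggregation); the rater is pluggable so an LLM call can replace it."""
    return {var: sum(rater(s) for s in stmts) / (10.0 * len(stmts))
            for var, stmts in statements_per_variable(src).items()}


def flag_upr(scores: Dict[str, float], threshold: float = 0.8) -> List[str]:
    """Variables above the threshold are candidates for manual investigation."""
    return sorted(v for v, s in scores.items() if s > threshold)
```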
