OpenAnt: LLM-Powered Vulnerability Discovery Through Code Decomposition, Adversarial Verification, and Dynamic Testing

📄 arXiv: 2606.19149v1 📥 PDF

作者: Nahum Korda, Gadi Evron

分类: cs.CR, cs.LG

发布日期: 2026-06-17

🔗 代码/项目: GITHUB


💡 一句话要点

提出OpenAnt以解决大规模代码库中的自动化漏洞发现问题

🎯 匹配领域: 支柱九:具身大模型 (Embodied Foundation Models)

关键词: 漏洞发现 代码分析 大语言模型 动态测试 对抗性验证 开源软件 安全分析

📋 核心要点

  1. 现有的自动化漏洞发现方法存在高假阳性率和基础设施需求大的问题,难以有效处理大规模代码库。
  2. OpenAnt通过将代码分解为可独立分析的单元,结合对抗性验证和动态测试,提供了一种新的漏洞发现思路。
  3. 在对OpenSSL、WordPress等开源项目的评估中,OpenAnt成功识别了未知漏洞,显著降低了假阳性率。

📝 摘要(中文)

在大规模代码库中,自动化漏洞发现仍然面临挑战:传统的静态分析方法产生高假阳性率,而动态方法如模糊测试则需要大量基础设施,且通常仅针对狭窄的错误类别。本文提出OpenAnt,一个集成静态程序分析与基于大语言模型(LLM)推理的开源漏洞发现系统。OpenAnt通过三项关键技术实现了有效的漏洞发现,首先将代码库分解为自包含的分析单元,减少分析表面;其次,通过受限攻击者模拟进行对候选漏洞的对抗性验证;最后,通过动态验证自动生成和执行漏洞环境。实验结果表明,该系统能够识别以前未知的漏洞,同时保持可管理的分析成本并显著减少假阳性。

🔬 方法详解

问题定义:本文旨在解决大规模代码库中自动化漏洞发现的挑战,现有方法如静态分析和动态测试存在高假阳性率和基础设施需求大的问题。

核心思路:OpenAnt通过将代码库分解为自包含的分析单元,结合对抗性验证和动态测试,旨在提高漏洞发现的准确性和效率。

技术框架:OpenAnt的整体架构包括三个主要阶段:代码分解、对抗性验证和动态验证。首先,代码被分解为可独立分析的单元;其次,候选漏洞通过模拟攻击者进行验证;最后,生成并执行漏洞环境以验证发现的漏洞。

关键创新:OpenAnt的主要创新在于将静态分析与LLM推理结合,采用对抗性验证和动态测试的闭环流程,从而显著降低假阳性率并提高漏洞发现的准确性。

关键设计:在设计中,OpenAnt采用了基于可达性的代码过滤机制,确保分析表面减少高达97%;同时,动态验证通过沙箱环境自动生成和执行,确保测试的安全性和有效性。

📊 实验亮点

在对OpenSSL、WordPress和Flowise等广泛使用的开源项目的评估中,OpenAnt成功识别了多个以前未知的漏洞,显著降低了假阳性率,表明其在自动化安全分析中的有效性和实用性。

🎯 应用场景

OpenAnt可广泛应用于软件安全领域,尤其是在大型开源项目的安全分析中。其自动化的漏洞发现能力能够帮助开发者及时识别和修复安全隐患,提升软件的安全性和可靠性。未来,OpenAnt的技术框架有望扩展到更多编程语言和开发环境中,推动自动化安全分析的普及。

📄 摘要(原文)

Automated vulnerability discovery in large codebases remains challenging: traditional static analysis produces high false-positive rates, while dynamic approaches such as fuzzing require substantial infrastructure and often target narrow classes of bugs. Recent advances in large language models (LLMs) enable semantic reasoning about program behavior, but applying LLMs to repository-scale security analysis introduces challenges related to context management, cost, and verification. We present OpenAnt, an open-source vulnerability discovery system that integrates static program analysis with LLM-based reasoning in a multi-stage pipeline. OpenAnt introduces three key techniques. First, codebases are decomposed into self-contained analysis units filtered by reachability from external entry points, reducing the analysis surface by up to 97% while preserving attack-relevant code. Second, candidate vulnerabilities undergo adversarial verification through constrained attacker simulation, where the model evaluates exploitability under realistic attacker capabilities. Third, findings are validated through dynamic verification, in which exploit environments are generated automatically, executed in sandboxed containers, and discarded after use. Evaluation on widely used open-source projects including OpenSSL, WordPress, and Flowise shows that this architecture can identify previously unknown vulnerabilities while maintaining manageable analysis cost and substantially reducing false positives. Our results suggest that closed-loop vulnerability discovery pipelines, combining semantic reasoning with exploit validation, provide a practical path toward scalable automated security analysis. OpenAnt is released as open source under the Apache 2.0 license at https://github.com/knostic/OpenAnt.