Leveraging LLMs for Vulnerability Discovery in Highly-Configurable Software Systems
- Type: Bachelor's thesis
- Supervision:
- Status: Open
Context: Vulnerabilities in software systems are often overlooked, even though their exploitation by an attacker can have drastic consequences. In configurable software systems, the situation becomes even more problematic because the presence of a vulnerability can be tied to specific configurations (i.e., variants) of the system (so-called variability-induced vulnerabilities). To identify such vulnerabilities, we developed the analysis platform Vari-Joern. This platform is built around the query-based static source code analysis tool Joern and allows the code of a configurable system to be searched for patterns typical of vulnerabilities using two common analysis strategies. With the rise of AI, it is of interest whether such an approach still makes sense or whether an LLM using the same vulnerability queries can be more effective/efficient in identifying potential vulnerabilities.
Goal: Leverage popular LLMs in conjunction with vulnerability queries and evaluate whether AI can identify potential vulnerabilities in real-world highly-configurable C software as well as our static source code analysis platform Vari-Joern does.
Requirements: Prior knowledge of configurable software systems (i.e., software product lines) and common software vulnerabilities in C is not required but might be helpful.