更多流程更多漏洞：利用LLM和定制化DFA增强SAST.pdf

1、#BHUSA BlackHatEventsMore Flows,More Bugs:More Flows,More Bugs:Empowering SAST with LLMs and Customized DFAEmpowering SAST with LLMs and Customized DFAYuan Luo&Zhaojun Chen&Yi Sun&RhettxieTencent Security YunDing Lab#BHUSA BlackHatEventsOutline Introduction to SAST How to use LLM to recognize Source

2、s&Sinks DFA(Data Flow Analysis)Enhancement Results#BHUSA BlackHatEventsWhat is SAST?Source:https:/www.mend.io/blog/sast-static-application-security-testing/Static Application Security Testing(SAST)-Analyze source code without execution Scans code for bugs-Such as SQL injection or XSS,acting like an

3、X-ray Essential part of DevSecOps-Integrated into CI/CD pipelines Popular tools-CodeQL/Fortify/SonarQube/Checkmarx/.DevSecOps Lifecycle Diagram#BHUSA BlackHatEventsWhat is CodeQL?Source codeQL queryQuery ResultsBuild databaseSource:https:/ in 2006,GitHub acquired CodeQL in 2019Queries and libraries

4、are open-sourceThe core CodeQL engine is proprietaryWorkflowPreparing the codeCreating a CodeQL databaseRunning CodeQL queries against the databaseInterpreting the query results#BHUSA BlackHatEventsNo bugs anymore?Many vulnerabilities foundPeriodically perform code scanning on the default branch and

5、 pull requests#BHUSA BlackHatEventsHowever,SAST tools may overlook CVEDescriptionRoot causes for missed detectionCVE-2024-47552CVE-2024-56180CNVD-2023-45001Apache Seata,Apache EventMesh,Alibaba Nacos JRaftvulnerability;other affected applications include Apache Ignite and Apache HugeGraph.Missing so

6、urce ruleCVE-2024-37084Spring Cloud Data Flow Remote Code Execution VulnerabilityMissing summary ruleCVE-2024-22263Spring Cloud Data Flow Arbitrary File Write VulnerabilityMissing summary ruleCVE-2023-52251Kafka UI Background Messages Groovy Code Execution VulnerabilityCode pre-generationCVE-2023-34