The dependency hierarchy of modern web application components is becoming increasingly complex. Focusing solely on identifying risky components without considering their actual threat level often leads to numerous false alarms. Current mainstream supply chain analysis methods rely on static component scanning and Software Bill of Materials (SBOM) construction, using version information to match vulnerability databases to identify potential risk components. While this method can detect known vulnerabilities, it lacks analysis of runtime context vulnerability function call paths and data flow dependencies, making it impossible to determine whether vulnerabilities actually impact risk components when triggered. To address this, this paper innovatively combines dynamic analysis with static analysis to assess the actual reachability of vulnerabilities for the first time. By using bytecode instrumentation technology to monitor runtime call behavior in real time, we cross-validate static risk data with dynamic call records to precisely mark high-risk components that are actually triggered, effectively addressing the deficiency of missing vulnerability function call paths. Finally, we introduce large language model (LLM) to analyze risk component/method call graphs, further reducing false positive rates. To our knowledge, this is the first known method to achieve precise risk component analysis based on the impact of exposed interfaces in web applications. We name this method PreciseRisk-LLM and have successfully applied it to various risk types, including deserialization and Log4j. Experimental results demonstrate that PreciseRisk-LLM significantly outperforms single-identification methods, achieving optimal identification accuracy and providing a reliable basis for assessing the actual impact of risk components on web applications.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

PreciseRisk-LLM: Precise Component Risk Evaluation in Web Applications with LLMs

  • Rui Guo,
  • Najinsha Hu,
  • Jingfang Su,
  • Jie Meng,
  • Zihan Huang,
  • Guangjun Wen

摘要

The dependency hierarchy of modern web application components is becoming increasingly complex. Focusing solely on identifying risky components without considering their actual threat level often leads to numerous false alarms. Current mainstream supply chain analysis methods rely on static component scanning and Software Bill of Materials (SBOM) construction, using version information to match vulnerability databases to identify potential risk components. While this method can detect known vulnerabilities, it lacks analysis of runtime context vulnerability function call paths and data flow dependencies, making it impossible to determine whether vulnerabilities actually impact risk components when triggered. To address this, this paper innovatively combines dynamic analysis with static analysis to assess the actual reachability of vulnerabilities for the first time. By using bytecode instrumentation technology to monitor runtime call behavior in real time, we cross-validate static risk data with dynamic call records to precisely mark high-risk components that are actually triggered, effectively addressing the deficiency of missing vulnerability function call paths. Finally, we introduce large language model (LLM) to analyze risk component/method call graphs, further reducing false positive rates. To our knowledge, this is the first known method to achieve precise risk component analysis based on the impact of exposed interfaces in web applications. We name this method PreciseRisk-LLM and have successfully applied it to various risk types, including deserialization and Log4j. Experimental results demonstrate that PreciseRisk-LLM significantly outperforms single-identification methods, achieving optimal identification accuracy and providing a reliable basis for assessing the actual impact of risk components on web applications.