More Flows, More Bugs: Empowering SAST with LLMs and Customized DFA
Black Hat USA 2025 · Day 1 · Briefings
Researchers at Tencent Security Wind Ding Lab have built a pipeline that uses large language models to automatically identify missing source and sink functions in CodeQL, then extends the tool's data flow analysis engine to handle cross-thread execution, Java reflection, and pass-by-value semantics. The result: a 15% increase in detected data flows across more than 5,000 scanned projects, plus the discovery of previously undetectable CVEs in high-profile open-source software.
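To make the three flow shapes named above concrete, here is an added Java illustration (not code from the talk or from the Wind Ding Lab pipeline) of the patterns a data flow engine must follow: taint crossing a thread boundary, a sink reached only through reflection, and a value reaching the caller through a field written by a callee. `sink`, `Holder` and all method names are hypothetical, and reading "pass-by-value semantics" as reference-copy plus field write is an assumption; the program is useful mainly as a coverage check for whether a SAST tool reports all three paths.

```java
import java.lang.reflect.Method;

// Added illustration, not the talk's code. Three data-flow shapes that the
// abstract says the extended CodeQL engine tracks. Names are hypothetical.
public class FlowShapes {
    static final class Holder { String value; }

    // Hypothetical sensitive sink; stands in for a command runner or similar.
    static void sink(String s) { System.out.println("sink got: " + s); }

    // 1. Cross-thread: the tainted value is captured by a Runnable and reaches
    //    the sink on a different thread, so there is no direct call chain.
    static void crossThread(String tainted) throws InterruptedException {
        Thread t = new Thread(() -> sink(tainted));
        t.start();
        t.join();
    }

    // 2. Reflection: the target method is only named by a string, so a call
    //    graph built from static call sites has no edge from here to sink().
    static void viaReflection(String tainted) throws Exception {
        Method m = FlowShapes.class.getDeclaredMethod("sink", String.class);
        m.invoke(null, tainted);
    }

    // 3. Pass-by-value (assumed reading): the reference to h is copied into
    //    fill(), but the field write is visible to the caller afterwards, so
    //    the flow runs parameter -> field -> caller read -> sink.
    static void fill(Holder h, String tainted) { h.value = tainted; }

    static void viaFieldWrite(String tainted) {
        Holder h = new Holder();
        fill(h, tainted);
        sink(h.value);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input; a real program would take it from a request.
        String tainted = args.length > 0 ? args[0] : "untrusted input (constructed)";
        crossThread(tainted);
        viaReflection(tainted);
        viaFieldWrite(tainted);
    }
}
```

Each of the three methods prints the same tainted string at the sink, so a scanner that reports only one of the three paths shows exactly which flow shape its engine is missing.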
AI review
Tencent's Wind Ding Lab does real engineering work here — LLM-assisted source/sink discovery plus targeted CodeQL DFA extensions that actually move the needle. Not glamorous, not novel in concept, but executed with genuine depth and quantified results. The reflection analysis workaround alone is worth the price of admission.