How Tree-of-AST Redefines the Boundaries of Dataflow Analysis
Black Hat USA 2025 · Day 1 · Briefings
Two researchers — one a recent high school graduate, the other a sixteen-year-old founder — developed Tree-of-AST, an LLM-powered dataflow analysis engine that applies Tree-of-Thoughts reasoning to taint analysis by traversing abstract syntax trees backward from sink to source. The system rediscovered known CVEs in large ML framework codebases and found new zero-days that CodeQL entirely missed, at a fraction of the false-positive rate.
AI review
A high schooler and a sixteen-year-old built a Tree-of-Thoughts taint analysis engine that outperforms CodeQL on multi-file ML codebases. The concept is sound and the sink-first inversion is a good idea. The research is promising but incomplete — the CVE numbers aren't disclosed, the benchmarks are self-reported, and the stack graph freezing workaround is a red flag.
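To make the sink-first inversion described in the summary (and praised in the review) concrete, here is an added example in Python that is not Tree-of-AST's code and not from the talk: a backward taint walk over Python's `ast` that starts at each sink call and traces its arguments back through assignments to a source. Tree-of-AST lets Tree-of-Thoughts reasoning choose each backward step; here fixed rules stand in, the source and sink names and the sample program are constructed assumptions, and the walk is flow-insensitive (only the last assignment to a name counts).

```python
# Added example, not Tree-of-AST's code: a sink-first backward taint walk over
# a Python AST. Tree-of-AST lets an LLM choose each backward step; here fixed
# rules stand in, so only the sink->source direction is demonstrated.
import ast

SOURCES = {"input"}            # assumed taint sources (constructed)
SINKS = {"eval", "os.system"}  # assumed dangerous sinks (constructed)

def _name(node):  # dotted call target, e.g. 'os.system'
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return f"{_name(node.value)}.{node.attr}"
    return None

def _defs(tree):  # name -> last right-hand side (flow-insensitive)
    defs = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    defs[target.id] = node.value
    return defs

def _reaches_source(expr, defs, seen):  # one backward step, recursively
    for node in ast.walk(expr):
        if isinstance(node, ast.Call) and _name(node.func) in SOURCES:
            return True
        if isinstance(node, ast.Name) and node.id in defs and node.id not in seen:
            seen.add(node.id)  # guards against x = x + 1 cycles
            if _reaches_source(defs[node.id], defs, seen):
                return True
    return False

def find_flows(src):  # (sink, line) for each sink call fed by a source
    tree = ast.parse(src)
    defs = _defs(tree)
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _name(node.func) in SINKS:
            if any(_reaches_source(arg, defs, set()) for arg in node.args):
                hits.append((_name(node.func), node.lineno))
    return hits

# Constructed sample: tainted sink on line 3, clean sink on line 4.
SAMPLE = '''import os
user = input("cmd: ")
os.system("ls " + user)
eval("1 + 1")
'''
```

Because only the last assignment to a name is kept, a variable reassigned to a clean value after the source call is not reported; the summary describes Tree-of-AST as replacing exactly this kind of fixed walk with Tree-of-Thoughts reasoning.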