ProtocolGuard: Detecting Protocol Non-compliance Bugs via LLM-guided Static Analysis and Dynamic Verification

Xiangpu Song

Network and Distributed System Security (NDSS) Symposium 2026 · Day 2 · Program Analysis

This talk presents **ProtocolGuard**, a hybrid framework that detects **protocol non-compliance bugs** -- semantic errors where implementations deviate from protocol specifications (RFC documents). Unlike memory safety bugs that trigger crashes, these bugs are **silent**: they don't produce explicit error signals but can cause serious consequences including service disruption, client impersonation, and denial-of-service attacks.

AI review

A well-designed pipeline that solves a genuinely hard problem: finding silent protocol logic bugs that produce no crashes, no sanitizer signals, and sometimes identical responses across vulnerable and correct implementations. Using LLM-generated assertion statements as bug oracles is the key contribution -- turning unfuzzable logic bugs into fuzzable assertion failures. 158 unique bugs across 11 implementations, with CVE assignments, demonstrate real impact.
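
To make the assertion-as-oracle idea concrete, here is an added example; it is not ProtocolGuard's code or output. The toy protocol, its RFC-style rule, the hand-written `SPEC_ASSERT` oracle and all names are assumptions constructed for illustration. The non-compliant path returns OK and never crashes, so only the oracle reveals the deviation.

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy protocol (not from the talk). Constructed rule, RFC style:
 * "A server MUST NOT change the session identity after the first HELLO;
 *  a second HELLO MUST be answered with ERR." */
enum msg_type { MSG_HELLO, MSG_DATA };
struct msg { enum msg_type type; const char *client_id; };
struct session { int established; char client_id[16]; };

static int oracle_violations;  /* a fuzzing build would abort() here instead */
#define SPEC_ASSERT(cond) do { if (!(cond)) oracle_violations++; } while (0)

/* Returns 0 for OK, 1 for ERR. `compliant` selects the fixed code path. */
static int handle(struct session *s, const struct msg *m, int compliant)
{
    if (m->type == MSG_HELLO) {
        int was_established = s->established;
        char before[16];
        memcpy(before, s->client_id, sizeof before);

        if (compliant && s->established)
            return 1;                       /* fixed: reject second HELLO */
        snprintf(s->client_id, sizeof s->client_id, "%s", m->client_id);
        s->established = 1;

        /* Oracle: identity is unchanged once the session is established. */
        SPEC_ASSERT(!was_established || strcmp(before, s->client_id) == 0);
        return 0;                           /* buggy path still answers OK */
    }
    return s->established ? 0 : 1;          /* DATA needs a session */
}

/* Replays a constructed message sequence; returns oracle violation count. */
int replay(int compliant)
{
    const struct msg seq[] = {
        { MSG_HELLO, "alice" }, { MSG_DATA, NULL },
        { MSG_HELLO, "bob" },   { MSG_DATA, NULL },
    };
    struct session s = {0};
    oracle_violations = 0;
    for (size_t i = 0; i < sizeof seq / sizeof seq[0]; i++)
        handle(&s, &seq[i], compliant);
    return oracle_violations;
}

int main(void)
{
    printf("buggy: %d violation(s), fixed: %d\n", replay(0), replay(1));
    return 0;
}
```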
