Anota: Identifying Business Logic Vulnerabilities via Annotation-Based Sanitization

Meng Wang

Network and Distributed System Security (NDSS) Symposium 2026 · Day 2 · Program Analysis

Business logic vulnerabilities represent a critical blind spot in automated security testing. Unlike memory corruption or injection flaws, these bugs abuse legitimate functionality and are invisible to tools that lack understanding of the developer's intended behavior. This talk presents **Anota**, a semi-automated framework that bridges human security intuition with machine-speed testing by allowing developers to add lightweight annotations to source code that express security policies. These annotations are then enforced at runtime through custom instrumentation, turning any fuzzer into a business logic vulnerability detector.
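The abstract describes the mechanism in one sentence: policies are written next to the code as annotations, enforced at runtime, and any fuzzer then reports a policy violation the way it would report a crash. The sketch below is an added illustration of that idea in plain Python and is not Anota's annotation syntax, instrumentation or code; the `requires`/`ensures` decorators, the `PolicyViolation` class, the `Order`/`Coupon` model, the flawed `redeem` function and the `fuzz` loop are all assumptions constructed for this example.

```python
"""Added illustration of annotation-based policy enforcement as a fuzzing
oracle. This is NOT Anota's annotation syntax or instrumentation; the
decorator names, the Order/Coupon model and the fuzz loop are assumptions
made for this sketch."""
import functools
import random


class PolicyViolation(Exception):
    """Raised when an annotated policy fails at runtime.

    A fuzzer treats an uncaught exception exactly like a crash, so a
    violated business rule becomes a reportable finding."""


def requires(predicate, message):
    """Precondition annotation: predicate(*args) must hold before the call."""
    def decorator(func):
        @functools.wraps(func)
        def wrapper(*args):
            if not predicate(*args):
                raise PolicyViolation(f"{func.__name__}: precondition failed: {message}")
            return func(*args)
        return wrapper
    return decorator


def ensures(predicate, message):
    """Postcondition annotation: predicate(result, *args) must hold after the call."""
    def decorator(func):
        @functools.wraps(func)
        def wrapper(*args):
            result = func(*args)
            if not predicate(result, *args):
                raise PolicyViolation(f"{func.__name__}: postcondition failed: {message}")
            return result
        return wrapper
    return decorator


class Order:
    def __init__(self, total):
        self.total = total


class Coupon:
    def __init__(self, code, value):
        self.code = code
        self.value = value


@requires(lambda order, coupon: coupon.value > 0,
          "coupon value must be positive")
@ensures(lambda _result, order, coupon: order.total >= 0,
         "an order total can never become negative")
def redeem(order, coupon):
    """Deliberately flawed discount logic (constructed for this sketch).

    It never checks that the discount fits the remaining total and never
    records which coupons were already used, so redemptions stack until the
    customer is owed money. No crash, no exception, no memory error: a plain
    fuzzer sees nothing, but the postcondition annotation does."""
    order.total -= coupon.value
    return order.total


def violates(func, *args):
    """Helper: True if calling func(*args) trips a policy annotation."""
    try:
        func(*args)
    except PolicyViolation:
        return True
    return False


def fuzz(iterations=200, seed=1):
    """Minimal fuzzer: random redemption sequences on fresh orders.

    Inputs are constructed randomly; the annotations are the only oracle.
    Returns the list of policy violation messages found."""
    rng = random.Random(seed)
    findings = []
    for _ in range(iterations):
        order = Order(total=rng.randint(10, 100))
        coupons = [Coupon(f"C{k}", rng.randint(1, 60)) for k in range(3)]
        try:
            for _ in range(rng.randint(1, 4)):
                redeem(order, rng.choice(coupons))
        except PolicyViolation as exc:
            findings.append(str(exc))
    return findings


if __name__ == "__main__":
    for line in fuzz()[:5]:
        print(line)
```

The point of the sketch is where the knowledge lives: the flaw in `redeem` is invisible to a crash-only oracle, and the annotation is what converts the developer's intent ("a total never goes negative") into a signal the fuzzer can report. Note that the postcondition fires only after the state has already been corrupted, which is fine for a testing oracle but is why such checks are a detection aid during fuzzing, not a substitute for fixing the logic.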

AI review

A practical and well-validated approach to finding business logic vulnerabilities -- the class of bugs that consistently escapes automated tools. The 22 zero-days with 17 CVEs including a patch bypass demonstrate real offensive value. The key innovation isn't the runtime monitoring itself but the insight that four annotation types can cover 27 of the CWE Top 40, making the human effort tractable. The eBPF + modified CPython instrumentation is technically solid.

Watch on YouTube