Tootfinder

Grounded AI for Code Review: Resource-Efficient Large-Model Serving in Enterprise Pipelines
Sayan Mandal, Hua Jiang
https://arxiv.org/abs/2510.10290 https://

Grounded AI for Code Review: Resource-Efficient Large-Model Serving in Enterprise Pipelines
Automated code review adoption lags in compliance-heavy settings, where static analyzers produce high-volume, low-rationale outputs, and naive LLM use risks hallucination and incurring cost overhead. We present a production system for grounded, PR-native review that pairs static-analysis findings with AST-guided context extraction and a single-GPU, on-demand serving stack (quantized open-weight model, multi-tier caching) to deliver concise explanations and remediation guidance. Evaluated on saf…

U-Turn: Enhancing Incorrectness Analysis by Reversing Direction
Flavio Ascari, Roberto Bruni, Roberta Gori, Azalea Raad
https://arxiv.org/abs/2510.09292 https://

U-Turn: Enhancing Incorrectness Analysis by Reversing Direction
O'Hearn's Incorrectness Logic (IL) has sparked renewed interest in static analyses that aim to detect program errors rather than prove their absence, thereby avoiding false alarms -- a critical factor for practical adoption in industrial settings. As new incorrectness logics emerge to capture diverse error-related properties, a key question arises: can the combination of (in)correctness techniques enhance precision, expressiveness, automation, or scalability? Notable frameworks, such as outcome…

Rapid insights for malware analysts, by Marc Rivero (@…).
Talk about r2inspect "a framework for static malware analysis built on top of radare2 and r2pipe, providing accurate detection of obfuscated strings, cryptographic signatures, exploit mitigation analysis, and more".

"Your Doctor is Spying on You": An Analysis of Data Practices in Mobile Healthcare Applications
Luke Stevenson, Sanchari Das
https://arxiv.org/abs/2510.06015 https://

"Your Doctor is Spying on You": An Analysis of Data Practices in Mobile Healthcare Applications
Mobile healthcare (mHealth) applications promise convenient, continuous patient-provider interaction but also introduce severe and often underexamined security and privacy risks. We present an end-to-end audit of 272 Android mHealth apps from Google Play, combining permission forensics, static vulnerability analysis, and user review mining. Our multi-tool assessment with MobSF, RiskInDroid, and OWASP Mobile Audit revealed systemic weaknesses: 26.1% request fine-grained location without disclosu…

Time-To-Inconsistency: A Survival Analysis of Large Language Model Robustness to Adversarial Attacks
Yubo Li, Ramayya Krishnan, Rema Padman
https://arxiv.org/abs/2510.02712 http…

Time-To-Inconsistency: A Survival Analysis of Large Language Model Robustness to Adversarial Attacks
Large Language Models (LLMs) have revolutionized conversational AI, yet their robustness in extended multi-turn dialogues remains poorly understood. Existing evaluation frameworks focus on static benchmarks and single-turn assessments, failing to capture the temporal dynamics of conversational degradation that characterize real-world interactions. In this work, we present the first comprehensive survival analysis of conversational AI robustness, analyzing 36,951 conversation turns across 9 stat…

ZeroFalse: Improving Precision in Static Analysis with LLMs
Mohsen Iranmanesh (Simon Fraser University), Sina Moradi Sabet (Amirkabir University of Technology), Sina Marefat (K. N. Toosi University of Technology), Ali Javidi Ghasr (Ferdowsi University of Mashhad), Allison Wilson (Cyber Risk Solutions), Iman Sharafaldin (Forward Security), Mohammad A. Tayebi (Simon Fraser University)

ZeroFalse: Improving Precision in Static Analysis with LLMs
Static Application Security Testing (SAST) tools are integral to modern software development, yet their adoption is undermined by excessive false positives that weaken developer trust and demand costly manual triage. We present ZeroFalse, a framework that integrates static analysis with large language models (LLMs) to reduce false positives while preserving coverage. ZeroFalse treats static analyzer outputs as structured contracts, enriching them with flow-sensitive traces, contextual evidence,…

Exploring Network-Knowledge Graph Duality: A Case Study in Agentic Supply Chain Risk Analysis
Evan Heus, Rick Bookstaber, Dhruv Sharma
https://arxiv.org/abs/2510.01115 https://

Exploring Network-Knowledge Graph Duality: A Case Study in Agentic Supply Chain Risk Analysis
Large Language Models (LLMs) struggle with the complex, multi-modal, and network-native data underlying financial risk. Standard Retrieval-Augmented Generation (RAG) oversimplifies relationships, while specialist models are costly and static. We address this gap with an LLM-centric agent framework for supply chain risk analysis. Our core contribution is to exploit the inherent duality between networks and knowledge graphs (KG). We treat the supply chain network as a KG, allowing us to use struc…

Try-Mopsa: Relational Static Analysis in Your Pocket
Rapha\"el Monat
https://arxiv.org/abs/2509.13128 https://arxiv.org/pdf/2509.13128

Try-Mopsa: Relational Static Analysis in Your Pocket
Static analyzers are complex pieces of software with large dependencies. They can be difficult to install, which hinders adoption and creates barriers for students learning static analysis. This work introduces Try-Mopsa: a scaled-down version of the Mopsa static analysis platform, compiled into JavaScript to run purely as a client-side application in web browsers. Try-Mopsa provides a responsive interface that works on both desktop and mobile devices. Try-Mopsa features all the core components…

"This paper presents a comprehensive scientometric analysis of the long-term impact of [event] on the nation scientific development."
*oh, interesting!*
"Using Scopus-indexed data..."
*closes tab*

TridentServe: A Stage-level Serving System for Diffusion Pipelines
Yifei Xia, Fangcheng Fu, Hao Yuan, Hanke Zhang, Xupeng Miao, Yijun Liu, Suhan Ling, Jie Jiang, Bin Cui
https://arxiv.org/abs/2510.02838

TridentServe: A Stage-level Serving System for Diffusion Pipelines
Diffusion pipelines, renowned for their powerful visual generation capabilities, have seen widespread adoption in generative vision tasks (e.g., text-to-image/video). These pipelines typically follow an encode--diffuse--decode three-stage architecture. Current serving systems deploy diffusion pipelines within a static, manual, and pipeline-level paradigm, allocating the same resources to every request and stage. However, through an in-depth analysis, we find that such a paradigm is inefficient …

Exploring Network-Knowledge Graph Duality: A Case Study in Agentic Supply Chain Risk Analysis
Evan Heus, Rick Bookstaber, Dhruv Sharma
https://arxiv.org/abs/2510.01115 https://

Exploring Network-Knowledge Graph Duality: A Case Study in Agentic Supply Chain Risk Analysis
Large Language Models (LLMs) struggle with the complex, multi-modal, and network-native data underlying financial risk. Standard Retrieval-Augmented Generation (RAG) oversimplifies relationships, while specialist models are costly and static. We address this gap with an LLM-centric agent framework for supply chain risk analysis. Our core contribution is to exploit the inherent duality between networks and knowledge graphs (KG). We treat the supply chain network as a KG, allowing us to use struc…

Boosting Pointer Analysis With Large Language Model-Enhanced Allocation Function Detection
Baijun Cheng, Kailong Wang, Ling Shi, Haoyu Wang, Peng Di, Yao Guo, Ding Li, Xiangqun Chen
https://arxiv.org/abs/2509.22530

Boosting Pointer Analysis With Large Language Model-Enhanced Allocation Function Detection
Pointer analysis is foundational for many static analysis tasks, yet its effectiveness is often hindered by imprecise modeling of heap allocations, particularly in C/C++ programs where user-defined allocation functions (AFs) are pervasive. Existing approaches largely overlook these custom allocators, leading to coarse aliasing and reduced analysis precision. In this paper, we present AFD, a novel technique that enhances pointer analysis by automatically identifying and modeling custom allocatio…

Synergizing Static Analysis with Large Language Models for Vulnerability Discovery and beyond
Vaibhav Agrawal, Kiarash Ahi
https://arxiv.org/abs/2509.15433 https://

Synergizing Static Analysis with Large Language Models for Vulnerability Discovery and beyond
This report examines the synergy between Large Language Models (LLMs) and Static Application Security Testing (SAST) to improve vulnerability discovery. Traditional SAST tools, while effective for proactive security, are limited by high false-positive rates and a lack of contextual understanding. Conversely, LLMs excel at code analysis and pattern recognition but can be prone to inconsistencies and hallucinations. By integrating these two technologies, a more intelligent and efficient system is…

Static AdS Black Holes Surrounded by Strings and Quintessence-like Field within Rastall Gravity Framework
Allan. R. P. Moreira, Faizuddin Ahmed, Abdelmalek Bouzenada
https://arxiv.org/abs/2509.15274

Static AdS Black Holes Surrounded by Strings and Quintessence-like Field within Rastall Gravity Framework
In this work, we tested the physical properties of Rastall black holes in the presence of string clouds and quintessence. The modified spacetime geometry arising from the Rastall framework is first established, providing the basis for analyzing the geodesic structure. We study null geodesics in detail, testing photon trajectories, the conditions for photon spheres, BH shadows, the associated effective radial force, and the topological features of photon rings. Also, the analysis is further test…

Analysis of an Architecture for Integrated Sensing and Communication in 5G OpenRAN
Daniel Lindenschmitt, Tobias Jung, Prudhvi Kumar Kakani, Torsten Reissland, Norman Franchi, Hans D. Schotten
https://arxiv.org/abs/2509.16917

Analysis of an Architecture for Integrated Sensing and Communication in 5G OpenRAN
This paper analyzes the functional requirements and architectural considerations for Integrated Sensing and Communication ( ISAC) in a 5G Open Radio Access Network (OpenRAN) environment, with emphasis on secure and modular deployment. Focusing on a mono-static, half-duplex sensing approach, it evaluates radar setup options, signal types, and processing placement within the Radio Access Network ( RAN), considering performance and security implications. The proposed architecture minimizes hardwar…

Transfer tensor analysis of localization in the Anderson and Aubry-Andr\'e-Harper models
Michelle C. Anderson, Chern Chuang
https://arxiv.org/abs/2509.21374 https://

Transfer tensor analysis of localization in the Anderson and Aubry-André-Harper models
We use the transfer tensor method to analyze localization and transport in simple disordered systems, specifically the Anderson and Aubry-André-Harper models. Emphasis is placed on the memory effects that emerge when ensemble-averaging over disorder, even when individual trajectories are strictly Markovian. We find that memory effects are necessary to remove fictitious terms that would correspond to redrawing static disorder at each time step, which would create a temporally uncorrelated dynam…

CodeCureAgent: Automatic Classification and Repair of Static Analysis Warnings
Pascal Joos, Islem Bouzenia, Michael Pradel
https://arxiv.org/abs/2509.11787 https://

CodeCureAgent: Automatic Classification and Repair of Static Analysis Warnings
Static analysis tools are widely used to detect bugs, vulnerabilities, and code smells. Traditionally, developers must resolve these warnings manually. Because this process is tedious, developers sometimes ignore warnings, leading to an accumulation of warnings and a degradation of code quality. This paper presents CodeCureAgent, an approach that harnesses LLM-based agents to automatically analyze, classify, and repair static analysis warnings. Unlike previous work, our method does not follow a…

Pixels to Prices: Visual Traits, Market Cycles, and the Economics of NFT Valuation
Samiha Tariq
https://arxiv.org/abs/2509.24879 https://arxiv.org/pdf/2509…

Pixels to Prices: Visual Traits, Market Cycles, and the Economics of NFT Valuation
This paper studies how visual traits and market cycles shape prices in NFT markets. Using 94,039 transactions from 26 major generative Ethereum collections, the analysis extracts 196 machine-quantified image features (covering color, composition, palette structure, geometry, texture, and deep learning embeddings), then applies a three-stage filter process to identify stable predictors for hedonic regression. A static mixed-effects model shows that market sentiment and transparent, interpretable…

LLM Hallucination Detection: A Fast Fourier Transform Method Based on Hidden Layer Temporal Signals
Jinxin Li, Gang Tu, ShengYu Cheng, Junjie Hu, Jinting Wang, Rui Chen, Zhilong Zhou, Dongbo Shan
https://arxiv.org/abs/2509.13154

LLM Hallucination Detection: A Fast Fourier Transform Method Based on Hidden Layer Temporal Signals
Hallucination remains a critical barrier for deploying large language models (LLMs) in reliability-sensitive applications. Existing detection methods largely fall into two categories: factuality checking, which is fundamentally constrained by external knowledge coverage, and static hidden-state analysis, that fails to capture deviations in reasoning dynamics. As a result, their effectiveness and robustness remain limited. We propose HSAD (Hidden Signal Analysis-based Detection), a novel halluci…

On the Late-Time Instability of MOT solution to the Time-Domain PMCHWT Equation
Van Chien Le, Viviana Giunzioni, Pierrick Cordel, Francesco P. Andriulli, Kristof Cools
https://arxiv.org/abs/2509.14995 …

On the Late-Time Instability of MOT solution to the Time-Domain PMCHWT Equation
This paper investigates the late-time instability of marching-on-in-time solution to the time-domain PMCHWT equation. The stability analysis identifies the static solenoidal nullspace of the time-domain electric field integral operator as the primary cause of instability. Furthermore, it reveals that the instability mechanisms of the time-domain PMCHWT equation are fundamentally different from those of the time-domain electric field integral equation. In particular, the PMCHWT's instability is …

ATLANTIS: AI-driven Threat Localization, Analysis, and Triage Intelligence System
Taesoo Kim, HyungSeok Han, Soyeon Park, Dae R. Jeong, Dohyeok Kim, Dongkwan Kim, Eunsoo Kim, Jiho Kim, Joshua Wang, Kangsu Kim, Sangwoo Ji, Woosun Song, Hanqing Zhao, Andrew Chin, Gyejin Lee, Kevin Stevens, Mansour Alharthi, Yizhuo Zhai, Cen Zhang, Joonun Jang, Yeongjin Jang, Ammar Askar, Dongju Kim, Fabian Fleischer, Jeongin Cho, Junsik Kim, Kyungjoon Ko, Insu Yun, Sangdon Park, Dowoo Baik, Haein Lee, Hy…

ATLANTIS: AI-driven Threat Localization, Analysis, and Triage Intelligence System
We present ATLANTIS, the cyber reasoning system developed by Team Atlanta that won 1st place in the Final Competition of DARPA's AI Cyber Challenge (AIxCC) at DEF CON 33 (August 2025). AIxCC (2023-2025) challenged teams to build autonomous cyber reasoning systems capable of discovering and patching vulnerabilities at the speed and scale of modern software. ATLANTIS integrates large language models (LLMs) with program analysis -- combining symbolic execution, directed fuzzing, and static analysi…

Explaining Code Risk in OSS: Towards LLM-Generated Fault Prediction Interpretations
Elijah Kayode Adejumo, Brittany Johnson
https://arxiv.org/abs/2510.06104 https://

Explaining Code Risk in OSS: Towards LLM-Generated Fault Prediction Interpretations
Open Source Software (OSS) has become a very important and crucial infrastructure worldwide because of the value it provides. OSS typically depends on contributions from developers across diverse backgrounds and levels of experience. Making safe changes, such as fixing a bug or implementing a new feature, can be challenging, especially in object-oriented systems where components are interdependent. Static analysis and defect-prediction tools produce metrics (e.g., complexity,coupling) that flag…

LitterBox : An Extensible Framework for LLM-enhanced Scratch Static Code Analysis
Benedikt Fein, Florian Oberm\"uller, Gordon Fraser
https://arxiv.org/abs/2509.12021 https:…

LitterBox+: An Extensible Framework for LLM-enhanced Scratch Static Code Analysis
Large language models (LLMs) have become an essential tool to support developers using traditional text-based programming languages, but the graphical notation of the block-based Scratch programming environment inhibits the use of LLMs. To overcome this limitation, we propose the LitterBox+ framework that extends the Scratch static code analysis tool LitterBox with the generative abilities of LLMs. By converting block-based code to a textual representation suitable for LLMs, LitterBox+ allows u…

BugMagnifier: TON Transaction Simulator for Revealing Smart Contract Vulnerabilities
Yury Yanovich, Victoria Kovalevskaya, Maksim Egorov, Elizaveta Smirnova, Matvey Mishuris, Yash Madhwal, Kirill Ziborov, Vladimir Gorgadze, Subodh Sharma
https://arxiv.org/abs/2509.24444

BugMagnifier: TON Transaction Simulator for Revealing Smart Contract Vulnerabilities
The Open Network (TON) blockchain employs an asynchronous execution model that introduces unique security challenges for smart contracts, particularly race conditions arising from unpredictable message processing order. While previous work established vulnerability patterns through static analysis of audit reports, dynamic detection of temporal dependencies through systematic testing remains an open problem. We present BugMagnifier, a transaction simulation framework that systematically reveals…

Security Evaluation of Android apps in budget African Mobile Devices
Alioune Diallo, Anta Diop, Abdoul Kader Kabore, Jordan Samhi, Aleksandr Pilgun, Tegawend\'e F. Bissyande, Jacque Klein
https://arxiv.org/abs/2509.18800

Can We Trust the AI Pair Programmer? Copilot for API Misuse Detection and Correction
Saikat Mondal, Chanchal K. Roy, Hong Wang, Juan Arguello, Samantha Mathan
https://arxiv.org/abs/2509.16795

Can We Trust the AI Pair Programmer? Copilot for API Misuse Detection and Correction
API misuse introduces security vulnerabilities, system failures, and increases maintenance costs, all of which remain critical challenges in software development. Existing detection approaches rely on static analysis or machine learning-based tools that operate post-development, which delays defect resolution. Delayed defect resolution can significantly increase the cost and complexity of maintenance and negatively impact software reliability and user trust. AI-powered code assistants, such as …

The Cybersecurity of a Humanoid Robot
V\'ictor Mayoral-Vilches
https://arxiv.org/abs/2509.14096 https://arxiv.org/pdf/2509.14096

The Cybersecurity of a Humanoid Robot
The rapid advancement of humanoid robotics presents unprecedented cybersecurity challenges that existing theoretical frameworks fail to adequately address. This report presents a comprehensive security assessment of a production humanoid robot platform, bridging the gap between abstract security models and operational vulnerabilities. Through systematic static analysis, runtime observation, and cryptographic examination, we uncovered a complex security landscape characterized by both sophistica…

Characterizing Phishing Pages by JavaScript Capabilities
Aleksandr Nahapetyan, Kanv Khare, Kevin Schwarz, Bradley Reaves, Alexandros Kapravelos
https://arxiv.org/abs/2509.13186 …

Characterizing Phishing Pages by JavaScript Capabilities
In 2024, the Anti-Phishing Work Group identified over one million phishing pages. Phishers achieve this scale by using phishing kits -- ready-to-deploy phishing websites -- to rapidly deploy phishing campaigns with specific data exfiltration, evasion, or mimicry techniques. In contrast, researchers and defenders continue to fight phishing on a page-by-page basis and rely on manual analysis to recognize static features for kit identification. This paper aims to aid researchers and analysts by …

Validating Solidity Code Defects using Symbolic and Concrete Execution powered by Large Language Models
\c{S}tefan-Claudiu Susan ("Alexandru Ioan Cuza", University of Ia\c{s}i, Department of Computer Science), Andrei Arusoaie ("Alexandru Ioan Cuza", University of Ia\c{s}i, Department of Computer Science), Dorel Lucanu ("Alexandru Ioan Cuza", University of Ia\c{s}i, Department of Computer Science)

Validating Solidity Code Defects using Symbolic and Concrete Execution powered by Large Language Models
The high rate of false alarms from static analysis tools and Large Language Models (LLMs) complicates vulnerability detection in Solidity Smart Contracts, demanding methods that can formally or empirically prove the presence of defects. This paper introduces a novel detection pipeline that integrates custom Slither-based detectors, LLMs, Kontrol, and Forge. Our approach is designed to reliably detect defects and generate proofs. We currently perform experiments with promising results for seven…