Tootfinder

"This paper presents a comprehensive scientometric analysis of the long-term impact of [event] on the nation scientific development."
*oh, interesting!*
"Using Scopus-indexed data..."
*closes tab*

from my link log —
Attempting cross translation unit taint analysis for Firefox.
https://attackanddefense.dev/2025/12/16/attempting-cross-translation-unit-static-analysis.html
saved 2025-12-17

⚡ Escape hatch exists: #[AllowDynamicProperties] attribute opts into old behavior. Use ONLY for legacy vendor code or gradual migration with a removal plan. Never use for new code.
📊 Timeline: PHP 8.1 = allowed | PHP 8.2 = deprecated warning | PHP 9.0 = fatal error. Start fixing now!
🎯 Migration strategy: Run PHPStan/Psalm analysis, fix domain models first (critical), then controllers/services, then DTOs. Add static analysis to CI pipeline to prevent regression.

ZeroFalse: Improving Precision in Static Analysis with LLMs
Mohsen Iranmanesh (Simon Fraser University), Sina Moradi Sabet (Amirkabir University of Technology), Sina Marefat (K. N. Toosi University of Technology), Ali Javidi Ghasr (Ferdowsi University of Mashhad), Allison Wilson (Cyber Risk Solutions), Iman Sharafaldin (Forward Security), Mohammad A. Tayebi (Simon Fraser University)

ZeroFalse: Improving Precision in Static Analysis with LLMs
Static Application Security Testing (SAST) tools are integral to modern software development, yet their adoption is undermined by excessive false positives that weaken developer trust and demand costly manual triage. We present ZeroFalse, a framework that integrates static analysis with large language models (LLMs) to reduce false positives while preserving coverage. ZeroFalse treats static analyzer outputs as structured contracts, enriching them with flow-sensitive traces, contextual evidence,…

Rapid insights for malware analysts, by Marc Rivero (@…).
Talk about r2inspect "a framework for static malware analysis built on top of radare2 and r2pipe, providing accurate detection of obfuscated strings, cryptographic signatures, exploit mitigation analysis, and more".

U-Turn: Enhancing Incorrectness Analysis by Reversing Direction
Flavio Ascari, Roberto Bruni, Roberta Gori, Azalea Raad
https://arxiv.org/abs/2510.09292 https://

U-Turn: Enhancing Incorrectness Analysis by Reversing Direction
O'Hearn's Incorrectness Logic (IL) has sparked renewed interest in static analyses that aim to detect program errors rather than prove their absence, thereby avoiding false alarms -- a critical factor for practical adoption in industrial settings. As new incorrectness logics emerge to capture diverse error-related properties, a key question arises: can the combination of (in)correctness techniques enhance precision, expressiveness, automation, or scalability? Notable frameworks, such as outcome…

🔓 Problem 2: Zero type safety. Your age property can be int, string, null, array - PHP accepts anything without complaints. Type errors only surface at runtime, often in production.
🛠️ Problem 3: IDEs and tooling are blind. No autocomplete suggestions, no refactoring support, static analysis tools like PHPStan and Psalm cannot detect issues. You lose all modern developer experience benefits.

Time-To-Inconsistency: A Survival Analysis of Large Language Model Robustness to Adversarial Attacks
Yubo Li, Ramayya Krishnan, Rema Padman
https://arxiv.org/abs/2510.02712 http…

Time-To-Inconsistency: A Survival Analysis of Large Language Model Robustness to Adversarial Attacks
Large Language Models (LLMs) have revolutionized conversational AI, yet their robustness in extended multi-turn dialogues remains poorly understood. Existing evaluation frameworks focus on static benchmarks and single-turn assessments, failing to capture the temporal dynamics of conversational degradation that characterize real-world interactions. In this work, we present the first comprehensive survival analysis of conversational AI robustness, analyzing 36,951 conversation turns across 9 stat…

"Your Doctor is Spying on You": An Analysis of Data Practices in Mobile Healthcare Applications
Luke Stevenson, Sanchari Das
https://arxiv.org/abs/2510.06015 https://

"Your Doctor is Spying on You": An Analysis of Data Practices in Mobile Healthcare Applications
Mobile healthcare (mHealth) applications promise convenient, continuous patient-provider interaction but also introduce severe and often underexamined security and privacy risks. We present an end-to-end audit of 272 Android mHealth apps from Google Play, combining permission forensics, static vulnerability analysis, and user review mining. Our multi-tool assessment with MobSF, RiskInDroid, and OWASP Mobile Audit revealed systemic weaknesses: 26.1% request fine-grained location without disclosu…

Exploring Network-Knowledge Graph Duality: A Case Study in Agentic Supply Chain Risk Analysis
Evan Heus, Rick Bookstaber, Dhruv Sharma
https://arxiv.org/abs/2510.01115 https://

Exploring Network-Knowledge Graph Duality: A Case Study in Agentic Supply Chain Risk Analysis
Large Language Models (LLMs) struggle with the complex, multi-modal, and network-native data underlying financial risk. Standard Retrieval-Augmented Generation (RAG) oversimplifies relationships, while specialist models are costly and static. We address this gap with an LLM-centric agent framework for supply chain risk analysis. Our core contribution is to exploit the inherent duality between networks and knowledge graphs (KG). We treat the supply chain network as a KG, allowing us to use struc…

Grounded AI for Code Review: Resource-Efficient Large-Model Serving in Enterprise Pipelines
Sayan Mandal, Hua Jiang
https://arxiv.org/abs/2510.10290 https://

Grounded AI for Code Review: Resource-Efficient Large-Model Serving in Enterprise Pipelines
Automated code review adoption lags in compliance-heavy settings, where static analyzers produce high-volume, low-rationale outputs, and naive LLM use risks hallucination and incurring cost overhead. We present a production system for grounded, PR-native review that pairs static-analysis findings with AST-guided context extraction and a single-GPU, on-demand serving stack (quantized open-weight model, multi-tier caching) to deliver concise explanations and remediation guidance. Evaluated on saf…

Exploring Network-Knowledge Graph Duality: A Case Study in Agentic Supply Chain Risk Analysis
Evan Heus, Rick Bookstaber, Dhruv Sharma
https://arxiv.org/abs/2510.01115 https://

Exploring Network-Knowledge Graph Duality: A Case Study in Agentic Supply Chain Risk Analysis
Large Language Models (LLMs) struggle with the complex, multi-modal, and network-native data underlying financial risk. Standard Retrieval-Augmented Generation (RAG) oversimplifies relationships, while specialist models are costly and static. We address this gap with an LLM-centric agent framework for supply chain risk analysis. Our core contribution is to exploit the inherent duality between networks and knowledge graphs (KG). We treat the supply chain network as a KG, allowing us to use struc…

TridentServe: A Stage-level Serving System for Diffusion Pipelines
Yifei Xia, Fangcheng Fu, Hao Yuan, Hanke Zhang, Xupeng Miao, Yijun Liu, Suhan Ling, Jie Jiang, Bin Cui
https://arxiv.org/abs/2510.02838

TridentServe: A Stage-level Serving System for Diffusion Pipelines
Diffusion pipelines, renowned for their powerful visual generation capabilities, have seen widespread adoption in generative vision tasks (e.g., text-to-image/video). These pipelines typically follow an encode--diffuse--decode three-stage architecture. Current serving systems deploy diffusion pipelines within a static, manual, and pipeline-level paradigm, allocating the same resources to every request and stage. However, through an in-depth analysis, we find that such a paradigm is inefficient …

Explaining Code Risk in OSS: Towards LLM-Generated Fault Prediction Interpretations
Elijah Kayode Adejumo, Brittany Johnson
https://arxiv.org/abs/2510.06104 https://

Explaining Code Risk in OSS: Towards LLM-Generated Fault Prediction Interpretations
Open Source Software (OSS) has become a very important and crucial infrastructure worldwide because of the value it provides. OSS typically depends on contributions from developers across diverse backgrounds and levels of experience. Making safe changes, such as fixing a bug or implementing a new feature, can be challenging, especially in object-oriented systems where components are interdependent. Static analysis and defect-prediction tools produce metrics (e.g., complexity,coupling) that flag…