{"id":"https://openalex.org/W7152407900","doi":"https://doi.org/10.48550/arxiv.2604.06506","title":"Guiding Symbolic Execution with Static Analysis and LLMs for Vulnerability Discovery","display_name":"Guiding Symbolic Execution with Static Analysis and LLMs for Vulnerability Discovery","publication_year":2026,"publication_date":"2026-04-07","ids":{"openalex":"https://openalex.org/W7152407900","doi":"https://doi.org/10.48550/arxiv.2604.06506"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2604.06506","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.06506","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2604.06506","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5133305535","display_name":"Md Shafiuzzaman","orcid":null},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Shafiuzzaman, Md","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5067819966","display_name":"Achintya Desai","orcid":"https://orcid.org/0009-0003-0228-0069"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Desai, Achintya","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5133250662","display_name":"Wenbo Guo","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Guo, Wenbo","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5039991493","display_name":"Tevfik Bultan","orcid":"https://orcid.org/0000-0003-2993-1215"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Bultan, Tevfik","raw_affiliation_strings":[],"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5133305535"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.2224999964237213,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.2224999964237213,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.2078000009059906,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10743","display_name":"Software Testing and Debugging Techniques","score":0.16869999468326569,"subfield":{"id":"https://openalex.org/subfields/1712","display_name":"Software"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/symbolic-execution","display_name":"Symbolic execution","score":0.9517999887466431},{"id":"https://openalex.org/keywords/static-analysis","display_name":"Static analysis","score":0.7878000140190125},{"id":"https://openalex.org/keywords/concolic-testing","display_name":"Concolic testing","score":0.6704999804496765},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.6280999779701233},{"id":"https://openalex.org/keywords/scalability","display_name":"Scalability","score":0.5817999839782715},{"id":"https://openalex.org/keywords/symbolic-data-analysis","display_name":"Symbolic data analysis","score":0.5422999858856201},{"id":"https://openalex.org/keywords/satisfiability-modulo-theories","display_name":"Satisfiability modulo theories","score":0.5339000225067139},{"id":"https://openalex.org/keywords/program-analysis","display_name":"Program analysis","score":0.5005000233650208},{"id":"https://openalex.org/keywords/code","display_name":"Code (set theory)","score":0.4733000099658966},{"id":"https://openalex.org/keywords/compiler","display_name":"Compiler","score":0.4677000045776367}],"concepts":[{"id":"https://openalex.org/C2779639559","wikidata":"https://www.wikidata.org/wiki/Q7661178","display_name":"Symbolic execution","level":3,"score":0.9517999887466431},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8575000166893005},{"id":"https://openalex.org/C97686452","wikidata":"https://www.wikidata.org/wiki/Q7604153","display_name":"Static analysis","level":2,"score":0.7878000140190125},{"id":"https://openalex.org/C11219265","wikidata":"https://www.wikidata.org/wiki/Q5158734","display_name":"Concolic testing","level":4,"score":0.6704999804496765},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.6280999779701233},{"id":"https://openalex.org/C48044578","wikidata":"https://www.wikidata.org/wiki/Q727490","display_name":"Scalability","level":2,"score":0.5817999839782715},{"id":"https://openalex.org/C65620979","wikidata":"https://www.wikidata.org/wiki/Q7661176","display_name":"Symbolic data analysis","level":2,"score":0.5422999858856201},{"id":"https://openalex.org/C164155591","wikidata":"https://www.wikidata.org/wiki/Q2067766","display_name":"Satisfiability modulo theories","level":2,"score":0.5339000225067139},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.5213000178337097},{"id":"https://openalex.org/C98183937","wikidata":"https://www.wikidata.org/wiki/Q2112188","display_name":"Program analysis","level":2,"score":0.5005000233650208},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.4733000099658966},{"id":"https://openalex.org/C169590947","wikidata":"https://www.wikidata.org/wiki/Q47506","display_name":"Compiler","level":2,"score":0.4677000045776367},{"id":"https://openalex.org/C2776095079","wikidata":"https://www.wikidata.org/wiki/Q489538","display_name":"The Symbolic","level":2,"score":0.45660001039505005},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.426800012588501},{"id":"https://openalex.org/C98045186","wikidata":"https://www.wikidata.org/wiki/Q205663","display_name":"Process (computing)","level":2,"score":0.42500001192092896},{"id":"https://openalex.org/C137287247","wikidata":"https://www.wikidata.org/wiki/Q1329550","display_name":"Static program analysis","level":4,"score":0.41280001401901245},{"id":"https://openalex.org/C167063184","wikidata":"https://www.wikidata.org/wiki/Q1400839","display_name":"Vulnerability assessment","level":3,"score":0.39750000834465027},{"id":"https://openalex.org/C23123167","wikidata":"https://www.wikidata.org/wiki/Q7661193","display_name":"Symbolic trajectory evaluation","level":3,"score":0.3919000029563904},{"id":"https://openalex.org/C199519371","wikidata":"https://www.wikidata.org/wiki/Q942695","display_name":"Source lines of code","level":3,"score":0.38190001249313354},{"id":"https://openalex.org/C110251889","wikidata":"https://www.wikidata.org/wiki/Q1569697","display_name":"Model checking","level":2,"score":0.3564000129699707},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.3422999978065491},{"id":"https://openalex.org/C200833197","wikidata":"https://www.wikidata.org/wiki/Q333707","display_name":"Compile time","level":3,"score":0.34049999713897705},{"id":"https://openalex.org/C61423126","wikidata":"https://www.wikidata.org/wiki/Q187432","display_name":"Scripting language","level":2,"score":0.3116999864578247},{"id":"https://openalex.org/C153180980","wikidata":"https://www.wikidata.org/wiki/Q19776675","display_name":"Commit","level":2,"score":0.29980000853538513},{"id":"https://openalex.org/C160145156","wikidata":"https://www.wikidata.org/wiki/Q778586","display_name":"Executable","level":2,"score":0.2935999929904938},{"id":"https://openalex.org/C43126263","wikidata":"https://www.wikidata.org/wiki/Q128751","display_name":"Source code","level":2,"score":0.2888999879360199},{"id":"https://openalex.org/C193702766","wikidata":"https://www.wikidata.org/wiki/Q1414548","display_name":"Concurrency","level":2,"score":0.2727000117301941},{"id":"https://openalex.org/C2776834041","wikidata":"https://www.wikidata.org/wiki/Q25346349","display_name":"Execution model","level":2,"score":0.26660001277923584},{"id":"https://openalex.org/C2989134064","wikidata":"https://www.wikidata.org/wiki/Q288510","display_name":"Execution time","level":2,"score":0.26089999079704285},{"id":"https://openalex.org/C1009929","wikidata":"https://www.wikidata.org/wiki/Q179550","display_name":"Software bug","level":3,"score":0.25940001010894775},{"id":"https://openalex.org/C1306188","wikidata":"https://www.wikidata.org/wiki/Q4060687","display_name":"Nested loop join","level":2,"score":0.25110000371932983},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.2506999969482422}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2604.06506","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.06506","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2604.06506","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.06506","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Symbolic":[0,51],"execution":[1,57,104,107,122,232],"detects":[2,109],"vulnerabilities":[3,110,177,218,226],"with":[4,64,196],"precision,":[5],"but":[6],"applying":[7],"it":[8],"to":[9,189],"large":[10],"codebases":[11],"requires":[12],"harnesses":[13,26],"that":[14],"set":[15],"up":[16],"symbolic":[17,56,103,106,121,146,231],"state,":[18],"model":[19],"dependencies,":[20],"and":[21,49,79,89,98,102,115,148,200,229],"specify":[22],"assertions.":[23],"Writing":[24],"these":[25],"has":[27],"traditionally":[28],"been":[29],"a":[30],"manual":[31],"process":[32],"requiring":[33],"expert":[34],"knowledge,":[35],"which":[36,54],"significantly":[37],"limits":[38],"the":[39,42,112,120,125,132,137,142,149],"scalability":[40,133],"of":[41,134,140,145,168,183,209],"technique.":[43],"We":[44,156],"present":[45],"Static":[46],"Analysis":[47],"Informed":[48],"LLM-Orchestrated":[50],"Execution":[52],"(SAILOR),":[53],"automates":[55],"harness":[58,91],"construction":[59],"by":[60,93,153],"combining":[61],"static":[62,73,135,214],"analysis":[63,74,215],"LLM-based":[65],"synthesis.":[66],"SAILOR":[67,158,170,188,210],"operates":[68],"in":[69],"three":[70],"phases:":[71],"(1)":[72],"identifies":[75],"candidate":[76],"vulnerable":[77],"locations":[78],"generates":[80],"vulnerability":[81,87,191],"specifications;":[82],"(2)":[83],"an":[84],"LLM":[85,223],"uses":[86],"specifications":[88],"orchestrates":[90],"synthesis":[92,224],"iteratively":[94],"refining":[95],"drivers,":[96],"stubs,":[97],"assertions":[99],"against":[100,124],"compiler":[101],"feedback;":[105],"then":[108],"using":[111,193],"generated":[113],"harness,":[114],"(3)":[116],"concrete":[117,154],"replay":[118],"validates":[119],"results":[123],"unmodified":[126],"project":[127],"source.":[128],"This":[129],"design":[130],"combines":[131],"analysis,":[136],"code":[138],"reasoning":[139],"LLMs,":[141],"path":[143],"precision":[144],"execution,":[147],"ground":[150],"truth":[151],"produced":[152],"execution.":[155],"evaluate":[157],"on":[159],"10":[160],"open-source":[161],"C/C++":[162],"projects":[163],"totaling":[164],"6.8":[165],"M":[166],"lines":[167],"code.":[169],"discovers":[171],"379":[172],"distinct,":[173],"previously":[174],"unknown":[175],"memory-safety":[176],"(421":[178],"confirmed":[179,217],"crashes).":[180],"The":[181],"strongest":[182],"five":[184],"baselines":[185],"we":[186],"compare":[187],"(agentic":[190],"detection":[192],"Claude":[194],"Code":[195],"full":[197],"codebase":[198],"access":[199],"unlimited":[201],"interaction),":[202],"finds":[203],"only":[204],"12":[205,239],"vulnerabilities.":[206,240],"Each":[207],"phase":[208],"is":[211],"critical:":[212],"Without":[213],"targeting":[216],"drop":[219],"12.2X;":[220],"without":[221,230],"iterative":[222],"zero":[225],"are":[227],"confirmed;":[228],"no":[233],"approach":[234],"can":[235],"detect":[236],"more":[237],"than":[238]},"counts_by_year":[],"updated_date":"2026-04-10T06:07:51.998497","created_date":"2026-04-10T00:00:00"}