{"id":"https://openalex.org/W7162127502","doi":"https://doi.org/10.48550/arxiv.2605.22058","title":"Finding Missing Input Validation in TEEs via LLM-Assisted Symbolic Execution","display_name":"Finding Missing Input Validation in TEEs via LLM-Assisted Symbolic Execution","publication_year":2026,"publication_date":"2026-05-21","ids":{"openalex":"https://openalex.org/W7162127502","doi":"https://doi.org/10.48550/arxiv.2605.22058"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2605.22058","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.22058","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2605.22058","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5136759837","display_name":"Chengyan Ma","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Ma, Chengyan","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5002667771","display_name":"Jieke Shi","orcid":"https://orcid.org/0000-0002-0799-5018"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Shi, Jieke","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5037808916","display_name":"Ruidong Han","orcid":"https://orcid.org/0000-0001-6859-6005"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Han, Ruidong","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5136739454","display_name":"Ye Liu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Liu, Ye","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5136749287","display_name":"Yuqing Niu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Niu, Yuqing","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5136806961","display_name":"David Lo","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Lo, David","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":6,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.7031000256538391,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.7031000256538391,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10743","display_name":"Software Testing and Debugging Techniques","score":0.1136000007390976,"subfield":{"id":"https://openalex.org/subfields/1712","display_name":"Software"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.08250000327825546,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/symbolic-execution","display_name":"Symbolic execution","score":0.8190000057220459},{"id":"https://openalex.org/keywords/observability","display_name":"Observability","score":0.7300000190734863},{"id":"https://openalex.org/keywords/scalability","display_name":"Scalability","score":0.6021000146865845},{"id":"https://openalex.org/keywords/code","display_name":"Code (set theory)","score":0.5184000134468079},{"id":"https://openalex.org/keywords/syntax","display_name":"Syntax","score":0.4697999954223633},{"id":"https://openalex.org/keywords/isolation","display_name":"Isolation (microbiology)","score":0.4050000011920929},{"id":"https://openalex.org/keywords/symbolic-data-analysis","display_name":"Symbolic data analysis","score":0.3880999982357025},{"id":"https://openalex.org/keywords/source-lines-of-code","display_name":"Source lines of code","score":0.38100001215934753},{"id":"https://openalex.org/keywords/abstract-syntax-tree","display_name":"Abstract syntax tree","score":0.37299999594688416}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8679999709129333},{"id":"https://openalex.org/C2779639559","wikidata":"https://www.wikidata.org/wiki/Q7661178","display_name":"Symbolic execution","level":3,"score":0.8190000057220459},{"id":"https://openalex.org/C36299963","wikidata":"https://www.wikidata.org/wiki/Q1369844","display_name":"Observability","level":2,"score":0.7300000190734863},{"id":"https://openalex.org/C48044578","wikidata":"https://www.wikidata.org/wiki/Q727490","display_name":"Scalability","level":2,"score":0.6021000146865845},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.5184000134468079},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.4779999852180481},{"id":"https://openalex.org/C60048249","wikidata":"https://www.wikidata.org/wiki/Q37437","display_name":"Syntax","level":2,"score":0.4697999954223633},{"id":"https://openalex.org/C2775941552","wikidata":"https://www.wikidata.org/wiki/Q25212305","display_name":"Isolation (microbiology)","level":2,"score":0.4050000011920929},{"id":"https://openalex.org/C65620979","wikidata":"https://www.wikidata.org/wiki/Q7661176","display_name":"Symbolic data analysis","level":2,"score":0.3880999982357025},{"id":"https://openalex.org/C199519371","wikidata":"https://www.wikidata.org/wiki/Q942695","display_name":"Source lines of code","level":3,"score":0.38100001215934753},{"id":"https://openalex.org/C58646249","wikidata":"https://www.wikidata.org/wiki/Q127380","display_name":"Abstract syntax tree","level":3,"score":0.37299999594688416},{"id":"https://openalex.org/C97686452","wikidata":"https://www.wikidata.org/wiki/Q7604153","display_name":"Static analysis","level":2,"score":0.3720000088214874},{"id":"https://openalex.org/C113174947","wikidata":"https://www.wikidata.org/wiki/Q2859736","display_name":"Tree (set theory)","level":2,"score":0.36570000648498535},{"id":"https://openalex.org/C120314980","wikidata":"https://www.wikidata.org/wiki/Q180634","display_name":"Distributed computing","level":1,"score":0.3637000024318695},{"id":"https://openalex.org/C110251889","wikidata":"https://www.wikidata.org/wiki/Q1569697","display_name":"Model checking","level":2,"score":0.3310999870300293},{"id":"https://openalex.org/C92446256","wikidata":"https://www.wikidata.org/wiki/Q3306762","display_name":"Data validation","level":2,"score":0.3276999890804291},{"id":"https://openalex.org/C149635348","wikidata":"https://www.wikidata.org/wiki/Q193040","display_name":"Embedded system","level":1,"score":0.32109999656677246},{"id":"https://openalex.org/C184337299","wikidata":"https://www.wikidata.org/wiki/Q1437428","display_name":"Semantics (computer science)","level":2,"score":0.3199999928474426},{"id":"https://openalex.org/C111498074","wikidata":"https://www.wikidata.org/wiki/Q173326","display_name":"Formal verification","level":2,"score":0.3005000054836273},{"id":"https://openalex.org/C81669768","wikidata":"https://www.wikidata.org/wiki/Q2359161","display_name":"Precision and recall","level":2,"score":0.29660001397132874},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.29120001196861267},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.29019999504089355},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.28290000557899475},{"id":"https://openalex.org/C79403827","wikidata":"https://www.wikidata.org/wiki/Q3988","display_name":"Real-time computing","level":1,"score":0.27900001406669617},{"id":"https://openalex.org/C38369872","wikidata":"https://www.wikidata.org/wiki/Q7445009","display_name":"Security analysis","level":2,"score":0.27709999680519104},{"id":"https://openalex.org/C122783720","wikidata":"https://www.wikidata.org/wiki/Q183065","display_name":"Interpreter","level":2,"score":0.2703999876976013},{"id":"https://openalex.org/C2779907942","wikidata":"https://www.wikidata.org/wiki/Q7239630","display_name":"Predicate abstraction","level":3,"score":0.2687999904155731},{"id":"https://openalex.org/C80444323","wikidata":"https://www.wikidata.org/wiki/Q2878974","display_name":"Theoretical computer science","level":1,"score":0.26660001277923584},{"id":"https://openalex.org/C125411270","wikidata":"https://www.wikidata.org/wiki/Q18653","display_name":"Encoding (memory)","level":2,"score":0.2574999928474426},{"id":"https://openalex.org/C23123167","wikidata":"https://www.wikidata.org/wiki/Q7661193","display_name":"Symbolic trajectory evaluation","level":3,"score":0.2558000087738037},{"id":"https://openalex.org/C43126263","wikidata":"https://www.wikidata.org/wiki/Q128751","display_name":"Source code","level":2,"score":0.25459998846054077}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2605.22058","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.22058","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2605.22058","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.22058","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","score":0.7473322153091431,"id":"https://metadata.un.org/sdg/16"}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Trusted":[0],"Execution":[1],"Environments":[2],"(TEEs)":[3],"provide":[4],"hardware-enforced":[5],"isolation":[6],"that":[7,92,135],"protects":[8],"sensitive":[9],"code":[10,90],"and":[11,31,38,98,131,140,163,191],"data":[12],"from":[13],"untrusted":[14],"software.":[15],"Despite":[16],"their":[17],"strong":[18],"security":[19,182],"guarantees,":[20],"analyzing":[21],"TEE":[22,36,71,76,89],"applications":[23,72],"remains":[24],"challenging":[25],"due":[26],"to":[27,87,107,179],"the":[28,44,110,161],"high":[29],"cost":[30,154],"complexity":[32],"of":[33,155,165,169],"configuring":[34],"complete":[35],"build":[37],"runtime":[39],"environments,":[40],"as":[41,43],"well":[42],"limited":[45],"observability":[46],"imposed":[47],"by":[48,80],"hardware":[49],"isolation.":[50],"This":[51],"paper":[52],"presents":[53],"SymTEE,":[54],"a":[55,188],"novel":[56],"large":[57],"language":[58],"model":[59],"(LLM)-assisted":[60],"symbolic":[61,123,171],"execution":[62,120],"framework":[63,193],"for":[64,122,194],"detecting":[65,144],"missing":[66,145],"input":[67,96,146],"validation":[68,147],"issues":[69],"in":[70,104,143],"without":[73,184],"requiring":[74],"real":[75],"setups.":[77],"SymTEE":[78,136],"begins":[79],"leveraging":[81],"Abstract":[82],"Syntax":[83],"Tree":[84],"(AST)":[85],"analysis":[86,153,183],"extract":[88],"slices":[91,112],"may":[93],"lack":[94],"sufficient":[95],"validation,":[97],"then":[99],"employs":[100],"an":[101,151],"LLM":[102],"(GPT-5":[103],"our":[105],"case)":[106],"automatically":[108],"convert":[109],"extracted":[111],"into":[113],"KLEE-compatible":[114],"harness":[115],"programs":[116],"containing":[117],"lightweight":[118],"mock":[119,177],"environments":[121,178],"analysis.":[124],"Evaluations":[125],"on":[126],"26":[127],"vulnerabilities":[128,148],"(11":[129],"real-world":[130],"15":[132],"synthetic)":[133],"show":[134],"achieves":[137],"100%":[138],"precision":[139],"92.3%":[141],"recall":[142],"while":[149],"incurring":[150],"average":[152],"only":[156],"$0.05.":[157],"These":[158],"results":[159],"demonstrate":[160],"effectiveness":[162],"practicality":[164],"SymTEE's":[166],"pioneering":[167],"paradigm":[168],"LLM-assisted":[170],"execution,":[172],"where":[173],"LLMs":[174],"autonomously":[175],"generate":[176],"enable":[180],"automated":[181],"complex":[185],"setup,":[186],"providing":[187],"more":[189],"accessible":[190],"scalable":[192],"trusted":[195],"computing":[196],"systems.":[197]},"counts_by_year":[],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2026-05-23T00:00:00"}