Many programs contain operations and logic that manipulate user privileges, which is essential to the security of an organization. Accordingly, one common goal of attackers is to obtain or escalate privileges, causing privilege leakage. To protect a program and the organization against privilege leakage attacks, the vulnerabilities that can be exploited to mount such attacks must be eliminated. Unfortunately, while memory vulnerabilities are comparatively easy to find, logic vulnerabilities are more pressing, more harmful and harder to identify. Many analysts therefore first locate user privilege related (UPR) variables and use them as starting points for investigating the code in which those variables are used, looking for vulnerabilities, especially logic ones. In this paper, we introduce a large language model (LLM) workflow that assists analysts in identifying such UPR variables, a task generally considered very time-consuming. Specifically, our tool audits every variable in a program and outputs, for each variable, a UPR score: the degree of relationship (closeness) between that variable and user privileges. The proposed approach avoids the drawbacks of directly prompting an LLM to find UPR variables by applying the LLM at the statement level instead of supplying it with very long code snippets. Variables with high UPR scores are potential UPR variables that should be investigated manually. Our experiments show that with a typical UPR score threshold (i.e., UPR score > 0.8), the false positive rate (FPR) is only 13.49%, while the number of UPR variables found is significantly larger than that of the heuristic-based method.
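The following is an added illustration of the statement-level scoring idea sketched above; it is not the paper's tool and makes no claim about how the authors' pipeline is built. It decomposes a constructed Python program into the individual statements in which each variable appears, builds one short prompt per (variable, statement) pair, scores each prompt, and aggregates the per-statement scores into a per-variable UPR score that is then thresholded at 0.8. Because an LLM cannot be called offline, `stub_llm_score` is a keyword-based stand-in for the model (an assumption, as is the choice of `max` as the aggregation rule); the prompt text, the variable-to-statement mapping, the aggregation hook and the threshold step are the parts that carry over to a real LLM-backed deployment.

```python
"""Statement-level UPR scoring (illustrative example, not the paper's code)."""
import ast
from collections import defaultdict
from typing import Callable

# Constructed sample program under audit: privilege-handling logic mixed with
# unrelated code so the ranking has something to separate.
SAMPLE_PROGRAM = '''
def handle_request(session, req):
    role = session.get("role")
    is_admin = role == "admin"
    retries = 3
    buf = req.read(4096)
    if is_admin or req.flag == "override":
        grant_access(req.user, "write")
    counter = retries + 1
    return buf
'''

# Hypothetical keyword weights standing in for the LLM's judgement so the
# example runs offline; a real deployment sends the prompt to the model instead.
PRIV_TERMS = {"privilege": 0.95, "admin": 0.95, "grant_access": 0.95,
              "role": 0.9, "permission": 0.9, "override": 0.7,
              "user": 0.6, "session": 0.5}


def build_prompt(var: str, statement: str) -> str:
    """One short prompt per (variable, statement): the model never sees the whole file."""
    return (f"On a scale from 0 to 1, how closely is the variable `{var}` related "
            f"to user privileges in the following statement?\nStatement:\n{statement}")


def stub_llm_score(prompt: str) -> float:
    """LLM stand-in (assumption): score only the statement part of the prompt."""
    statement = prompt.split("Statement:\n", 1)[1].lower()
    hits = [w for term, w in PRIV_TERMS.items() if term in statement]
    return max(hits, default=0.05)


def variable_uses(source: str) -> dict[str, list[str]]:
    """Map each variable name to the source text of every statement that uses it."""
    tree = ast.parse(source)
    uses: dict[str, list[str]] = defaultdict(list)
    for node in ast.walk(tree):
        if not isinstance(node, ast.stmt) or isinstance(node, (ast.FunctionDef, ast.ClassDef)):
            continue
        # For if/while keep only the header expression so the prompt stays
        # short; body statements are visited on their own by ast.walk.
        piece = node.test if isinstance(node, (ast.If, ast.While)) else node
        text = ast.get_source_segment(source, piece)
        # Names used as the callee of a call are functions, not variables.
        callees = {id(c.func) for c in ast.walk(piece) if isinstance(c, ast.Call)}
        names = {n.id for n in ast.walk(piece)
                 if isinstance(n, ast.Name) and id(n) not in callees}
        for name in names:
            uses[name].append(text)
    return dict(uses)


def upr_scores(source: str,
               score_fn: Callable[[str], float] = stub_llm_score,
               aggregate: Callable[[list[float]], float] = max) -> dict[str, float]:
    """Per-variable UPR score: aggregate of the per-statement scores (max is an assumption)."""
    return {var: aggregate([score_fn(build_prompt(var, s)) for s in stmts])
            for var, stmts in variable_uses(source).items()}


def candidates(scores: dict[str, float], threshold: float = 0.8) -> list[str]:
    """Variables above the threshold, highest score first, for manual review."""
    return sorted((v for v, s in scores.items() if s > threshold),
                  key=lambda v: -scores[v])


if __name__ == "__main__":
    scores = upr_scores(SAMPLE_PROGRAM)
    for var, s in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{var:10s} {s:.2f}")
    print("candidates:", candidates(scores))
```

Swapping `stub_llm_score` for a function that posts `build_prompt(...)` to a model and parses the returned number is the only change needed to make this LLM-backed; the per-statement decomposition is what keeps each prompt small regardless of how long the audited program is.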