Many programs involve operations and logic that manipulate user privileges, which is essential to the security of an organization. A common goal of attackers is therefore to obtain or escalate privileges, causing privilege leakage. To protect the program and the organization against privilege leakage attacks, the vulnerabilities that can be exploited to mount such attacks must be eliminated. Unfortunately, while memory vulnerabilities are comparatively easy to find, logic vulnerabilities are more pressing, more harmful and harder to identify. Accordingly, many analysts first locate user privilege related (UPR) variables and use them as starting points, then investigate the code where those variables are used for vulnerabilities, especially logic vulnerabilities. In this paper, we introduce a large language model (LLM) workflow that assists analysts in identifying such UPR variables, a task that is considered very time-consuming. Specifically, our tool audits all variables in a program and outputs a UPR score for each, which measures the degree of relationship (closeness) between the variable and user privileges. The proposed approach avoids the drawbacks of directly prompting an LLM to find UPR variables by applying the LLM at the statement level instead of supplying it with very long code snippets. Variables with high UPR scores are potential UPR variables that should be investigated manually. Our experiments show that with a typical UPR score threshold (i.e., UPR score > 0.8), the false positive rate (FPR) is only 13.49%, while the number of UPR variables found is significantly higher than with the heuristic-based method.
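The following scaffold is an added example, not the paper's tool, written to make the statement-level workflow concrete: a program is split into single statements, a scorer is asked about one (variable, statement) pair at a time, the per-statement answers are aggregated into one UPR score per variable, and variables above the threshold become the manual-review queue. Everything not stated in the abstract is an assumption of this example: the sample program is constructed, `lexical_stand_in` is a keyword scorer standing in for the LLM so the code runs offline, and max-over-statements is the aggregation chosen here.

```python
"""Statement-level UPR scoring scaffold (added example, not the paper's tool).

It mirrors the workflow the abstract describes: every variable in a program
gets a UPR score, and the scorer sees one statement at a time instead of a
long code snippet. The LLM is replaced by `lexical_stand_in`, a keyword
scorer that exists only so the example runs offline; a real deployment would
prompt a model with the same (variable, statement) pair and parse its score.
"""
import ast
from typing import Callable, Dict, List, NamedTuple, Tuple

UPR_THRESHOLD = 0.8  # the "typical" threshold quoted in the abstract

# Constructed sample program to audit (not taken from the paper).
SAMPLE_SOURCE = '''
def handle(request, db):
    user = db.lookup(request.user_id)
    role = user.role
    is_admin = role == "admin"
    buf_len = len(request.body)
    if is_admin or request.override:
        grant_access(user, "write")
    return buf_len
'''

# A scorer takes (variable_name, statement_source) and returns a value in [0, 1].
Scorer = Callable[[str, str], float]


class UPRResult(NamedTuple):
    score: float    # aggregated UPR score for the variable
    evidence: str   # the statement that produced that score (for manual review)


def _names_used(node: ast.AST) -> List[str]:
    """Variable names read or written in `node`, excluding called function names."""
    called = {n.func.id for n in ast.walk(node)
              if isinstance(n, ast.Call) and isinstance(n.func, ast.Name)}
    return sorted({n.id for n in ast.walk(node)
                   if isinstance(n, ast.Name) and n.id not in called})


def statement_units(source: str) -> List[Tuple[str, List[str]]]:
    """Split a program into one-statement units: (statement_text, variables_used).

    Simple statements are taken whole; for `if`/`while` only the controlling
    test expression is taken, and other compound statements (functions, loops,
    with/try blocks) are skipped as containers, so the scorer is never handed
    a multi-line block.
    """
    tree = ast.parse(source)
    units: List[Tuple[str, List[str]]] = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.If, ast.While)):
            target: ast.AST = node.test
        elif (isinstance(node, ast.stmt)
              and not hasattr(node, "body") and not hasattr(node, "cases")):
            target = node
        else:
            continue
        text = ast.get_source_segment(source, target)
        if text:
            units.append((text, _names_used(target)))
    return units


def lexical_stand_in(variable: str, statement: str) -> float:
    """Offline stand-in for the LLM scorer (an assumption of this example).

    The real workflow would prompt a model with exactly this one statement and
    ask how closely `variable` relates to user privileges. Here the score is
    0.5 per privilege-related keyword present in the pair, capped at 1.0.
    """
    terms = ("admin", "role", "privilege", "permission", "grant", "access", "override")
    text = f"{variable} {statement}".lower()
    return min(1.0, 0.5 * sum(1 for t in terms if t in text))


def audit(source: str, scorer: Scorer) -> Dict[str, UPRResult]:
    """Score every variable; its UPR score is the max over the statements using it.

    Max (rather than mean) is the aggregation chosen for this example: a single
    statement tying a variable to a privilege decision is enough to warrant the
    manual look that the abstract prescribes for high-scoring variables.
    """
    results: Dict[str, UPRResult] = {}
    for text, names in statement_units(source):
        for name in names:
            s = scorer(name, text)
            if name not in results or s > results[name].score:
                results[name] = UPRResult(s, text)
    return results


def potential_upr_variables(results: Dict[str, UPRResult],
                            threshold: float = UPR_THRESHOLD) -> List[str]:
    """Names whose score exceeds the threshold, i.e. the manual-review queue."""
    return sorted(n for n, r in results.items() if r.score > threshold)


if __name__ == "__main__":
    res = audit(SAMPLE_SOURCE, lexical_stand_in)
    for name in potential_upr_variables(res):
        print(f"{name:10s} {res[name].score:.2f}  <- {res[name].evidence}")
```

On the constructed sample, `is_admin`, `role`, `request` and `user` exceed the 0.8 threshold and `buf_len` and `db` do not; the `evidence` field keeps the single statement behind each score so the analyst can start the manual investigation there rather than re-reading the whole function.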