Zichen Xie

I am a senior undergraduate student at Zhejiang University (ZJU), currently applying for a PhD position for 25fall. Now, I am conducting research as an intern at the University of Illinois Urbana-Champaign (UIUC), under the supervision of Professor Lingming Zhang. Additionally, I serve as a research assistant in the NESA Lab at Zhejiang University, advised by Professor Shouling Ji.

I am a member of ACEE (Advanced Honor Class for Engineering Education) in Chu Kochen Honors College.

My research interests lie in the areas of Software Engineering, Software Security and Machine Learning, especially in leveraging AI technologies for program analysis, code generation and improving the reliability of software systems. I am now working on leveraging LLMs for static analysis and code generation.

To date, my work has uncovered more than 100 previously unknown bugs in different open-source projects, including Apache Druid and Netty, as well as 41 bugs in the Linux kernel.

selected publications

Pre-print
Exploring Automatic Cryptographic API Misuse Detection in the Era of LLMs

Yifan Xia, Zichen Xie, Peiyu Liu, and 4 more authors

arXiv preprint arXiv:2407.16576, 2024

Abs Bib HTML

While the automated detection of cryptographic API misuses has progressed significantly, its precision diminishes for intricate targets due to the reliance on manually defined patterns. Large Language Models (LLMs), renowned for their contextual understanding, offer a promising avenue to address existing shortcomings. However, applying LLMs in this security-critical domain presents challenges, particularly due to the unreliability stemming from LLMs’ stochastic nature and the well-known issue of hallucination. To explore the prevalence of LLMs’ unreliable analysis and potential solutions, this paper introduces a systematic evaluation framework to assess LLMs in detecting cryptographic misuses, utilizing a comprehensive dataset encompassing both manually-crafted samples and real-world projects. Our in-depth analysis of 11,940 LLM-generated reports highlights that the inherent instabilities in LLMs can lead to over half of the reports being false positives. Nevertheless, we demonstrate how a constrained problem scope, coupled with LLMs’ self-correction capability, significantly enhances the reliability of the detection. The optimized approach achieves a remarkable detection rate of nearly 90%, surpassing traditional methods and uncovering previously unknown misuses in established benchmarks. Moreover, we identify the failure patterns that persistently hinder LLMs’ reliability, including both cryptographic knowledge deficiency and code semantics misinterpretation. Guided by these insights, we develop an LLM-based workflow to examine open-source repositories, leading to the discovery of 63 real-world cryptographic misuses. Of these, 46 have been acknowledged by the development community, with 23 currently being addressed and 6 resolved. Reflecting on developers’ feedback, we offer recommendations for future research and the development of LLM-based security tools.
@article{xia2024exploring, title = {Exploring Automatic Cryptographic API Misuse Detection in the Era of LLMs}, author = {Xia, Yifan and Xie, Zichen and Liu, Peiyu and Lu, Kangjie and Liu, Yan and Wang, Wenhai and Ji, Shouling}, journal = {arXiv preprint arXiv:2407.16576}, year = {2024}, }

internships

Jul. 2024 - Aug. 2024	Tencent CDG, Wechat Ads, Software Testing Engineer