I am a member of ACEE (Advanced Honor Class for Engineering Education) in Chu Kochen Honors College.
My research interests lie in the areas of Software Engineering, Software Security and Machine Learning, especially in Verifiable Code Generation and Software Testing.
To date, my work has uncovered more than 150 previously unknown bugs in different open-source projects, including Apache Druid and Netty, as well as 92 bugs in the Linux Kernel.
While the automated detection of cryptographic API misuses has progressed significantly, its precision diminishes for intricate targets due to the reliance on manually defined patterns. Large Language Models (LLMs) offer a promising context-aware understanding to address this shortcoming, yet the stochastic nature and the hallucination issue pose challenges to their applications in precise security analysis. This paper presents the first systematic study to explore LLMs’ application in cryptographic API misuse detection. Our findings are noteworthy: The instability of directly applying LLMs results in over half of the initial reports being false positives. Despite this, the reliability of LLM-based detection could be significantly enhanced by aligning detection scopes with realistic scenarios and employing a novel code & analysis validation technique, achieving a nearly 90% detection recall. This improvement substantially surpasses traditional methods and leads to the discovery of previously unknown vulnerabilities in established benchmarks. Nevertheless, we identify recurring failure patterns that illustrate current LLMs’ blind spots. Leveraging these findings, we deploy an LLM-based detection system and uncover 63 new vulnerabilities (47 confirmed, 7 already fixed) in open-source Java and Python repositories, including prominent projects like Apache.
@article{xia2025beyond,
  title={Beyond Static Pattern Matching? Rethinking Automatic Cryptographic API Misuse Detection in the Era of LLMs},
  author={Xia, Yifan and Xie, Zichen and Liu, Peiyu and Lu, Kangjie and Liu, Yan and Wang, Wenhai and Ji, Shouling},
  journal={Proceedings of the ACM on Software Engineering},
  volume={2},
  number={ISSTA},
  pages={113--136},
  year={2025},
  publisher={ACM New York, NY, USA},
}
SOSP 2025
KNighter: Transforming Static Analysis with LLM-Synthesized Checkers
Chenyuan Yang, Zijie Zhao, Zichen Xie, and 2 more authors
@article{yang2025knighter,
  title={KNighter: Transforming Static Analysis with LLM-Synthesized Checkers},
  author={Yang, Chenyuan and Zhao, Zijie and Xie, Zichen and Li, Haoyu and Zhang, Lingming},
  journal={arXiv preprint arXiv:2503.09002},
  year={2025},
}