ShadowProbe: Language-Extensible Detection of Hidden Algorithmic Complexity Vulnerabilities

📅 2026-07-06
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
Algorithmic complexity vulnerabilities (ACVs) stem from hidden “shadow complexity” in standard library APIs, potentially causing severe performance degradation or denial-of-service. This work proposes the first language-extensible framework for ACV detection, integrating lightweight static analysis, symbolic execution–based context reconstruction, and large language model–guided test input generation—eliminating the need for heavy runtime instrumentation or manual test harnesses. Evaluated on the WISE benchmark, the approach substantially improves analysis efficiency and uncovers multiple previously unknown ACVs in real-world systems including CPython, JDK, Zig, Rustc, and vLLM, most of which have been acknowledged and patched by their respective maintainers.
📝 Abstract
Algorithmic Complexity Vulnerabilities (ACVs) arise when adversarial inputs trigger worst-case execution behavior, causing severe performance degradation or Denial-of-Service conditions. A key but underexplored source is shadow complexity: non-trivial computational costs hidden inside seemingly benign standard library APIs. Because these costs are invisible at call sites, attackers can exploit them to induce unexpected superlinear runtime behavior. Existing ACV detectors often rely on fuzzing, symbolic execution, or hybrid analysis, but they are usually language-specific, require substantial manual effort to construct harnesses, and depend on heavy runtime instrumentation. We present ShadowProbe, a scalable and language-extensible framework for discovering ACVs through lightweight static analysis, automated reconstruction of execution contexts, and Large Language Model (LLM) assisted test generation. ShadowProbe uses a structured multi-stage pipeline: it statically screens for candidate functions guided by shadow-complexity signals, reconstructs minimal executable contexts from project-level symbols, and synthesizes size-controlled inputs to probe worst-case behavior. It then validates candidates using execution-time measurements and robust statistical growth inference, separating true algorithmic blowups from runtime noise such as garbage collection and JIT compilation effects. We evaluate ShadowProbe on the WISE benchmark, where it consistently improves analysis efficiency over existing approaches. We further apply it to large-scale systems including CPython, the JDK, Zig, Rustc, and vLLM, uncovering many previously unknown ACVs, many of which have been confirmed and partially remediated by maintainers. These results show that ShadowProbe can identify hidden algorithmic risks across diverse real-world codebases.
Problem

Research questions and friction points this paper is trying to address.

Algorithmic Complexity Vulnerabilities
Shadow Complexity
Denial-of-Service
Standard Library APIs
Worst-case Execution
Innovation

Methods, ideas, or system contributions that make the work stand out.

Algorithmic Complexity Vulnerabilities
Shadow Complexity
Language-Extensible Analysis
LLM-Assisted Test Generation
Static-Dynamic Hybrid Detection
🔎 Similar Papers
No similar papers found.
Y
Yuanmin Xie
Tsinghua University
X
Xiangfan Wu
Ocean University of China, QI-ANXIN Technology Research Institute
W
Wenhao Wu
Southeast University, QI-ANXIN Technology Research Institute
L
Lingyun Ying
QI-ANXIN Technology Research Institute
P
Puzhuo Liu
Tsinghua University
H
Haipeng Qu
Ocean University of China
Z
Zhongyuan Chen
Ocean University of China, QI-ANXIN Technology Research Institute
Min Zhou
Min Zhou
Tsinghua University
Software EngineeringModel Checking
Chengnian Sun
Chengnian Sun
Associate Professor of Computer Science, University of Waterloo
Software EngineeringProgramming Languages