Code-Augur: Agentic Vulnerability Detection via Specification Inference

๐Ÿ“… 2026-06-16
๐Ÿ“ˆ Citations: 0
โœจ Influential: 0
๐Ÿ“„ PDF
๐Ÿค– AI Summary
Current autonomous LLM agents for vulnerability detection suffer from opaque reasoning and reliance on unverified implicit assumptions, often leading to false negatives and low credibility. This work proposes a novel โ€œsecurity specifications firstโ€ paradigm: it explicitly infers component-level security specifications and encodes them as source-code assertions, then employs runtime-guided fuzzing in a closed-loop process to falsify and iteratively refine these specifications, yielding a verifiable and iterative detection workflow. The approach uniquely integrates specification inference with LLM-based vulnerability detection, combining static analysis, specification generation, guided fuzzing, and assertion injection. Evaluated on real-world open-source projects, it discovers 22 previously unknown vulnerabilities, significantly outperforming existing agent-based methods and specialized models such as Claude Mythos.
๐Ÿ“ Abstract
The advent of agentic vulnerability detection is already becoming a watershed moment for software security. Audits conducted entirely by autonomous LLM agents are uncovering critical vulnerabilities in fundamental software underpinning digital society. Many of these vulnerabilities remained masked for years, surfacing only now with AI agents. Yet the reasoning behind these discoveries remains alarmingly opaque and unvalidated. What assumptions did the agent make about a function's inputs when it deemed that function to be secure? Failures in reasoning and incorrect assumptions can lead to missed vulnerabilities and reduce trust in agentic analysis. We propose a security-specification-first paradigm that (1) exposes the agent's tacit assumptions explicitly as security specifications and (2) continuously refines those specifications via runtime falsification. We realize our approach in Code-Augur, a novel harness for agentic vulnerability detection. Given a codebase, Code-Augur analyzes each component of the system for vulnerable code. When it deems a component to be secure, it commits the local invariants behind that judgment as in-source assertions. In parallel, Code-Augur leverages a guided fuzzer to attempt to falsify those assumptions. When the fuzzer triggers an assertion, this either reveals a genuine vulnerability or a flawed specification to refine. In both cases, this process grounds the agent's understanding, aligning its view of code intent with how the code actually behaves. On real-world subjects, Code-Augur effectively leverages security specifications to detect more vulnerabilities than other state-of-the-art agents. Additionally, Code-Augur found 22 new vulnerabilities in key open-source projects. Compared to curated specialized models like Claude Mythos, Code-Augur offers effective agentic vulnerability detection built on widely available LLMs like Sonnet and DeepSeek.
Problem

Research questions and friction points this paper is trying to address.

agentic vulnerability detection
security specification
reasoning opacity
assumption validation
software security
Innovation

Methods, ideas, or system contributions that make the work stand out.

specification inference
agentic vulnerability detection
runtime falsification
guided fuzzing
security assertions
๐Ÿ”Ž Similar Papers
No similar papers found.