Frame: Grounding LLM Vulnerability Detection with a Sound Separation-Logic Core
Frame introduces a neuro-symbolic Static Application Security Testing (SAST) architecture that combines a sound symbolic engine with an optional Large Language Model (LLM) layer to balance precision and recall. The symbolic core performs taint analysis and separation-logic verification using Z3, while the LLM acts as an agentic layer to detect context-dependent vulnerabilities, such as cross-file flows and missing controls, that symbolic engines often miss. All LLM-generated findings are rigorou
Analysis
TL;DR
- Frame introduces a neuro-symbolic Static Application Security Testing (SAST) architecture that combines a sound symbolic engine with an optional Large Language Model (LLM) layer to balance precision and recall.
- The symbolic core performs taint analysis and separation-logic verification using Z3, while the LLM acts as an agentic layer to detect context-dependent vulnerabilities, such as cross-file flows and missing controls, that symbolic engines often miss.
- All LLM-generated findings are rigorously grounded and verified against the symbolic engine's sink model, ensuring that unproven LLM outputs are tiered separately from symbolically proven results to maintain trustworthiness.
- In evaluations on a real-world corpus of five production applications, Frame achieved a recall of 0.67 and precision of 0.51 (F1 0.58), significantly outperforming Semgrep OSS (F1 0.45) and recovering approximately 65 vulnerabilities missed by both traditional symbolic engines and pattern scanners.
- The system employs a final triage pass to filter out confident false positives, particularly those arising from vendored libraries, and operates entirely on local models to ensure data privacy and determinism.
Why It Matters
This approach addresses the fundamental trade-off in security testing where high precision tools lack coverage and high-recall tools suffer from excessive noise. By using the symbolic engine to validate and tier LLM findings, Frame provides a practical blueprint for integrating generative AI into safety-critical infrastructure without sacrificing the soundness required for developer trust. It demonstrates that hybrid neuro-symbolic methods can effectively handle complex, context-aware vulnerabilities like missing security attributes or cross-file data flows, which are currently difficult for either pure symbolic or pure LLM-based scanners to detect reliably.
Technical Details
- Architecture: The system parses source code into an intermediate representation (SIL). The always-on symbolic core uses taint analysis and separation logic with the Z3 solver to prove vulnerabilities. An optional LLM layer runs as an agent with
read_fileandgreptools to explore the repository for broader context. - Verification Mechanism: LLM proposals are checked against the symbolic engine's sink model. Findings where the sink is recognized by the symbolic engine are promoted to a higher-confidence tier, while others remain lower-tier. This prevents the merging of unproven LLM hallucinations with symbolically verified facts.
- Performance Metrics: On the Endor Labs corpus (193 model-judged pooled vulnerabilities), Frame's full mode (symbolic + LLM + triage) achieved 0.67 recall and 0.51 precision. The symbolic core alone had lower recall (0.37) but higher precision (0.45). Semgrep OSS scored 0.52 recall and 0.40 precision.
- Vulnerability Types Detected: The LLM layer successfully identified specific issues like commented-out CSRF protection attributes (CWE-352) and cross-file flows, recovering 65 confirmed vulnerabilities that both the symbolic engine and Semgrep missed.
- Implementation: The LLM component runs on a local, OpenAI-compatible model, allowing for private, on-premise deployment. The system includes a dedicated triage pass to eliminate false positives, particularly those stemming from patterns in vendored/minified libraries.
Industry Insight
Security teams should consider adopting hybrid scanning strategies that leverage LLMs for breadth but enforce symbolic grounding for critical findings, rather than relying solely on either method. The tiered reporting mechanism demonstrated by Frame allows developers to prioritize symbolically proven risks while investigating LLM-suggested leads with appropriate caution, optimizing triage efficiency. As LLMs become integral to development workflows, ensuring their outputs are verifiable through formal methods or static analysis will be crucial for maintaining security posture without overwhelming engineering teams with noise.
Disclaimer: The above content is generated by AI and is for reference only.