system: OPERATIONAL
← back to all hacks
RESEARCH MEDIUM NEW

Antaeus: repository-grounded LLM reasoning for logic vulnerabilities

A July 1, 2026 paper grounds LLM reasoning in whole-repository context to find access-control and info-exposure logic bugs — detecting 15 of 28 where frontier agents caught at most 4.

2026-07-05 // 6 min affects: llm-vulnerability-detectors, coding-agents, opus-4.8, gpt-5.4, c-cpp-codebases

What is this?

On July 1, 2026, Michele Armillotta, Nicolò Romandini, Rebecca Montanari and Lorenzo Cavallaro published Antaeus: Hunting Repository-Level Logic Vulnerabilities via Context-Grounded LLM Reasoning (arXiv:2607.01138). It is a defensive tooling paper, not an attack: a pipeline that finds logic vulnerabilities — improper access control and exposure of sensitive information — in large C and C++ codebases by grounding a language model’s reasoning in the surrounding repository rather than in one isolated function.

Logic bugs are the class that classic tools handle worst. A memory-safety bug shows up as an invalid access, and a dataflow bug as tainted propagation from source to sink, but a logic flaw is the absence of a check that the application’s own conventions require. The authors’ motivating case is a 2020 access-control flaw in libvirt: a public entry point that configured a guest-agent timeout was locally correct on every line, yet missing a single read-only guard, so a read-only client could set the timeout to zero and cause a denial of service. Every line looked benign in isolation; the vulnerability lived in the repository’s trust model. The paper’s central finding is that even frontier agentic models struggle here, and that structured context grounding closes much of the gap.

How it works

Antaeus runs a repository-scale pipeline in four stages. Prioritization first prunes to C/C++ source, applies loose keyword heuristics to keep only functions touching authorization, access control, trust boundaries or configuration, then compresses each surviving function to its signature plus the callees it invokes. An agentic model ranks these compact representations, cutting the functions that receive detailed analysis by roughly 29–33×.

Contextual grounding then builds the evidence needed to judge a prioritized function: local augmentation (the types, macros, constants and callee bodies that pin down what each line means) plus a repository-level view of what the application is for, which resources it mediates and where its trust boundaries lie. Structured reasoning asks the model to name the security-sensitive sinks in the function, derive the safety conditions required for each to be safe, and check whether those conditions are locally satisfied. Finally, comparative validation — an embedding-based stage — prunes findings that merely reflect project-wide norms rather than distinctive violations, and the tool reports the sink, the violated condition and the supporting evidence.

Why it matters

Evaluated on 28 real-world repositories drawn from a repository-level CVE dataset (12 information-exposure and 16 access-control cases, each with its full project as ground truth), Antaeus detected and explained 15 of 28 vulnerabilities using one frontier model and 12 of 28 with another, and reproduced 15 of 28 on a newer model version. Every configuration of the baselines — single-function LLM prompts and autonomous agentic scanners over both raw and pre-ranked repositories — topped out at 4 of 28. The agentic baselines kept false positives low mainly by examining less code: given the same ranked function set, they still curtailed the search internally, so extra effort produced more spurious findings rather than reaching the flaw. The lesson is that a frontier “agent, go audit this repo” pass is not a complete logic-bug review; recall came from exhaustive analysis of prioritized code plus grounding, not from a smarter model alone.

Defenses

For defenders the practical takeaways are concrete. Do not treat an autonomous agent’s repository scan as coverage for logic vulnerabilities — the agents in this study silently limited how much code they inspected. Prefer tools whose output names the sink, the specific safety condition that is unmet, and the evidence, because that structure is what makes triage tractable and a finding actionable rather than a vague flag. For the underlying classes, enforce access-control invariants at every public entry point and trust boundary (a read-only or privilege check on each state-changing operation), audit what crosses a boundary for sensitive-information exposure, and write project security invariants down so they can be checked mechanically. Finally, note the dual-use reality: the same context-grounding that lifts defensive recall also strengthens offensive discovery, so teams shipping large C/C++ code should adopt these methods now to keep remediation ahead of attackers.

Status

Antaeus is a research prototype. No exploit or weaponized tooling is released; the work is an evaluation of a detection pipeline against known, patched flaws.

ItemDetail
PublicationarXiv:2607.01138, July 1, 2026
TypeDefensive detection framework + evaluation (no exploit released)
ScopeRepository-level logic vulnerabilities in C/C++ (CWE-284 improper access control, CWE-200 sensitive-information exposure)
Result15/28 detected and explained; strongest baseline 4/28
Motivating CVECVE-2020-10701 (libvirt read-only access-control flaw)

Sources