Automations for Zero-Day Vulnerability Discovery

Talk by Fabian Yamaguchi

2026-01-09
Location: TU Wien, EI 11 Geodäsie HS (Gußhausstraße 27-29, 1040 Wien) (CD0304)
Date/Time: 2026-01-14 14:00 ‒ 16:00

Abstract: The discovery of zero-day vulnerabilities remains one of the most significant challenges in computer security, traditionally reliant on the manual expertise of seasoned security researchers. As software complexity scales exponentially, manual auditing alone can no longer keep pace with the vast attack surfaces of modern codebases. This lecture explores the evolution of automated vulnerability discovery, centering on the development and application of the Code Property Graph (CPG) — a unified program representation that has bridged the gap between academic static analysis and industrial-scale security auditing.

We will begin by examining the theoretical foundations of the CPG, which merges abstract syntax trees (ASTs), control flow graphs (CFGs), and program dependence graphs (PDGs) into a single, queryable data structure. This representation allows for the elegant modeling of complex vulnerability patterns — such as taint-style flaws and missing checks — using expressive graph traversals.
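To make the merged representation concrete, here is an added example written for this page; it is not Joern code and does not use Joern's query language. The node labels, edge kinds, graph layout and the two C-like handlers are all assumptions, wired by hand rather than produced by a parser. The graph carries AST, CFG, reaching-definition (data dependence) and control-dependence edges for a checked and an unchecked `memcpy` caller, and the two patterns named in the abstract become graph traversals: a taint-style query that follows data flow from parameters into `memcpy` arguments, and a missing-check query that flags the call whose length argument is not guarded by any condition the call is control-dependent on.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Node:
    id: int
    label: str    # METHOD, PARAM, CALL, IDENTIFIER or CONTROL_STRUCTURE
    code: str     # source text the node stands for
    method: str   # enclosing function


@dataclass
class CPG:
    """One graph holding AST, CFG, REACHING_DEF (data dependence) and CDG
    (control dependence) edges: the views the CPG merges. Assumed toy
    layout, not Joern's schema."""
    nodes: dict = field(default_factory=dict)
    edges: dict = field(default_factory=lambda: defaultdict(lambda: defaultdict(list)))

    def add_node(self, label, code, method):
        nid = len(self.nodes) + 1
        self.nodes[nid] = Node(nid, label, code, method)
        return nid

    def add_edge(self, kind, src, dst):
        self.edges[kind][src].append(dst)

    def by_label(self, label):
        return [n for n in self.nodes.values() if n.label == label]

    def out(self, kind, nid):            # successors along edges of `kind`
        return self.edges[kind].get(nid, [])

    def ins(self, kind, nid):            # predecessors along edges of `kind`
        return [s for s, ds in self.edges[kind].items() if nid in ds]


def build_sample():
    """Constructed sample, two C-like handlers wired by hand:
       void safe(char *buf, int len)   { char out[64]; if (len > 64) return; memcpy(out, buf, len); }
       void unsafe(char *buf, int len) { char out[64]; memcpy(out, buf, len); }"""
    g = CPG()
    for fn, has_check in (("safe", True), ("unsafe", False)):
        m = g.add_node("METHOD", fn, fn)
        p_buf = g.add_node("PARAM", "buf", fn)
        p_len = g.add_node("PARAM", "len", fn)
        call = g.add_node("CALL", "memcpy(out, buf, len)", fn)
        args = [g.add_node("IDENTIFIER", a, fn) for a in ("out", "buf", "len")]
        for child in (p_buf, p_len, call):
            g.add_edge("AST", m, child)
        for a in args:
            g.add_edge("AST", call, a)
        g.add_edge("REACHING_DEF", p_buf, args[1])   # buf flows into the call
        g.add_edge("REACHING_DEF", p_len, args[2])   # len flows into the call
        if has_check:
            cond = g.add_node("CONTROL_STRUCTURE", "if (len > 64)", fn)
            c_len = g.add_node("IDENTIFIER", "len", fn)
            g.add_edge("AST", m, cond)
            g.add_edge("AST", cond, c_len)
            g.add_edge("REACHING_DEF", p_len, c_len)
            g.add_edge("CFG", m, cond)
            g.add_edge("CFG", cond, call)
            g.add_edge("CDG", cond, call)   # the call is reached only when the check does not return
        else:
            g.add_edge("CFG", m, call)
    return g


def call_args(g, call):
    return [g.nodes[c] for c in g.out("AST", call.id) if g.nodes[c].label == "IDENTIFIER"]


def sink_calls(g, sink):
    return [c for c in g.by_label("CALL") if c.code.startswith(sink + "(")]


def missing_check(g, sink, arg_index):
    """'Missing check' pattern: calls to `sink` whose argument number
    `arg_index` is not mentioned by any condition the call is control-
    dependent on (AST and CDG edges walked together)."""
    hits = []
    for call in sink_calls(g, sink):
        arg = call_args(g, call)[arg_index]
        checked = any(
            arg.code in {g.nodes[c].code for c in g.out("AST", cond)}
            for cond in g.ins("CDG", call.id))
        if not checked:
            hits.append(call)
    return hits


def taint_flows(g, sink):
    """Taint-style pattern: follow REACHING_DEF edges from every PARAM and
    report (method, param, argument) whenever a `sink` argument is reached."""
    sink_args = {a.id for c in sink_calls(g, sink) for a in call_args(g, c)}
    flows = []
    for p in g.by_label("PARAM"):
        stack, seen = [p.id], set()
        while stack:
            cur = stack.pop()
            if cur in seen:
                continue
            seen.add(cur)
            if cur in sink_args:
                flows.append((p.method, p.code, g.nodes[cur].code))
            stack.extend(g.out("REACHING_DEF", cur))
    return flows


if __name__ == "__main__":
    g = build_sample()
    for call in missing_check(g, "memcpy", 2):
        print(f"{call.method}: {call.code} has an unchecked length argument")
    for flow in taint_flows(g, "memcpy"):
        print("flow:", flow)
```

The point of the toy is the shape of the queries: neither needs a second pass over source text, because the syntactic (AST), control-flow (CFG, CDG) and data-flow (REACHING_DEF) facts it combines already sit in one graph. On the sample, the taint query reports all four parameter-to-argument flows, while the missing-check query reports only the `unsafe` handler, since the `safe` call is control-dependent on a condition that mentions `len`.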

Moving from theory to practice, the session will detail the challenges and “street smarts” required to implement these concepts in a production environment. Drawing on experience from the open-source platform Joern and its commercial counterparts, we will discuss:

  • Scalability: How to perform deep data-flow tracking across millions of lines of code within modern CI/CD time constraints (e.g., < 10 minutes).
  • Abstraction Levels: Handling diverse instruction sets and programming languages through a language-agnostic intermediate representation.
  • Human-in-the-Loop Automation: Shifting the focus from “black-box” scanners to extensible “analyst workbench” tools that augment the auditor’s capabilities.

The lecture concludes with a look at the future of the field, including the integration of machine learning and large language models (LLMs) with graph-based analysis to further refine the precision of automated bug hunting.

Bio: Prof. Dr. Fabian Yamaguchi is co-founder and CTO of Whirly Labs, Adjunct Professor for Computer Security at Stellenbosch University, and Chief Scientist Emeritus at Qwiet.ai (formerly ShiftLeft Inc.). He is a seasoned expert in cyber security with over 20 years of experience, both as an individual contributor and in leadership roles.

Most recently, he was a founding team member of ShiftLeft Inc., where he built and led the R&D team that designed and implemented the automated vulnerability discovery technology at the heart of the product offering — based on his 2015 award-winning PhD thesis “Pattern-Based Vulnerability Discovery”.

Throughout his career, he has identified previously unknown vulnerabilities in widely used software such as the Microsoft Windows and Linux kernels, the Squid proxy server, and the VLC media player. He has presented his findings and techniques both at major industry conferences such as BlackHat USA, DefCon, FIRST, and CCC, and at renowned academic security conferences such as ACSAC, IEEE Security and Privacy, and CCS.

He is the inventor of the code property graph and lead developer of the open-source code analysis platform Joern. Fabian holds a PhD in computer science from the University of Goettingen and a master’s degree in computer engineering from Technical University Berlin.

© Marco Squarcina