RVAsec 2024 - Patch Perfect: Harmonizing with LLMs to Find Security Vulns

Are LLMs a revolutionary leap forward for security research—or just spicy auto-complete?

The truth lies somewhere in between. This talk, led by Bishop Fox researchers Caleb Gross and Josh Shomo, cuts through the hype and offers a practical perspective that's grounded in real-world analysis of critical bugs in widely used products. We'll walk through our process of harnessing large language models (LLMs) for patch-diffing in the context of N-day vulnerability research.

Given a vague security advisory and some complicated code diffs, can an LLM get you closer to finding the right spot in the code to dig deeper? Which models work best for this task, and why? 

Let’s ditch the theory and get our hands dirty with iterative experimentation. Whether you’re a seasoned pentester, applied researcher, or budding practitioner, you'll take away tactical lessons for incorporating AI into your security toolkit.
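The workflow the abstract describes, patch-diffing against a vague advisory, has two parts that are worth seeing in code: carving a vendor patch into per-hunk candidates and ranking those candidates against the advisory text. The following is an added example written for this page; it is not code from the talk or from raink. It uses a constructed advisory and a constructed three-file diff, and it ranks with a deliberately simple lexical scorer (identifier overlap between the advisory and each hunk's changed lines) that stands in for the LLM judgement the talk is about; the `score` parameter of `rank_hunks` is the hook where an LLM-backed comparison would go. The file paths, function names and the `DOC_SUFFIXES` filter are assumptions for the example.

```python
"""Split a unified diff into hunks and rank them against a security advisory.

Added example for this page (not the talk's or raink's code). The lexical
scorer is a baseline stand-in for an LLM judgement; swap it via `score=`.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed advisory text, deliberately vague in the way real ones are.
ADVISORY = (
    "An authenticated user can bypass the path sanitization in the file "
    "download handler, allowing directory traversal to files outside the "
    "configured base directory."
)

# Constructed git-style diff: one security-relevant hunk, one unrelated
# logging hunk, and a changelog entry that merely *describes* the fix.
DIFF = """\
diff --git a/app/download.py b/app/download.py
--- a/app/download.py
+++ b/app/download.py
@@ -10,6 +10,9 @@ def download(request):
     name = request.args.get("file")
-    path = os.path.join(BASE_DIR, name)
+    path = os.path.normpath(os.path.join(BASE_DIR, name))
+    if not path.startswith(BASE_DIR + os.sep):
+        raise Forbidden("directory traversal attempt")
     return send_file(path)
diff --git a/app/logging.py b/app/logging.py
--- a/app/logging.py
+++ b/app/logging.py
@@ -3,4 +3,4 @@ def log_request(request):
-    logger.info("request from %s", request.remote_addr)
+    logger.info("request from %s for %s", request.remote_addr, request.path)
diff --git a/CHANGELOG.md b/CHANGELOG.md
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,4 @@
 # Changelog
+- Security: fix directory traversal in the file download handler
"""


@dataclass
class Hunk:
    path: str
    header: str  # the "@@ -a,b +c,d @@ <function context>" line
    lines: list[str] = field(default_factory=list)

    def changed_text(self) -> str:
        """Only added/removed lines; unchanged context is noise for ranking."""
        return "\n".join(l[1:] for l in self.lines if l[:1] in "+-")


def split_hunks(diff: str) -> list[Hunk]:
    """Carve a unified diff into hunks, each tagged with its (new) file path."""
    hunks: list[Hunk] = []
    lines = diff.splitlines()
    path = ""
    current: Optional[Hunk] = None
    i = 0
    while i < len(lines):
        line = lines[i]
        # File boundary: either a git header or a '--- x' / '+++ y' pair.
        # A removed line starting with '-- ' inside a hunk also looks like
        # '--- ', so the pair check is what tells headers and content apart.
        if line.startswith("diff --git"):
            current = None
        elif line.startswith("--- ") and i + 1 < len(lines) and lines[i + 1].startswith("+++ "):
            current = None
            path = lines[i + 1][4:].strip()
            path = path[2:] if path.startswith("b/") else path
            i += 1  # consume the '+++' line as well
        elif line.startswith("@@"):
            current = Hunk(path, line)
            hunks.append(current)
        elif current is not None:
            current.lines.append(line)
        # Anything else outside a hunk (index/mode lines) is skipped.
        i += 1
    return hunks


_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]{2,}")
_STOP = {"the", "and", "for", "not", "from", "into", "with", "that", "this"}


def tokens(text: str) -> set[str]:
    return {t.lower() for t in _IDENT.findall(text)} - _STOP


def lexical_score(advisory: str, hunk: Hunk) -> float:
    """Baseline: count advisory terms that appear in the hunk's changed lines
    or its function-context header. This is the slot an LLM judge replaces."""
    return float(len(tokens(hunk.header + "\n" + hunk.changed_text()) & tokens(advisory)))


DOC_SUFFIXES = (".md", ".rst", ".txt")  # assumed doc extensions to drop


def rank_hunks(
    advisory: str,
    diff: str,
    score: Callable[[str, Hunk], float] = lexical_score,
    code_only: bool = True,
) -> list[Hunk]:
    """Return hunks sorted most-relevant first. Prose files (changelogs,
    release notes) restate the advisory and so dominate a lexical ranking;
    drop them by default so the ranking points at code."""
    hunks = split_hunks(diff)
    if code_only:
        hunks = [h for h in hunks if not h.path.lower().endswith(DOC_SUFFIXES)]
    return sorted(hunks, key=lambda h: score(advisory, h), reverse=True)


if __name__ == "__main__":
    for h in rank_hunks(ADVISORY, DIFF):
        print(f"{lexical_score(ADVISORY, h):.0f}  {h.path}  {h.header}")
```

Run with `code_only=False` and the CHANGELOG hunk wins, because the release note repeats the advisory's words; that is exactly the kind of surface match a keyword scorer rewards and a model reading the code is expected to see past. Whatever replaces `lexical_score`, keep the scorer pluggable so the same harness can compare models on the same diffs.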

Presented at RVAsec 2024: https://rvasec.com/

Check out Bishop Fox's new tool raink as featured in the presentation.



About the author, Caleb Gross

Director of Capability Development

Caleb Gross is the Director of Capability Development at Bishop Fox, where he leads a team of offensive security professionals specializing in attack surface research and vulnerability intelligence. Prior to coming to Bishop Fox, he served as an exploitation operator in the US Department of Defense's most elite computer network exploitation (CNE) unit. As a top-rated military officer, Caleb led an offensive operations team in the US Air Force's premier selectively manned cyber attack squadron.

Josh Shomo

About the author, Josh Shomo

Former Fox

Josh Shomo previously led vulnerability research within the Bishop Fox Capability Development team. His passion lies at the intersection of vulnerability research and vulnerability intelligence. Josh leverages vulnerability intelligence to prioritize his research efforts and conducts in-depth technical investigations to identify vulnerable technologies more effectively. Prior to joining Bishop Fox, Josh experienced rapid growth in the NSA's CNODP program, where he gained invaluable training and expertise. In addition to his work, Josh actively volunteers at security conferences in the Washington D.C. area, including BSides Washington D.C., BSides Charm, and MACCDC. Josh has also volunteered at BSides London.
