{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,2]],"date-time":"2026-07-02T07:03:10Z","timestamp":1782975790542,"version":"3.54.5"},"reference-count":58,"publisher":"IEEE","license":[{"start":{"date-parts":[[2026,5,18]],"date-time":"2026-05-18T00:00:00Z","timestamp":1779062400000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2026,5,18]],"date-time":"2026-05-18T00:00:00Z","timestamp":1779062400000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2026,5,18]]},"DOI":"10.1109\/sp63933.2026.00206","type":"proceedings-article","created":{"date-parts":[[2026,7,1]],"date-time":"2026-07-01T19:34:20Z","timestamp":1782934460000},"page":"3396-3413","source":"Crossref","is-referenced-by-count":0,"title":["SpecAuditor: Generating Audit Specifications for LLM-Driven Bug Detection"],"prefix":"10.1109","author":[{"given":"Miaoqian","family":"Lin","sequence":"first","affiliation":[{"name":"The University of Hong Kong"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Hao","family":"Chen","sequence":"additional","affiliation":[{"name":"The University of Hong Kong"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"263","reference":[{"key":"ref1","volume-title":"Codeql: A semantic code-analysis engine for querying code as data","year":"2025"},{"key":"ref2","volume-title":"Clang Static Analyzer: A source code analysis tool for C, C++, and Objective-C","year":"2025"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1145\/2872362.2872389"},{"key":"ref4","article-title":"LinKriD: Vetting Imbalance Reference Counting in Linux kernel with Symbolic Execution","volume-title":"Proceedings of the 31st USENIX Security Symposium (Security)","author":"Liu","year":"2022"},{"key":"ref5","article-title":"Detecting Missed Security Operations Through Differential Checking of Objectbased Similar Paths","volume-title":"Proceedings of the 27th ACM Conference on Computer and Communications Security (CCS)","author":"Liu","year":"2021"},{"key":"ref6","article-title":"Knighter: Transforming static analysis with 11 m -synthesized checkers","volume":"abs\/2503.09002","author":"Yang","year":"2025","journal-title":"ArXiv"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833613"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.24416"},{"key":"ref9","article-title":"The midas touch: Triggering the capability of 11 ms for rm-api misuse detection","volume":"abs\/2409.09380","author":"Yang","year":"2024","journal-title":"ArXiv"},{"key":"ref10","first-page":"21083","article-title":"RepoAudit: An Autonomous LLM-Agent for Repository-Level Code Auditing","volume-title":"International Conference on Machine Learning","author":"Guo"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2024.findings-emnlp.217"},{"key":"ref12","article-title":"LLMxCPG: Context-Aware Vulnerability Detection Through Code Property Graph-Guided Large Language Models","volume":"abs\/2507.16585","author":"Lekssays","year":"2025","journal-title":"ArXiv"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1109\/SP61157.2025.00191"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1145\/3597503.3639117"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2025.241491"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2025.242001"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00043"},{"key":"ref18","article-title":"Automatically Detecting Error Handling Bugs Using Error Specifications","volume-title":"Proceedings of the 25th USENIX Security Symposium (Security)","author":"Jana","year":"2016"},{"key":"ref19","article-title":"AURC: Detecting errors in program code and documentation","volume-title":"32nd USENIX Security Symposium (USENIX Security 23)","author":"Hu","year":"2023"},{"key":"ref20","article-title":"Understanding and detecting disordered error handling with precise function pairing","volume-title":"30th USENIX Security Symposium (USENIX Security 21)","author":"Wu","year":"2021"},{"key":"ref21","first-page":"1885","article-title":"Inference of Error Specifications and Bug Detection Using Structural Similarities","volume-title":"33rd USENIX Security Symposium (USENIX Security 24)","author":"Dossche","year":"2024"},{"key":"ref22","article-title":"Detecting api post-handling bugs using code and description in patches","volume-title":"USENIX Security Symposium","author":"Lin","year":"2023"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1145\/3689031.3717487"},{"key":"ref24","article-title":"One Bug, Hundreds Behind: LLMs for Large-Scale Bug Discovery","author":"Wu","year":"2025","journal-title":"arXiv preprint"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2018.2816639"},{"key":"ref26","article-title":"APISan: Sanitizing API Usages through Semantic Cross-Checking","volume-title":"Proceedings of the 25th USENIX Security Symposium (Security)","author":"Yun","year":"2016"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3423360"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE48619.2023.00032"},{"key":"ref29","volume-title":"LangChain Documentation","year":"2025"},{"key":"ref30","volume-title":"Chroma documentation: Configure collections","year":"2026"},{"key":"ref31","volume-title":"Chroma API","year":"2026"},{"key":"ref32","volume-title":"Weggli: Fast and robust semantic search for code using tree-sitter","year":"2025"},{"key":"ref33","volume-title":"tree-sitter","year":"2025"},{"key":"ref34","volume-title":"Semgrep: Lightweight static analysis for many languages","year":"2025"},{"key":"ref35","volume-title":"ast-grep: A cli tool for code structural search, lint, and rewriting","year":"2025"},{"key":"ref36","volume-title":"System card: Claude opus 4 & claude sonnet 4","year":"2025"},{"key":"ref37","volume-title":"Index - the linux kernel documentation","year":"2025"},{"key":"ref38","volume-title":"C-pack: Packaged resources to advance general chinese embedding","author":"Xiao","year":"2023"},{"key":"ref39","volume-title":"siliconflow","year":"2025"},{"key":"ref40","article-title":"Detecting Missing-Check Bugs via Semantic- and Context-Aware Criticalness and Constraints Inferences","volume-title":"Proceedings of the 28th USENIX Security Symposium (Security)","author":"Lu","year":"2019"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2025.241491"},{"key":"ref42","article-title":"Generating api parameter security rules with 11 m for api misuse detection","volume":"abs\/2409.09288","author":"Liu","year":"2024","journal-title":"ArXiv"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1109\/SP40001.2021.00090"},{"key":"ref44","volume-title":"CVE-2022\u201349785 - NVD Detail","year":"2026"},{"key":"ref45","first-page":"6977","article-title":"From alarms to real bugs: Multi-target multi-step directed greybox fuzzing for static analysis result verification","volume-title":"34th USENIX Security Symposium (USENIX Security 25)","author":"Bao","year":"2025"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.44"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE55347.2025.00131"},{"key":"ref48","article-title":"Llm-assisted static analysis for detecting security vulnerabilities","volume":"abs\/2405.17238","author":"Li","year":"2024","journal-title":"ArXiv"},{"key":"ref49","article-title":"Automated Static Vulnerability Detection via a Holistic Neurosymbolic Approach","volume":"abs\/2504.16057","author":"Li","year":"2025","journal-title":"ArXiv"},{"key":"ref50","article-title":"QLCoder: A Query Synthesizer For Static Analysis of Security Vulnerabilities","author":"Wang","year":"2025","journal-title":"arXiv preprint"},{"key":"ref51","article-title":"BugScope: Learn to Find Bugs Like Human","volume":"abs\/2507.15671","author":"Guo","year":"2025","journal-title":"ArXiv"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.1145\/3728875"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1145\/3769082"},{"key":"ref54","article-title":"Devign: Effective vulnerability identification by learning comprehensive program semantics via graph neural networks","volume":"32","author":"Zhou","year":"2019","journal-title":"Advances in neural information processing systems"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.1109\/icse55347.2025.00038"},{"key":"ref56","article-title":"An llm agent for functional bug detection in network protocols","volume":"abs\/2506.00714","author":"Zheng","year":"2025","journal-title":"ArXiv"},{"key":"ref57","article-title":"Deepseekv3 technical report","volume":"abs\/2412.19437","author":"Liu","year":"2024","journal-title":"ArXiv"},{"key":"ref58","article-title":"Qwen3 technical report","volume":"abs\/2505.09388","year":"2025","journal-title":"ArXiv"}],"event":{"name":"2026 IEEE Symposium on Security and Privacy (SP)","location":"San Francisco, CA, USA","start":{"date-parts":[[2026,5,18]]},"end":{"date-parts":[[2026,5,21]]}},"container-title":["2026 IEEE Symposium on Security and Privacy (SP)"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/11573355\/11573356\/11573444.pdf?arnumber=11573444","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,7,2]],"date-time":"2026-07-02T05:35:30Z","timestamp":1782970530000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/11573444\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,5,18]]},"references-count":58,"URL":"https:\/\/doi.org\/10.1109\/sp63933.2026.00206","relation":{},"subject":[],"published":{"date-parts":[[2026,5,18]]}}}