LoadDRP is a static analysis tool for detecting remote code execution (RCE) risks in the large-model supply chain. It focuses on vulnerabilities introduced when AI frameworks load untrusted external resources, including pretrained models, datasets, prompt templates, configuration files, and other reusable third-party assets.
As LLM applications increasingly depend on dynamically loaded components, these resources may become attack vectors if they are not properly validated. LoadDRP addresses this risk by extracting cross-file, taint-aware function call chains, using a large language model (LLM) to assist source-function identification, and performing path-sensitive and field-sensitive data-flow analysis to detect propagation from untrusted inputs to sensitive sinks.
- Extracts cross-file function call chains from Python projects.
- Identifies potential source functions with LLM assistance.
- Performs taint analysis with path-sensitive and field-sensitive tracking.
- Detects data-flow paths from untrusted external resources to security-sensitive APIs.
- Generates intermediate and final analysis results for inspection.
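To make the source-to-sink flow concrete, here is an added, constructed example; it is not LoadDRP code and not taken from any analyzed project. A loader reads a serialized "model config" from an untrusted path and hands the bytes to `pickle.load`, which resolves and calls whatever global the stream names (the classic Load4Shell-style path). The same blob is then fed to a restricted unpickler that refuses every global, and a data-only JSON loader with schema checks is shown as the hardened alternative. The names `sink`, `MaliciousConfig`, `RestrictedUnpickler`, the `load_config_*` functions and the `REQUIRED_KEYS` schema are all assumptions made for this demonstration; `sink` is a benign recorder standing in for `os.system` so the example has no side effects.

```python
"""Toy illustration of the flow LoadDRP looks for: bytes from an untrusted
resource reach a code-execution sink inside a loader.

Added example, not LoadDRP code. Loader names, RestrictedUnpickler, the
sample payload and REQUIRED_KEYS are constructed for this demonstration.
"""
import io
import json
import pickle

# Records calls reaching the "sink". A real payload would name os.system,
# subprocess.Popen, builtins.eval, ...; a recorder keeps the demo harmless.
SINK_CALLS = []


def sink(cmd):
    SINK_CALLS.append(cmd)
    return 0


class MaliciousConfig:
    """Object whose __reduce__ makes pickle call sink(...) on load. Any
    pickle.load() of its bytes therefore executes attacker-chosen code."""

    def __reduce__(self):
        return (sink, ("echo pwned",))


def build_untrusted_asset() -> bytes:
    # Constructed: what an attacker would upload as "model_config.pkl".
    return pickle.dumps(MaliciousConfig())


def load_config_unsafe(blob: bytes):
    # SOURCE: bytes of an untrusted resource -> SINK: pickle.load, which
    # resolves the global named in the stream and calls it.
    return pickle.load(io.BytesIO(blob))


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses to resolve any global, so reduce-callables cannot run."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_config_restricted(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


REQUIRED_KEYS = {"model_name", "hidden_size"}  # constructed schema


def load_config_json(blob: bytes) -> dict:
    """Hardened: data-only format plus schema validation; no path from the
    bytes to a callable."""
    cfg = json.loads(blob.decode("utf-8"))
    if not isinstance(cfg, dict) or not REQUIRED_KEYS <= set(cfg):
        raise ValueError("config missing required keys")
    if not isinstance(cfg["hidden_size"], int) or cfg["hidden_size"] <= 0:
        raise ValueError("hidden_size must be a positive int")
    return cfg


def json_rejects(blob: bytes) -> bool:
    try:
        load_config_json(blob)
    except (ValueError, UnicodeDecodeError):
        return True
    return False


def demo() -> dict:
    blob = build_untrusted_asset()
    SINK_CALLS.clear()
    load_config_unsafe(blob)          # the sink fires during deserialization
    unsafe_hits = list(SINK_CALLS)

    SINK_CALLS.clear()
    try:
        load_config_restricted(blob)  # same bytes, global lookup denied
        restricted_blocked = False
    except pickle.UnpicklingError:
        restricted_blocked = True
    return {
        "unsafe_sink_calls": unsafe_hits,
        "restricted_blocked": restricted_blocked,
        "restricted_sink_calls": list(SINK_CALLS),
        "json_ok": load_config_json(b'{"model_name": "m", "hidden_size": 16}'),
    }


if __name__ == "__main__":
    print(demo())
```

The point for detection is that nothing in `load_config_unsafe` looks dangerous in isolation; the vulnerability is the cross-function path from the resource bytes to `pickle.load`, which is exactly the kind of call chain a taint analysis has to follow rather than a single pattern match.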
LoadDRP has been tested in the following environment:
- Operating system: Ubuntu 22.04
- Python: 3.13
Clone this repository and run the setup script:
```bash
bash setup.sh
```
The script creates a Python virtual environment under pysa/tutorial and installs the required analysis dependencies, including pyre-check, fb-sapp, and django-stubs.
LoadDRP uses an LLM to help identify source functions. Before running the analysis, copy .env.example to .env and configure your API key:
```bash
cp .env.example .env
```
Then edit .env:
```
SILICONFLOW_API_KEY=your_api_key
```
Do not commit .env to GitHub. The repository keeps .env.example as a safe template.
By default, the LLM client in src/LLM_agent.py reads SILICONFLOW_API_KEY from the environment and calls the SiliconFlow chat-completions API with the Pro/deepseek-ai/DeepSeek-V3 model. Update the endpoint, model, or authentication logic in that file if you use a different provider.
Run LoadDRP from the src directory and pass the target project directory as an argument:
```bash
cd src
python main.py /path/to/target/project
```
For example:
```bash
cd src
python main.py ../example_project
```
For each analyzed target, LoadDRP writes results to:
```
src/rce_data_result/<target_project_name>/
```
Typical output files include:
- final_result.txt: final call-chain analysis results.
- filtered_result.txt: filtered analysis results after post-processing.
- cost.txt: total analysis time, LLM call count, token usage, and estimated cost.
- pysa-runs/: Pysa and SAPP intermediate analysis artifacts.
The repository also includes analyze_data/, which contains example analysis outputs for several open-source projects. Confirmed public issue reports for real-world findings are stored separately in real_world_findings/.
The repository includes a lightweight version of Load4Shell_dataset/, which collects metadata for Load4Shell-style vulnerabilities in AI/ML frameworks and related model-supply-chain components.
Each vulnerability entry follows this structure:
```text
Load4Shell_dataset/
└── CVE-2017-16615/
    ├── metadata.json
    └── MLAlchemy-0.2.1/
        └── README.md
```
The dataset keeps only the vulnerability metadata and a placeholder directory for the affected upstream project version. Full upstream source trees are intentionally not bundled in this repository to keep the checkout small.
For each entry:
- metadata.json records the vulnerability identifier, affected repository, version/tag, source function, sink function, vulnerability category, and relevant source-code location.
- <project-version>/README.md explains where to download the corresponding upstream source from GitHub and points to the relevant file paths listed in metadata.json.
- If full source snapshots are needed, use the corresponding GitHub tag/archive link in the entry README, or download Load4Shell_dataset.zip if it is provided with the project release.
The dataset also contains a summary spreadsheet:
Load4Shell_dataset/Load4shell.xlsx: a summary table of the collected vulnerabilities and related metadata.
If your editor cannot preview .xlsx files directly, install an Excel preview extension for VS Code or convert the table to CSV for easier browsing and diffing.
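The entry layout above is simple enough to check mechanically. The following is an added example, not code from the LoadDRP repository: it walks a Load4Shell_dataset-style tree, validates that every entry directory has a readable metadata.json, the fields the README lists, and exactly one `<project-version>/` placeholder directory, and emits one CSV row per entry for diffing. The JSON key names in `REQUIRED_FIELDS` are an assumption that mirrors the attributes named above; the real files may use different keys, so adjust that tuple. The fixture it builds uses the README's example directory names with clearly placeholder field values and is constructed for the demonstration only.

```python
"""Validate a Load4Shell_dataset-style tree and export its metadata as CSV.

Added example, not LoadDRP code. REQUIRED_FIELDS are assumed key names;
the sample dataset built in build_sample_dataset() is a constructed fixture.
"""
import csv
import io
import json
import os
import tempfile

REQUIRED_FIELDS = (
    "id", "repository", "version", "source_function",
    "sink_function", "category", "location",
)


def load_entries(root):
    """Return (rows, problems). Each entry dir is expected to hold
    metadata.json and one <project-version>/ placeholder directory."""
    rows, problems = [], []
    for name in sorted(os.listdir(root)):
        entry_dir = os.path.join(root, name)
        if not os.path.isdir(entry_dir):
            continue  # skip Load4shell.xlsx and other non-entry files
        meta_path = os.path.join(entry_dir, "metadata.json")
        if not os.path.isfile(meta_path):
            problems.append(f"{name}: missing metadata.json")
            continue
        try:
            with open(meta_path, encoding="utf-8") as fh:
                meta = json.load(fh)
        except (OSError, ValueError) as exc:
            problems.append(f"{name}: unreadable metadata.json ({exc})")
            continue
        if not isinstance(meta, dict):
            problems.append(f"{name}: metadata.json is not a JSON object")
            continue
        missing = [f for f in REQUIRED_FIELDS if not meta.get(f)]
        if missing:
            problems.append(f"{name}: missing fields {missing}")
            continue
        if meta["id"] != name:
            problems.append(f"{name}: id {meta['id']!r} does not match directory")
            continue
        placeholders = [d for d in os.listdir(entry_dir)
                        if os.path.isdir(os.path.join(entry_dir, d))]
        if len(placeholders) != 1:
            problems.append(f"{name}: expected one <project-version>/ dir, found {placeholders}")
            continue
        row = {f: meta[f] for f in REQUIRED_FIELDS}
        row["placeholder_dir"] = placeholders[0]
        rows.append(row)
    return rows, problems


def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(REQUIRED_FIELDS) + ["placeholder_dir"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def build_sample_dataset(root):
    """Constructed fixture: one well-formed entry (README's example directory
    names, placeholder metadata values) and one entry with missing fields."""
    good = os.path.join(root, "CVE-2017-16615")
    os.makedirs(os.path.join(good, "MLAlchemy-0.2.1"))
    with open(os.path.join(good, "metadata.json"), "w", encoding="utf-8") as fh:
        json.dump({
            "id": "CVE-2017-16615",
            "repository": "<upstream GitHub repository>",
            "version": "<tag>",
            "source_function": "<untrusted-resource loader>",
            "sink_function": "<deserialization sink>",
            "category": "<vulnerability category>",
            "location": "<file>:<line>",
        }, fh)
    with open(os.path.join(good, "MLAlchemy-0.2.1", "README.md"), "w") as fh:
        fh.write("Download the upstream tag archive from GitHub.\n")
    bad = os.path.join(root, "EXAMPLE-BROKEN")
    os.makedirs(bad)
    with open(os.path.join(bad, "metadata.json"), "w") as fh:
        json.dump({"id": "EXAMPLE-BROKEN"}, fh)
    open(os.path.join(root, "Load4shell.xlsx"), "wb").close()


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_dataset(root)
        rows, problems = load_entries(root)
        return rows, problems, to_csv(rows)


if __name__ == "__main__":
    rows, problems, text = demo()
    print(text)
    for p in problems:
        print("PROBLEM:", p)
```

Pointing `load_entries` at a real checkout instead of the fixture gives a quick consistency check between the per-entry metadata and the summary spreadsheet, and the CSV output diffs cleanly in version control.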
The repository includes baseline artifacts under baselines/ for reproducing and inspecting the comparison experiments.
- baselines/baseline_comparison.csv: supplementary comparison table for LoadDRP and baseline tools, including Snyk, CodeQL-default, CodeQL-custom, and Copilot.
- baselines/codeql_custom/: custom CodeQL queries used for the CodeQL-custom baseline.
- baselines/codeql_custom/simple.ql: combined taint-tracking query for selected sources, sinks, and additional flow steps.
- baselines/codeql_custom/jinja.ql: focused Jinja2 template-flow query.
These files are evaluation artifacts rather than part of the main LoadDRP analysis pipeline.
The prompts used for LLM-assisted source identification are provided in:
- llm_prompt.txt: main prompt used by LoadDRP.
- llm_baseline_prompt.txt: prompt used for the LLM baseline.
```text
LoadDRP/
├── analyze_data/              # Example analysis outputs
├── baselines/                 # Baseline comparison table and custom CodeQL queries
│   ├── baseline_comparison.csv
│   └── codeql_custom/
├── real_world_findings/       # Public issue links for confirmed findings
├── Load4Shell_dataset/        # Lightweight vulnerability metadata dataset
│   ├── Load4shell.xlsx        # Summary table for dataset entries
│   └── <CVE-or-advisory>/     # Per-vulnerability metadata and source placeholder
├── src/                       # Core implementation
│   ├── main.py                # Analysis entry point
│   ├── LLM_agent.py           # LLM prompt construction and API calls
│   ├── batch.py               # Call-chain extraction and preprocessing
│   ├── anal_pysa.py           # Pysa/SAPP result analysis
│   ├── filter.py              # Result filtering utilities
│   ├── sensitive_APIs.py      # Sensitive API definitions
│   ├── sources_sinks.pysa     # Pysa source/sink rules
│   └── taint.config           # Taint-analysis configuration
├── llm_prompt.txt             # Main LLM prompt
├── llm_baseline_prompt.txt    # Baseline LLM prompt
├── requirements.txt           # Python package requirements
├── .env.example               # Environment variable template
├── setup.sh                   # Environment setup script
└── readme.md                  # Project documentation
```
- Ensure that the target project is a Python project accessible from the local filesystem.
- The first run may take longer because Pysa/SAPP dependencies and analysis artifacts need to be prepared.
- LLM-based source identification requires network access and a valid API key. Because it works by sending prompts about the target project's functions to the configured third-party provider, confirm that this is acceptable before running LoadDRP on proprietary or otherwise sensitive code.