Late Lucid Lectures Guild

Science, softly spoken.

Generative AI

  • Harnessing LLMs for Automated Vulnerability Validation: A New Era in Cybersecurity

    Automated Vulnerability Validation and Verification: A Large Language Model Approach

    By Alireza Lotfi, Charalampos Katsis, Elisa Bertino

    DOI https://doi.org/10.48550/arXiv.2509.24037

    Abstract

    Software vulnerabilities remain a critical security challenge, providing entry points for attackers into enterprise networks. Despite advances in security practices, the lack of high-quality datasets capturing diverse exploit behavior limits effective vulnerability assessment and mitigation. This paper introduces an end-to-end multi-step pipeline leveraging generative AI, specifically large language models (LLMs), to address the challenges of orchestrating and reproducing attacks to known software vulnerabilities. Our approach extracts information from CVE disclosures in the National Vulnerability Database,augments it with external public knowledge (e.g., threat advisories, code snippets) using Retrieval-Augmented Generation (RAG), and automates the creation of containerized environments and exploit code for each vulnerability. The pipeline iteratively refines generated artifacts, validates attack success with test cases, and supports complex multi-container setups. Our methodology overcomes key obstacles, including noisy and incomplete vulnerability descriptions, by integrating LLMs and RAG to fill information gaps. We demonstrate the effectiveness of our pipeline across different vulnerability types, such as memory overflows, denial of service, and remote code execution,spanning diverse programming languages, libraries and years. In doing so, we uncover significant inconsistencies in CVE descriptions, emphasizing the need for more rigorous verification in the CVE disclosure process. Our approach is model-agnostic, working across multiple LLMs, and we open-source the artifacts to enable reproducibility and accelerate security research. To the best of our knowledge, this is the first system to systematically orchestrate and exploit known vulnerabilities in containerized environments by combining general-purpose LLM reasoning with CVE data and RAG-based context enrichment.

    Introduction

    Software vulnerabilities have been exploited in high-profile cyberattacks, leading to significant security breaches. For instance, the Clop Ransomware Attack and issues in the Ivanti VPN have highlighted how easily attackers can capitalize on unaddressed vulnerabilities. Despite many vulnerabilities being disclosed monthly, effectively assessing their potential for exploitation is hampered by a lack of comprehensive information on how these vulnerabilities behave. Thus, the paper outlines a solution centered around automating the reproduction of attacks on software vulnerabilities to deepen understanding and improve defenses.

    Problem Scope

    The authors focus on creating automated methods for reproducing known vulnerabilities (CVE entries). Their pipeline aims to:

    1. Generate containerized environments to safely execute attacks.
    2. Automate the setup of these environments, including necessary software components.
    3. Create exploitation code for actual attack execution.

    Challenges

    Several challenges obstruct the progress in this area:

    • Vulnerability descriptions are often unclear and inconsistent.
    • Disclosures frequently lack details on how exploits function.
    • There is a general scarcity of public exploit code available for many vulnerabilities.

    Proposed Approach

    The proposed approach leverages LLMs in a structured multi-step pipeline to analyze CVE disclosures, extract critical information, and generate exploitable environments and code. The methodology also incorporates an iterative refinement process that improves the generated artifacts based on results from previous attempts. The system operates in containerized environments to ensure safe and reproducible testing.

    Key Findings

    1. Pipeline Effectiveness: The pipeline was tested on 102 CVEs spanning multiple programming languages and libraries, successfully reproducing 71 (approximately 70%) of them. This includes vulnerabilities that had no public proofs of concept available.

    2. Issues with CVE Descriptions: The study highlights substantial inconsistencies within the descriptions provided by the CVE. For successful attack reproductions, the quality of the information in these disclosures is critical. It indicates that better and more standardized reporting would benefit security researchers and practitioners.

    3. Integration of External Knowledge: By implementing Retrieval-Augmented Generation (RAG), the pipeline enriches its understanding beyond the raw CVE data, enhancing the context from which attack vectors can be derived.

    4. Containerization: The use of Docker containers allows for the creation of isolated environments needed to test vulnerabilities without the risks associated with running tests on live systems. This reduces the complexity of reproducing multi-step attacks.

    5. Open-Source Contribution: The authors have made their pipeline and generated artifacts openly available to encourage further research and reproducibility in vulnerability exploitation studies.

    Conclusion

    The paper concludes that their novel pipeline successfully addresses many challenges posed by software vulnerabilities while providing a robust framework for automating vulnerability validation and verification. The findings underline the importance of improving the quality of CVE disclosures and suggest areas for future work that could expand the pipeline’s capabilities into more complex scenarios, such as multi-step attacks.

    Future directions include better integration of concrete attack information to enhance CVE reports and the pursuit of tailored exploitations for proprietary systems. The study emphasizes that a combination of increased rigor in vulnerability documentation and refined detection methods can significantly bolster software security efforts.

  • Navigating Generative AI: Bangladeshi Journalists’ Insights and Challenges

    Generative Artificial Intelligence Adoption Among Bangladeshi Journalists: Exploring Journalists’ Awareness, Acceptance, Usage, and Organizational Stance on Generative AI

    By H. M. Murtuza, Md Oliullah

    DOI https://doi.org/10.48550/arXiv.2511.10862

    Abstract

    Newsrooms and journalists across the world are adopting Generative AI (GenAI).Drawing on in-depth interviews with 23 journalists, this study identifies Bangladeshi journalists’ awareness, acceptance, usage patterns, and their media organizations’ stance toward Gen AI. This study finds Bangladeshi journalists’high reliance on Gen AI like their Western colleagues despite limited institutional support and the near absence of AI policy. Despite this contrast,concerns over Gen AI’s implications in journalism between the West and non-West were mostly identical. Moreover, this study contributes to the Unified Theory of Acceptance and Use of Technology (UTAUT) by proposing two changes regarding Gen AI adoption among journalists in non-Western settings. First, this study identifies the non-contribution of facilitating conditions in shaping behavioral intent in Gen AI adoption in non-Western contexts. Second, social influence works in a horizontal order through informal peer pressure or professional motivation in the absence of formal institutional hierarchical pressure. Voluntariness in the context of Bangladeshi journalists is underpinned by their professional compulsion. Therefore, this study contributes to understanding how contextual factors shape technology adoption trajectories in non-Western journalism.

    Summary of the Study on Generative Artificial Intelligence Adoption Among Bangladeshi Journalists

    Overview

    This academic paper explores how journalists in Bangladesh are adopting Generative Artificial Intelligence (AI) technologies, examining their awareness, acceptance, usage, and the stance of their organizations towards these technologies. Through interviews with 23 journalists, the study finds substantial reliance on AI despite limited institutional support and absence of formal policies for its use.

    Abstract Analysis

    The study reveals that Bangladeshi journalists use Generative AI similarly to their Western counterparts, despite the significant lack of institutional frameworks and AI policies in their newsrooms. The findings show that concerns regarding AI’s implications for journalism—such as accuracy and ethical issues—are consistent with those identified in Western contexts. The study also contributes to the Unified Theory of Acceptance and Use of Technology by suggesting modifications specific to non-Western contexts.

    Introduction Analysis

    The introduction sets the stage by noting the global emergence and significance of Generative AI, with specific reference to tools such as ChatGPT. It highlights how this new technology, capable of generating high-quality content using natural language processing, has altered journalism practices globally. Despite earlier AI tools being used, the innovative capabilities of Generative AI in content creation mark a notable shift in journalism.

    The paper emphasizes that while previous studies have focused largely on Western audiences, understanding the adoption of AI in non-Western, developing contexts like Bangladesh is crucial due to differing socio-economic conditions, technology accessibility, and institutional support levels.

    Methodology

    The researchers conducted semi-structured interviews with journalists from various levels of experience and different types of news organizations, including newspapers, online portals, and television. The qualitative data were analyzed through open, axial, and selective coding, allowing for a deep understanding of the themes related to AI adoption.

    Findings

    Awareness and Usage Patterns

    • Awareness: The journalists reported increasing awareness of Generative AI tools. Many learned about these tools informally from colleagues and peers.
    • Usage Patterns: AI is commonly used for various tasks including information gathering, scriptwriting, brainstorming, editing, and multimedia assistance. Notable tools mentioned include ChatGPT, Google Translate, and Grammarly.

    Benefits of AI Adoption

    1. Efficiency: Journalists noted a significant increase in efficiency and productivity, with many able to complete tasks more quickly using AI tools.
    2. Quality of Work: AI tools provide support in drafting and editing, improving overall content quality and helping to manage large volumes of information.
    3. Competitive Necessity: The pressure to adopt AI to stay competitive in the growing digital landscape was emphasized, with journalists feeling compelled to utilize AI to avoid falling behind.

    Concerns Over AI Integration

    • Accuracy and Reliability: Many journalists expressed concerns about the accuracy of AI outputs, noting that AI could sometimes provide outdated or misleading information.
    • Cognitive Impact: There were fears that reliance on AI could reduce critical thinking and creativity, making journalists overly reliant on technology for information and content generation.
    • Job Security: Concerns about potential job losses due to AI automation were prominent, particularly in a country with high unemployment rates.

    Institutional Stance

    The study found that most news organizations in Bangladesh did not have formal policies regarding the use of AI. The absence of institutional support for training and managing risks related to AI adoption represents a significant gap that contrasts sharply with practices in the West.

    Conclusion

    The research concludes that while Bangladeshi journalists are quickly adopting Generative AI, the lack of institutional guidance and structured policies raises ethical and operational concerns. It suggests that the adoption in Bangladesh operates under different motivations compared to the West, pertaining to professional necessities rather than organizational mandates. The study’s implications highlight the need for contextual adaptations of technology acceptance theories, particularly in developing regions.

    Proposed Modifications to UTAUT for Non-Western Contexts

    1. Facilitating Conditions: The role of institutional support may not be as critical as previously thought in predicting AI adoption.
    2. Social Influence: Informal peer pressures play a significant role in the adoption process within journalistic settings.
    3. Voluntary-Compulsion Spectrum: Journalists may adopt AI out of professional necessity rather than voluntary choice, reflecting the unique pressures of the Bangladeshi media landscape.

    In summary, this study emphasizes the complex dynamics of Generative AI adoption in Bangladeshi journalism, highlighting both the advancements and challenges faced by journalists in a developing country context.