About
DST (Deterministic Security Testing) is a phoneme-based static analysis engine that proves vulnerabilities exploitable. It generates deterministic proof certificates: the exact payload, delivery method, and verification oracle for each finding.
The Phoneme Architecture
The name "phoneme" comes from linguistics — the smallest unit of sound that distinguishes meaning. In DST, a phoneme is the smallest unit of API behavior that distinguishes security semantics. mysql_query and pg_query sound different but mean the same thing: data goes to a database.

This decomposition makes DST language-neutral by ideology, not just architecture. Adding a new language is ~200 lines of phoneme mappings. The graph and verifiers are shared.

The same insight extends naturally to AI security: openai.chat.completions.create() is just another phoneme to classify.
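As an added illustration of the phoneme architecture (not DST's own code; the table contents, phoneme names, roles and sample flows are constructed assumptions), a thin per-language mapping table sits under one shared verifier that walks a data-flow path and reports when untrusted input reaches a sink phoneme with no sanitizer for that phoneme in between:

```python
# Added illustration of the phoneme idea above, not DST's code: each language
# gets a thin table mapping API names onto a shared vocabulary of phonemes, and
# one language-neutral verifier runs over that vocabulary. Table contents,
# phoneme names and the sample flows below are all constructed.

# Shared vocabulary: sink phoneme -> weakness class it implies.
SINK_CLASSES = {"DB_QUERY": "SQL injection", "LLM_PROMPT": "prompt injection"}

# Per-language mapping, API name -> (phoneme, role). Roles: "source" (untrusted
# data enters), "sink" (data reaches a sensitive consumer), "sanitizer"
# (neutralises data for the named sink phoneme). Adding a language means adding
# a table here; the verifier below is untouched.
PHONEMES = {
    "php": {
        "$_GET": ("UNTRUSTED_INPUT", "source"),
        "mysql_query": ("DB_QUERY", "sink"),
        "pg_query": ("DB_QUERY", "sink"),
        "intval": ("DB_QUERY", "sanitizer"),
    },
    "java": {
        "HttpServletRequest.getParameter": ("UNTRUSTED_INPUT", "source"),
        "Statement.executeQuery": ("DB_QUERY", "sink"),
        "Integer.parseInt": ("DB_QUERY", "sanitizer"),
    },
    "python": {
        "flask.request.args": ("UNTRUSTED_INPUT", "source"),
        "cursor.execute": ("DB_QUERY", "sink"),
        "openai.chat.completions.create": ("LLM_PROMPT", "sink"),
    },
}

def check_flow(lang, path):
    """Shared verifier over one data-flow path (ordered list of API names).
    Returns (sink_phoneme, weakness) when a source reaches a sink with no
    intervening sanitizer for that sink phoneme; otherwise None."""
    table = PHONEMES.get(lang, {})
    phonemes = [table.get(api, ("UNKNOWN", "passthrough")) for api in path]
    if len(phonemes) < 2 or phonemes[0][1] != "source" or phonemes[-1][1] != "sink":
        return None
    sink = phonemes[-1][0]
    if any(role == "sanitizer" and ph == sink for ph, role in phonemes[1:-1]):
        return None
    return sink, SINK_CLASSES.get(sink, "unclassified sink")

if __name__ == "__main__":
    # Constructed flows: one verifier, three languages, one table each.
    print(check_flow("php", ["$_GET", "mysql_query"]))
    print(check_flow("java", ["HttpServletRequest.getParameter", "Integer.parseInt", "Statement.executeQuery"]))
    print(check_flow("python", ["flask.request.args", "openai.chat.completions.create"]))
```

Swapping the table for another language leaves check_flow unchanged, which is the property the section describes.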
The Numbers
| Benchmark | Result |
|---|---|
| OWASP BenchmarkJava (SQLi) | 92.7% (100% TPR, 7.3% FPR) |
| OWASP BenchmarkJava (all 2,740 files) | 83.7% composite |
| OWASP weakrand/crypto/hash/securecookie | 100/100 (0% FPR) |
| NIST Juliet Java | 100% (103/103 CWE categories) |
| Real-app false positive rate | 2.1% (Apache Shiro) |
| CWE properties checked per file | 783 |
| Languages | 10 |
Who Built This
Built by Nathaniel Prewett in Lafayette, Indiana, collaborating with AI instances across multiple sessions. The key insight was the phoneme architecture: decompose code into universal semantic shapes, build a graph, let the graph be the detection engine.
Open Source
DST is open source under the MIT license. View on GitHub.