TMV-ORCA: TLS & Lyman-α Tomography

• TMV-ORCA is a dual-domain framework that automates TLS vulnerability analysis in Android via dynamic instrumentation and LLM-based classification, while also optimizing 3D Lyman-α reconstructions using constrained multiscale annealing.
• For TLS, the system deploys ART-TI with live MitM probes to capture detailed calling contexts, achieving classification precision of up to 0.97 for vulnerability taxonomy assignment.
• For cosmology, the ORCA algorithm minimizes voxel RMS error by 10–20% compared to Wiener filters, ensuring physical constraints on absorption and enhanced computational efficiency with GPU-based solvers.

TMV-ORCA denotes a class of methods and frameworks in two distinct domains: (1) attribution and root-cause analysis of Transport Layer Security Man-in-the-Middle vulnerabilities in Android applications, and (2) the Optimized Reconstruction with Constraints on Absorption (ORCA) algorithm for Lyman-α forest tomography when the pipeline incorporates a Transfer-Matrix Variance (TMV) approach. This article provides a technical overview of both uses, their algorithms, evaluation metrics, taxonomy, and applications, as documented in recent peer-reviewed literature (Yang et al., 30 Jan 2026, Li et al., 2021).

1. TMV-ORCA for TLS Man-in-the-Middle Vulnerabilities in Android

TMV-ORCA is the attribution and analysis component within the Okara framework, developed to automate the localization, categorization, and attribution of TLS Man-in-the-Middle (MitM) vulnerabilities in Android applications. The methodology integrates dynamic instrumentation with a LLM-based code classifier to systematically analyze discovered TLS validation pathways and identify their root causes (Yang et al., 30 Jan 2026).

1.1 Architectural Modules

TMV-ORCA consists of two synergistic modules:

• Dynamic Instrumentation & Trace Collection: Utilizes the Android Runtime Tooling Interface (ART-TI) to monitor Java class load events, immediately hooking TLS validation entry points such as X509TrustManager.checkServerTrusted, HostnameVerifier.verify, and WebViewClient.onReceivedSslError. It records full calling contexts for each observed TLS flow, including certificate chains, hostnames or URLs, stack traces, and outcome status. Live MitM probes further disambiguate execution paths.
• Vulnerable Code Classification: Extracts the hooked method's code snippet and interface type, forwarding them to an LLM-based classifier. The classifier assigns fine-grained labels from a bespoke taxonomy and outputs a structured mapping associating discovered issues to apps, FQDNs, code snippets, and taxonomy categories.

Both modules together automate the previously manual process of code localization and vulnerability taxonomy assignment at scale.

2. LLM-Based Vulnerable Code Classification

2.1 Input Representation and Prediction

Let $S = \{s_1, ..., s_N\}$ be the set of extracted code snippets and $Y$ the set of taxonomy labels ($|Y| \approx 20$). For snippet $s_i$, the input is $$x_i = \langle \text{code} = s_i, \text{interface} = I_i \rangle$$. The LLM parameterizes the conditional distribution $P(y \mid x_i; \theta)$, and predicted labels are $$\hat{y}_i = \operatorname{argmax}_{y \in Y} P(y \mid x_i; \theta)$$. Few-shot in-context learning using examples of the form $(x^{(j)}, y^{(j)})$ is used in practice.

An implicit feature extractor $\phi: s_i \mapsto \mathbb{R}^d$ projects code to an embedding vector; a linear classification head with softmax produces $$P(y \mid x_i) = \operatorname{softmax}(W \cdot \phi(x_i) + b)_y$$. Prompt engineering includes templates with an “Unknown” category to accommodate obfuscated or indeterminate code.

2.2 Taxonomy of TLS Validation Vulnerabilities

TMV-ORCA defines a hierarchical, interface-partitioned taxonomy, including:

• TrustManager ($X509TrustManager$)
  • T0: Secure TrustManager
  • T1: Empty TrustManager
  • T2: Non-empty but insecure TrustManager, with subcategories (e.g., T2-A: checks only certificate validity, T2-C: checks only subject fields, etc.)
  • TU: Unknown TrustManager
• WebViewClient ($onReceivedSslError$)
  • W0: Secure handling (e.g., handler.cancel())
  • W1: Unconditional ignore (handler.proceed())
  • W2: Conditional ignore (with subtypes: user dialogs, error-specific, state-dependent)
  • WU: Unknown WebViewClient
• HostnameVerifier
  • H0: Secure verify()
  • H1: Always returns true
  • H2: Flawed logic (H2-A: compares input hostname, H2-B: partial match)
  • HU: Unknown HostnameVerifier

Snippet-to-label mapping is direct: $label(s_i) = \hat{y}_i \in Y$.

3. Attribution Methodology and Pipeline

3.1 Trace-to-Vulnerability Correlation

For each execution trace tuple $$\tau = (\text{appID}, \text{FQDN}, m, c, \text{accept/reject})$$ and set $D_{vuln}$ of vulnerable FQDNs from TMV-Hunter:

• Hostname correlation: $m$ receives a hostname $d$ and $d \in D_{vuln}$
• Certificate correlation: Match Common Name and SANs in $c$ to $D_{vuln}$, accommodating wildcards
• Live MitM probe: When multiple domains share a certificate, only code paths accepting invalid certs under MitM are considered vulnerable

3.2 Third-Party Library Attribution

The procedure identifies the responsible party for each snippet via package prefix aggregation:

1. Extract package prefix $p$ from $m$
2. Cross-reference $p$ against known app-local prefixes
3. Prefixes present in $\geq 2$ apps are library candidates
4. Manual mapping via SDK index or code search assigns a library name
5. Assign $$responsible\_party(m) \in \{\text{app developer}, \text{library name}\}$$

Pseudocode:

for each code snippet s_i: p ← package_prefix(s_i) if p ∈ ThirdPartyPrefixes: owner_i ← lookupLibrary(p) else: owner_i ← "app developer"

4. Evaluation and Empirical Results

4.1 Locator Coverage Metrics

Key metrics for code localization coverage include:

Metric	Definition	Observed Value
$C_\text{FQDN}$	Fraction of vulnerable FQDNs with located root cause code snippets: $$C_\text{FQDN} = |{d: located\_code(d)} \cap D_{vuln}| / |D_{vuln}|$$	$\approx 30.3\%$
$C_\text{flow}$	Fraction of vulnerable TLS flows with code localization: $$C_\text{flow} = |{flow~f: located\_code(f)} \cap F_{vuln}|/|F_{vuln}|$$	$\approx 10.3\%$
App-All	Fraction of apps where all vulnerabilities are explained by code localization	$9\%$
App-One	Fraction with at least one explained issue	$43\%$

4.2 Classifier Accuracy

On a held-out set of 365 manually labeled snippets:

Category	Precision	Recall	$F_1$ Score
All	0.97	0.97	0.97
T2 Subcategories	0.92	0.90	0.90
W2 Subcategories	0.96	0.95	0.95
H2 Subcategories	1.00	0.88	0.94

4.3 Real-World Attributions

• Total vulnerable apps detected: 8,374
• Code snippets located: 8,065 (3,904 unique classes)
• Third-party origin: $\approx 41\%$ of snippets, affecting 48.98% of vulnerable apps and 28.9% of vulnerable FQDNs
• Most prevalent third-party libraries include JPush (Aurora SDK), UMeng+, Baidu Map SDK, and Bugly (Tencent)
• Example T2-A snippet:

  public void checkServerTrusted(X509Certificate[] chain, String authType) { chain[0].checkValidity(); return; }

5. Limitations and Prospective Enhancements

5.1 Known Limitations

• Java-only coverage: No visibility into native (C/C++, e.g. libcurl) TLS logic
• Dynamic-only analysis: Paths unexercised by GUI agent are not analyzed
• App anti-instrumentation defense may hinder analysis
• Manual effort required for novel library/prefix mapping

5.2 Future Directions

• Incorporate eBPF or low-overhead native hooks for native TLS logic
• Symbolic/concolic execution to increase code path exploration
• Semi-automated library mapping by code similarity search
• LLM fine-tuning for improved taxonomy assignment
• iOS extension to Objective-C and related API categories

6. TMV-ORCA: Optimized Reconstruction with Constraints on Absorption

In cosmological large-scale structure tomography, TMV-ORCA denotes a variant of ORCA employing a Transfer-Matrix Variance scheme in multiscale annealing pipelines (Li et al., 2021). ORCA optimizes the voxelized 3D Lyman-α flux field reconstruction given absorption constraints, outperforming Wiener filter baselines.

6.1 Mathematical Formulation

• Let $d \in \mathbb{R}^{N_d}$: observed, continuum-normalized Lyman-α transmitted flux along all sight lines ($d_i = F_i/\langle F \rangle - 1$)
• Let $s \in \mathbb{R}^{N_s}$: binned 3D flux contrast (voxelized field)
• Linear model: $d = R s + n$ ($R$: skewer-selector, $n \sim \mathcal{N}(0, N)$)
• ORCA finds $s$ minimizing:

$J(s) = \chi^2(s) + \lambda\, C(s)$

• $\chi^2(s) = (d - R s)^\top N^{-1}(d - R s)$
• Absorption constraint penalty:

$$C(s) = \sum_{j=1}^{N_s} \left[ \max(0, s_j - 1) + \max(0, \alpha - s_j) \right]$$

• Regularization parameters $k_1,k_2,k_3,\alpha$ selected empirically.

6.2 Algorithmic Implementation

• Composite multiscale loss:

$$\mathcal{L}(s) = k_1\|S_m s - s\|^2 + \chi^2(s) + k_2\sum \max(0, s-1) + k_3 \sum \max(0, \alpha - s)$$

• Gaussian smoothing $S_m$, with “annealing” (start with large scale, decrease to fine).
• Solver: L-BFGS (quasi-Newton), gradient by automatic differentiation.

6.3 Performance Metrics and Empirical Results

Metric	WF Baseline	ORCA
Voxel RMS error	Reference	Reduced by 10–20%
Void overlap fraction	55.9%	58.0%
Equivalent ∆sight-lines	—	+30–40%

On CLAMATO survey data, ORCA identified voids with 70.5% overlap to WF catalog and matched mock redshift-space void fractions.

6.4 Physical Impact and Limitations

• By enforcing $0 < s < 1$, ORCA eliminates non-physical “overshoots,” yielding improved reconstructions in under- and over-dense regions.
• Computational efficiency: GPU L-BFGS is 10–100× faster than PCG Wiener methods for the same voxel grid.
• Limitation: Constraints are less effective as sight-line density decreases ($$\langle d_{LOS} \rangle \gtrsim 5\, h^{-1}\,\text{Mpc}$$), with behavior reverting to WF-like.

7. Summary

TMV-ORCA encompasses advanced methods for vulnerability attribution in Android TLS logic and for regularized 3D reconstruction in cosmological Lyman-α tomography. Both domains leverage algorithmic innovations—LLMs and quasi-Newton optimizers respectively—to outperform traditional baselines, automate complex root-cause analyses, and facilitate large-scale, systematic research and remediation (Yang et al., 30 Jan 2026, Li et al., 2021).