Project

Scalable Static Analyses to Automatically Find Vulnerabilities in Code

Code
bof/baf/4y/2024/01/068
Duration
01 January 2024 → 31 December 2025
Funding
Regional and community funding: Special Research Fund
Research disciplines
  • Natural sciences
    • Computer system security
    • System software and middleware
    • Language processors
Keywords
scalable analysis, automatic vulnerability identification, static analysis, low-level code
 
Project description

Many low-level code bases (such as the Linux kernel and OpenSSL) are security-sensitive, but they are unfortunately also complex and contain bugs. One way to find bugs in such code bases is to define rules and patterns for code, and then scan the code base for violations of them. However, such complex code bases often depend on many unwritten rules and assumptions that are never documented. Developers might not even explicitly know all these rules themselves. As a consequence, they cannot write all these rules down. While some techniques exist that try to automatically derive such rules from a given code base, they are slow and scale badly: developers would not be able to use them at all. In this project, we will research new techniques to statically derive such unwritten rules from complex code bases and then find violations of these rules. The focus will be on techniques that are scalable enough that developers can easily run them themselves.