opoka | 1 month ago
You're correct that ORMs work correctly 99.9% of the time. That's exactly the point. The paper argues that "correct 99.9% of the time" isn't a security model. When we analyzed ORM-related CVEs, 88% were Interface Hazards: vulnerabilities that exist because the string layer underneath is still reachable. Custom SQL extensions (like you mention), raw query escapes, edge cases in query generation. The ORM does its job until it doesn't — and when it doesn't, the hazard manifests identically to not having an ORM at all.
The existence of any ORM CVEs proves the thesis: mitigation layers cannot fix a broken protocol. They reduce attack surface, they don't eliminate the hazard. A type-safe interface would make these CVEs impossible by construction — there would be no string layer to escape to.
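As an added illustration of the "interface hazard" the comment describes (this is example code, not from the paper or any ORM project): the same lookup through a hypothetical raw-string escape hatch and through a bound-parameter interface, run against a constructed in-memory SQLite table. `find_raw`, `find_bound`, `where_eq` and the sample rows are all assumptions made for the example.

```python
import sqlite3

# Constructed sample table standing in for an ORM-backed model.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("o'neil", "user")])
    return conn

def find_raw(conn, name):
    """Hypothetical 'raw query' escape hatch: the string layer is reachable,
    so caller input becomes part of the SQL text itself."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return sorted(r[0] for r in conn.execute(sql))

def find_bound(conn, name):
    """Parameter binding: the value travels out of band and is never parsed
    as SQL, whatever characters it contains."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(r[0] for r in rows)

# Hypothetical "typed interface": column names come from a closed set and
# values are always bound, so there is no string layer left to reach.
ALLOWED_COLUMNS = {"name", "role"}

def where_eq(conn, column, value):
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"unknown column: {column!r}")
    rows = conn.execute(f"SELECT name FROM users WHERE {column} = ?", (value,))
    return sorted(r[0] for r in rows)

def compare(name):
    """Run both paths on the same input; report a raw-path failure as a string
    instead of letting the exception escape, so results are easy to compare."""
    conn = make_db()
    try:
        raw = find_raw(conn, name)
    except sqlite3.Error as e:
        raw = f"error: {type(e).__name__}"
    return {"raw": raw, "bound": find_bound(conn, name)}
```

A benign name containing a quote (`o'neil`) already breaks the raw path while the bound path returns the right row; an input that carries SQL widens the raw result set and is treated as a literal string by the bound one, which is the "manifests identically to not having an ORM" point in practice.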