Can LLMs Patch Security Issues?

Kamel Alrashedy,Abdullah Aljasser,Pradyumna Tambwekar,Matthew Gombolay
2024-10-16
Abstract:Large Language Models (LLMs) have shown impressive proficiency in code generation. Unfortunately, these models share a weakness with their human counterparts: producing code that inadvertently has security vulnerabilities. These vulnerabilities could allow unauthorized attackers to access sensitive data or systems, which is unacceptable for safety-critical applications. In this work, we propose Feedback-Driven Security Patching (FDSP), where LLMs automatically refine generated, vulnerable code. Our approach leverages automatic static code analysis to empower the LLM to generate and implement potential solutions to address vulnerabilities. We address the research communitys needs for safe code generation by introducing a large-scale dataset, PythonSecurityEval, covering the diversity of real-world applications, including databases, websites and operating systems. We empirically validate that FDSP outperforms prior work that uses self-feedback from LLMs by up to 17.6% through our procedure that injects targeted, external feedback. Code and data are available at \url{<a class="link-external link-https" href="https://github.com/Kamel773/LLM-code-refine" rel="external noopener nofollow">this https URL</a>}
Cryptography and Security,Machine Learning
What problem does this paper attempt to address?
The problem that this paper attempts to solve is: **How to use large - language models (LLMs) to automatically fix security vulnerabilities in generated code**. Specifically, researchers are concerned that although current LLMs perform well in code generation, the code they generate may contain security vulnerabilities, which may allow unauthorized attackers to access sensitive data or systems, and this is unacceptable in critical applications. To address this challenge, the authors propose the **Feedback - Driven Security Patching (FDSP)** method. FDSP improves the code generated by LLMs through the following steps: 1. **Code Generation**: LLMs generate Python code based on natural - language descriptions. 2. **Code Testing**: Use static code analysis tools (such as Bandit) to detect potential security vulnerabilities in the generated code. 3. **Generate Potential Solutions**: LLMs generate multiple possible repair solutions based on the feedback provided by static code analysis tools. 4. **Code Optimization**: Feed each potential solution and the original vulnerable code back to the LLMs multiple times for further optimization until there are no more security issues in the code. In addition, the authors also introduce a large - scale dataset named **PythonSecurityEval**, which covers code examples in various real - world applications, including databases, websites, and operating systems, etc. Through this dataset, researchers can more comprehensively evaluate the ability of LLMs to generate secure code. In summary, the main contributions of this paper include: - Proposing the FDSP method, enabling LLMs to automatically generate code to repair security vulnerabilities based on the feedback from static code analysis tools. - Constructing the PythonSecurityEval dataset for evaluating the ability of LLMs to generate secure code. - Experimental verification shows that FDSP outperforms existing self - feedback methods in terms of fixing security vulnerabilities, with an improvement of up to 17.6%. Through this method, researchers hope to improve the security of code generated by LLMs, so as to be better applied in actual development scenarios.