DeepCode AI Fix: Fixing Security Vulnerabilities with Large Language Models

Berkay Berabi, Alexey Gronskiy, Veselin Raychev, Gishor Sivanrupan, Victor Chibotaru, Martin Vechev
2024-02-20
Abstract: The automated program repair field has attracted substantial interest over the years, but despite significant research efforts, creating a system that works well for complex semantic bugs such as security vulnerabilities has proven difficult. A promising direction to solve this challenge is by leveraging large language models (LLMs), which are increasingly used to solve various programming tasks. In this paper, we investigate the effectiveness of LLMs for solving the code-repair task. We show that the task is difficult as it requires the model to learn long-range code relationships, a task that inherently relies on extensive amounts of training data. At the same time, creating a large, clean dataset for complex program bugs and their corresponding fixes is non-trivial. We propose a technique to address these challenges with a new approach for querying and fine-tuning LLMs. The idea is to use program analysis to limit the LLM's attention mechanism to the portions of code needed to perform the fix, drastically reducing the amount of required training data. Concretely, for training and inference, rather than feeding the entire program to the LLM, we reduce its code to a much shorter snippet that contains the reported defect together with the necessary context, and use that instead. Our evaluation shows that this code reduction approach substantially improves available models such as GPT-4 using few-shot learning, as well as fine-tuned models. To train and evaluate our system, we created a comprehensive code fixing dataset by extensively labeling 156 bug patterns (including 40 security rules) that require complex interprocedural dataflow to discover. Our best system with Mixtral-8x7B can remove more than 80% of the reported defects while exactly matching the human fix in between 10 and 50% of cases, outperforming baselines based on GPT-3.5 and GPT-4, or based on window-based models like TFix.
Cryptography and Security, Machine Learning, Software Engineering, Programming Languages
What problem does this paper attempt to address?
The paper addresses automated program repair, and specifically how to make large language models (LLMs) effective at repairing complex semantic bugs such as security vulnerabilities. It focuses on two key challenges:

1. **Training data is hard to obtain.** For complex program bugs, it is very difficult to build a large, clean dataset that pairs buggy code with its fixed version. The history of open-source projects is a rich resource, but extracting valid fix samples from it is not straightforward: in many cases a code change makes the analyzer's report disappear without actually fixing the underlying problem, so commits cannot simply be taken as ground truth.

2. **Long-range dependencies must be learned.** Fixing a semantic bug usually requires understanding relationships between parts of the code that are far apart (for example, where a tainted value is produced and where it is consumed). The model's attention has to learn these long-range relationships, and that in turn needs a large amount of training data, which, as above, is hard to obtain. Even with such data, existing LLMs have practical limits on long inputs, such as the maximum input length and the number of output tokens.

To address these challenges, the paper proposes combining static code analysis with code reduction (CodeReduce): rather than feeding the whole program to the LLM, the program is cut down to a short snippet containing the reported defect and only the context needed to fix it, and that snippet is used both for fine-tuning and at inference time. This reduces the amount of training data required and makes the long-range relationships local to the snippet, which improves the accuracy of the repairs. Note that the two headline metrics in the abstract measure different things: "removing the reported defect" means the analyzer no longer reports it, a weaker criterion than exactly matching the human-written fix, which is why the two numbers differ so much.
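The code reduction described above, as an added illustration that is not the authors' CodeReduce or DeepCode AI Fix code: the paper reduces with its analyzer's interprocedural dataflow, whereas this stand-in is a much simpler intra-procedural backward slice over Python's `ast` module. The sample handler, the defect line, and the helper names (`slice_lines`, `reduce_to_defect`) are constructed for the example. Starting from the reported statement, it walks backwards keeping every statement whose result the defect transitively reads, the headers of the blocks those statements sit in, the enclosing `def`, and the imports the slice still references; everything else (here `log`, `limit`, `greeting`) is dropped.

```python
import ast
from typing import List, Set, Tuple

# Constructed sample program, not taken from the paper or its dataset. The
# reported defect is the SQL query built from request input and executed on
# the `cur.execute(query)` line; `log`, `limit` and `greeting` are noise.
SAMPLE = '''\
import sqlite3
from flask import request

def handler():
    log = []
    limit = 50
    name = request.args.get("name", "")
    if len(name) > 40:
        name = name[:40]
    log.append("start")
    greeting = "hi"
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    log.append(greeting)
    conn = sqlite3.connect("app.db")
    cur = conn.cursor()
    cur.execute(query)
    return cur.fetchall()
'''
DEFECT_LINE = SAMPLE.splitlines().index("    cur.execute(query)") + 1  # 1-indexed

def _names(node: ast.AST, ctx: type) -> Set[str]:
    """Variable names in `node` that are read (ctx=ast.Load) or written (ctx=ast.Store)."""
    return {n.id for n in ast.walk(node)
            if isinstance(n, ast.Name) and isinstance(n.ctx, ctx)}

def _defs_uses(stmt: ast.stmt) -> Tuple[Set[str], Set[str], bool]:
    """(written, read, is_mutation) for one simple statement. A bare method call on a
    local, e.g. `log.append(x)`, counts as a mutation of `log`: it reads and writes
    `log`, but earlier writes stay relevant, so it is not a fresh definition."""
    defs, uses = _names(stmt, ast.Store), _names(stmt, ast.Load)
    mutation = False
    if isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
        fn = stmt.value.func
        if isinstance(fn, ast.Attribute) and isinstance(fn.value, ast.Name):
            defs.add(fn.value.id)
            mutation = True
    return defs, uses, mutation

def _flatten(body: List[ast.stmt], parents: Tuple[ast.stmt, ...] = ()):
    """Simple statements in source order, each paired with its enclosing compound
    statements. Only the `body` of if/for/while/with without an else-branch is
    descended into; any other compound statement is treated as one opaque unit."""
    out = []
    for s in body:
        if isinstance(s, (ast.If, ast.For, ast.While, ast.With)) and not getattr(s, "orelse", []):
            out.extend(_flatten(s.body, parents + (s,)))
        else:
            out.append((s, parents))
    return out

def _header_uses(s: ast.stmt) -> Set[str]:
    """Names read by a compound statement's header (if-test, for-iterable, with-items)."""
    uses: Set[str] = set()
    for field, value in ast.iter_fields(s):
        if field == "body":
            continue
        for n in value if isinstance(value, list) else [value]:
            if isinstance(n, ast.AST):
                uses |= _names(n, ast.Load)
    return uses

def slice_lines(src: str, defect_line: int) -> List[int]:
    """1-indexed lines of `src` kept by an intra-procedural backward slice from
    `defect_line`, plus the enclosing `def` line and still-referenced imports."""
    mod = ast.parse(src)
    fn = max((n for n in ast.walk(mod)
              if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))
              and n.lineno <= defect_line <= n.end_lineno),
             key=lambda f: f.lineno)                      # innermost enclosing def
    stmts = _flatten(fn.body)
    idx = next(i for i, (s, _) in enumerate(stmts)
               if s.lineno <= defect_line <= s.end_lineno)
    kept: Set[int] = set(range(fn.lineno, fn.body[0].lineno))  # def header line(s)
    needed: Set[str] = set()
    for i in range(idx, -1, -1):                          # walk backwards from the defect
        stmt, parents = stmts[i]
        defs, uses, mutation = _defs_uses(stmt)
        if i == idx or defs & needed:
            if not mutation:
                needed -= defs                            # reaching definition found
            needed |= uses
            kept.update(range(stmt.lineno, stmt.end_lineno + 1))
            for p in parents:                             # control dependence
                kept.add(p.lineno)
                needed |= _header_uses(p)
    for node in mod.body:                                 # imports the slice still uses
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            bound = {a.asname or a.name.split(".")[0] for a in node.names}
            if bound & needed:
                kept.update(range(node.lineno, node.end_lineno + 1))
    return sorted(kept)

def reduce_to_defect(src: str, defect_line: int) -> str:
    """The reduced snippet: the kept lines of `src`, in their original order."""
    lines = src.splitlines()
    return "\n".join(lines[i - 1] for i in slice_lines(src, defect_line))

if __name__ == "__main__":
    print(reduce_to_defect(SAMPLE, DEFECT_LINE))
```

On the sample, the 17-line file shrinks to 10 lines: the imports, the `def`, the `name` assignment and the `if` that truncates it, the query construction, the connection and cursor, and the defect line itself. That is the "necessary context" of the abstract: the taint source, every transformation of the tainted value, and the sink, with the unrelated logging and constants gone. A real reducer also has to follow dataflow across function and file boundaries and to merge the model's fix back into the full program, neither of which this intra-procedural stand-in does.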