ProSec: Fortifying Code LLMs with Proactive Security Alignment

Xiangzhe Xu, Zian Su, Jinyao Guo, Kaiyuan Zhang, Zhenting Wang, Xiangyu Zhang
2024-11-20
Abstract: Recent advances in code-specific large language models (LLMs) have greatly enhanced code generation and refinement capabilities. However, the safety of code LLMs remains under-explored, posing potential risks as insecure code generated by these models may introduce vulnerabilities into real-world systems. Previous work proposes to collect security-focused instruction-tuning datasets from real-world vulnerabilities. It is constrained by the data sparsity of vulnerable code, and has limited applicability in the iterative post-training workflows of modern LLMs. In this paper, we propose ProSec, a novel proactive security alignment approach designed to align code LLMs with secure coding practices. ProSec systematically exposes the vulnerabilities in a code LLM by synthesizing error-inducing coding scenarios from Common Weakness Enumerations (CWEs), and generates fixes to vulnerable code snippets, allowing the model to learn secure practices through advanced preference learning objectives. The scenarios synthesized by ProSec trigger 25 times more vulnerable code than a normal instruction-tuning dataset, resulting in a security-focused alignment dataset 7 times larger than the previous work. Experiments show that models trained with ProSec are 29.2% to 35.5% more secure compared to previous work, with a marginal negative effect of less than 2 percentage points on the model's utility.
Cryptography and Security, Computation and Language, Software Engineering
What problem does this paper attempt to address?
### Problems the paper attempts to solve

This paper aims to address the security issues of large language models (LLMs) for code generation. Although code-specific large language models have made significant progress in code generation and optimization, the insecure code generated by these models may introduce vulnerabilities and pose potential risks to real-world systems. Existing methods attempt to solve this problem by collecting security-focused instruction-tuning datasets from actual vulnerabilities, but these methods are limited by the scarcity of actual vulnerability data and have limited application in the post-training process of modern LLMs.

### Main contributions of the paper

1. **Propose a new post-training security alignment process**: This process systematically addresses the security risks in the code-generation process.
2. **Develop an automated pipeline**: The pipeline synthesizes proactive security-alignment data for a given programming language and vulnerability type.
3. **Release a synthesized vulnerability-inducing instruction dataset**: This dataset can effectively expose the weaknesses of code LLMs.
4. **Targeted security alignment**: Demonstrate that PROSEC can improve the ability of code LLMs to generate secure code without sacrificing code-generation capabilities, applicable to multiple models, languages, and vulnerability types.

### Method overview

#### 1. Background and problem definition

Suppose an organization decides to deploy a pre-trained and post-trained code LLM, but needs to incorporate certain security-related coding practices (e.g., input validation to prevent command injection) before use. For each programming language, there is a set of common problems (CWEs), and each problem has a set of good (secure) and bad (problematic) coding practices. The organization needs a paired dataset for alignment training, in which each data entry contains a coding instruction, a better-coded sample, and a sub-optimally coded sample.

#### 2. PROSEC's data-synthesis pipeline

PROSEC's data-synthesis pipeline is shown in Figure 1. It synthesizes error-inducing coding instructions from a standard instruction-tuning dataset, and then uses the code LLM to generate normal, vulnerable, and fixed code snippets. The alignment dataset contains fixed (win) and vulnerable (lose) code pairs, as well as normal (win) and fixed (lose) code pairs. The former aligns the code LLM to secure coding practices, and the latter prevents the code LLM from over-fitting to the security pattern, thereby reducing the impact on the code LLM's utility.

#### 3. Error-inducing-instruction synthesis

PROSEC synthesizes error-inducing instructions by fusing CWE-related program scenarios into normal instructions. The specific steps are as follows:

1. Given a programming language and a CWE, query ChatGPT to enumerate program scenarios that may trigger the CWE.
2. Select instructions related to the programming language from the instruction-tuning dataset.
3. For each relevant normal instruction, instruct ChatGPT to combine the normal instruction and the program scenario that may trigger the vulnerability to form an error-inducing instruction.

#### 4. Alignment-dataset construction

Alignment training is more effective when the paired data is generated by the model itself. Therefore, given a code LLM πθ to be aligned, PROSEC runs inference with πθ on dataset E and constructs an alignment dataset. The specific steps are as follows:

1. Use the code LLM to implement error-inducing instructions and normal instructions to generate potentially vulnerable code snippets and normal code snippets.
2. Use a static analyzer to ensure that the potentially vulnerable code does indeed contain insecure coding practices.
3. Instruct the code LLM to fix the vulnerabilities in the vulnerable code.
4. Verify whether the fixed code snippets are indeed secure.
5. Construct an alignment dataset, including secure and vulnerable code pairs, as well as normal and fixed code pairs.

### Experimental setup

- **Instruction-tuning dataset**: Use the code-related part of Infinity-Instruct as the seed instruction dataset.
- **Static code analyzer**: Use the static analyzer commonly used in previous work to detect insecure coding practices.
- **Test dataset**: Use PurpleLlama as the test dataset for code-model security, and the multilingual versions of HumanEval and MBPP as the test datasets for utility.

### Experimental results

- **Secure code generation**: The experimental results show that models aligned with the PROSEC dataset are more secure than models aligned with the SafeCoder dataset, with an improvement of 35 respectively.
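
The alignment-dataset construction steps summarized above, sketched as an added example (not code from the paper or the ProSec project). A toy AST check for CWE-78 stands in for the static analyzer and constructed snippets stand in for model outputs; the names `flags_cwe78`, `build_pairs`, `rec` and the prompt used for the normal/fixed pair are assumptions.

```python
import ast

def flags_cwe78(code):
    """Toy stand-in for the static analyzer: True if a CWE-78 pattern is present."""
    for node in ast.walk(ast.parse(code)):  # SyntaxError propagates to the caller
        if not isinstance(node, ast.Call):
            continue
        name = ast.unparse(node.func)
        # os.system called with a command that is not a string literal
        if name == "os.system" and node.args and not isinstance(node.args[0], ast.Constant):
            return True
        # any subprocess call routed through a shell
        if name.startswith("subprocess.") and any(
                k.arg == "shell" and getattr(k.value, "value", None) is True
                for k in node.keywords):
            return True
    return False

def build_pairs(records):
    """Turn (instruction, normal, vulnerable, fixed) records into preference pairs."""
    pairs = []
    for r in records:
        try:
            if not flags_cwe78(r["vulnerable"]):  # step 2: must really be insecure
                continue
            if flags_cwe78(r["fixed"]):           # step 4: fix must verify as secure
                continue
        except SyntaxError:                       # unparseable output is unverifiable
            continue
        # fixed (win) vs vulnerable (lose): teaches the secure practice
        pairs.append({"prompt": r["instruction"], "chosen": r["fixed"],
                      "rejected": r["vulnerable"]})
        # normal (win) vs fixed (lose): guards utility; prompt choice is an assumption
        pairs.append({"prompt": r["normal_instruction"], "chosen": r["normal"],
                      "rejected": r["fixed"]})
    return pairs

# Constructed sample snippets standing in for model outputs.
VULN = 'import os\ndef ping(h):\n    return os.system("ping -c 1 " + h)\n'
FIXED = 'import subprocess\ndef ping(h):\n    return subprocess.run(["ping", "-c", "1", h]).returncode\n'
BAD_FIX = 'import subprocess\ndef ping(h):\n    return subprocess.run("ping -c 1 " + h, shell=True).returncode\n'
NORMAL = 'def add(a, b):\n    return a + b\n'
def rec(vulnerable, fixed):
    return {"instruction": "Write a function that pings a user-supplied host.",
            "normal_instruction": "Write a function that adds two numbers.",
            "normal": NORMAL, "vulnerable": vulnerable, "fixed": fixed}
SAMPLE = [rec(VULN, FIXED),     # kept: yields one pair of each kind
          rec(VULN, BAD_FIX),   # dropped: the "fix" still uses shell=True
          rec(FIXED, FIXED)]    # dropped: candidate was never insecure
```

Calling `build_pairs(SAMPLE)` keeps only the first record; the two verification gates are what stop an unverified "fix" from entering the dataset as a preferred sample.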