Papers
Topics
Authors
Recent
2000 character limit reached

LLM Security Guard for Code (2405.01103v2)

Published 2 May 2024 in cs.SE and cs.CR

Abstract: Many developers rely on LLMs to facilitate software development. Nevertheless, these models have exhibited limited capabilities in the security domain. We introduce LLMSecGuard, a framework to offer enhanced code security through the synergy between static code analyzers and LLMs. LLMSecGuard is open source and aims to equip developers with code solutions that are more secure than the code initially generated by LLMs. This framework also has a benchmarking feature, aimed at providing insights into the evolving security attributes of these models.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (28)
  1. Evaluation of Static Vulnerability Detection Tools With Java Cryptographic API Benchmarks. IEEE Transactions on Software Engineering 49, 2 (2023), 485–497. https://doi.org/10.1109/TSE.2022.3154717
  2. Is GitHub’s Copilot as bad as humans at introducing vulnerabilities in code? Empirical Software Engineering 28, 6 (23 Sep 2023), 129. https://doi.org/10.1007/s10664-023-10380-1
  3. Purple Llama CyberSecEval: A Secure Coding Benchmark for Language Models. arXiv preprint arXiv:2312.04724 (2023).
  4. Noah Bühlmann and Mohammad Ghafari. 2022. How Do Developers Deal with Security Issue Reports on GitHub?. In Proceedings of the 37th ACM/SIGAPP Symposium on Applied Computing (Virtual Event) (SAC ’22).
  5. Idea: Benchmarking Android Data Leak Detection Tools. In Engineering Secure Software and Systems: 10th International Symposium (Paris, France) (ESSoS ’18). 116–123. https://doi.org/10.1007/978-3-319-94496-8_9
  6. An Extensive Comparison of Static Application Security Testing Tools. In 28th International Conference on Evaluation and Assessment in Software Engineering (Salerno, Italy) (EASE ’24).
  7. Large Language Models for Software Engineering: Survey and Open Problems. arXiv:2310.03533
  8. Security Weaknesses of Copilot Generated Code in GitHub. arXiv preprint arXiv:2310.02059 (2023).
  9. Security code smells in Android ICC. Empirical Software Engineering 24, 5 (01 Oct 2019), 3046–3076. https://doi.org/10.1007/s10664-018-9673-y
  10. Security Smells Pervade Mobile App Servers. In Proceedings of the 15th ACM / IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM) (Bari, Italy) (ESEM ’21). https://doi.org/10.1145/3475716.3475780
  11. Security Smells in Android. In 2017 IEEE 17th International Working Conference on Source Code Analysis and Manipulation (SCAM). 121–130. https://doi.org/10.1109/SCAM.2017.24
  12. GitHub. 2023. GitHub Copilot for Business is Now Available. https://github.blog/2023-02-14-github-copilot-for-business-is-now-available/ Accessed on January 28, 2024.
  13. CodeLMSec Benchmark: Systematically Evaluating and Finding Security Vulnerabilities in Black-Box Code Language Models. In 2nd IEEE Conference on Secure and Trustworthy Machine Learning (Toronto, Canada) (SaTML ’24).
  14. M. Hazhirpasand and M. Ghafari. 2021. Worrisome Patterns in Developers: A Survey in Cryptography. In 2021 36th IEEE/ACM International Conference on Automated Software Engineering Workshops (ASEW). 185–190. https://doi.org/10.1109/ASEW52652.2021.00045
  15. The Impact of Developer Experience in Using Java Cryptography. In 2019 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement.
  16. Java Cryptography Uses in the Wild. In Proceedings of the 14th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM).
  17. Large Language Models for Software Engineering: A Systematic Literature Review. arXiv:2308.10620 [cs.SE]
  18. A Survey on Hallucination in Large Language Models: Principles, Taxonomy, Challenges, and Open Questions. arXiv:2311.05232 [cs.CL]
  19. Meta AI. Year of publication or last update. LLAMA: Language Model for Many Applications. https://ai.meta.com/llama/ Accessed on January 28, 2024.
  20. An Investigation into Misuse of Java Security APIs by Large Language Models.
  21. Asleep at the keyboard? assessing the security of github copilot’s code contributions. In 2022 IEEE Symposium on Security and Privacy (SP). IEEE, 754–768.
  22. Semgrep. Year of the latest commit or release. Semgrep: Lightweight static analysis for many languages. https://github.com/semgrep/semgrep. Accessed on January 28, 2024.
  23. Security Risks of Porting C Programs to Webassembly. In Proceedings of the 37th ACM/SIGAPP Symposium on Applied Computing (Virtual Event) (SAC ’22). Association for Computing Machinery.
  24. JIT feedback: what experienced developers like about static analysis. In Proceedings of the 26th Conference on Program Comprehension (Gothenburg, Sweden) (ICPC ’18). 64–73.
  25. The Effectiveness of Large Language Models (ChatGPT and CodeBERT) for Security-Oriented Code Analysis. (2023). https://doi.org/10.2139/ssrn.4567887
  26. Weggli-RS. Year of the latest commit or release. Weggli: A Rust implementation of the Wegman-Carter Universal Hashing scheme. https://github.com/weggli-rs/weggli. Accessed on January 28, 2024.
  27. Insecure by Design in the Backbone of Critical Infrastructure. In Proceedings of Cyber-Physical Systems and Internet of Things Week 2023 (San Antonio, TX, USA) (CPS-IoT Week ’23). Association for Computing Machinery.
  28. Automatic Detection of Java Cryptographic API Misuses: Are We There Yet? IEEE Transactions on Software Engineering 49, 1 (2023), 288–303.
Citations (1)
View on Semantic Scholar

Summary

We haven't generated a summary for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Now
Slide Deck Streamline Icon: https://streamlinehq.com

Whiteboard

Dice Question Streamline Icon: https://streamlinehq.com

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Generate Now
Lightbulb Streamline Icon: https://streamlinehq.com

Continue Learning

We haven't generated follow-up questions for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Generate Now
List To Do Tasks Checklist Streamline Icon: https://streamlinehq.com

Collections

Sign up for free to add this paper to one or more collections.

User Circle Single Streamline Icon: https://streamlinehq.com Sign Up
X Twitter Logo Streamline Icon: https://streamlinehq.com

Tweets

Sign up for free to view the 4 tweets with 9 likes about this paper.

User Circle Single Streamline Icon: https://streamlinehq.com Sign Up for Free