Instruction Tuning for Secure Code Generation

TL;DR

SafeCoder addresses the gap in instruction tuning for secure code by introducing a security-centric fine-tuning phase that jointly optimizes safety and utility. It combines a masked language modeling loss on secure code with a masked unlikelihood loss on insecure code, trained alongside standard instruction-tuning data, and relies on an automated GitHub-CodeQL data pipeline to assemble diverse vulnerability samples. Empirical results across multiple coding and general-purpose LMs show substantial security gains (~30% improvement) with minimal impact on utility across benchmarks like HumanEval and MBPP, while revealing limited generalization to unseen CWEs and outlining the need for future work in broader generalization and reinforcement learning approaches. The work also provides an automated, scalable data collection pipeline and open-sources its resources, enabling broader adoption and further advances in secure code generation.

Abstract

Modern language models (LMs) have gained widespread acceptance in everyday and professional contexts, particularly in programming. An essential procedure enabling this adoption is instruction tuning, which substantially enhances LMs' practical utility by training them to follow user instructions and human preferences. However, existing instruction tuning schemes overlook a crucial aspect: the security of generated code. As a result, even the state-of-the-art instruction-tuned LMs frequently produce unsafe code, posing significant security risks. In this work, we introduce SafeCoder to address this gap. SafeCoder performs security-centric fine-tuning using a diverse and high-quality dataset that we collected using an automated pipeline. We integrate the security fine-tuning with standard instruction tuning, to facilitate a joint optimization of both security and utility. Despite its simplicity, we show that SafeCoder is effective across a variety of popular LMs and datasets. It is able to drastically improve security (by about 30%), while preserving utility.

Figures (5)

• Figure 1: Left: state-of-the-art instruction-tuned LMs frequently produce insecure code, regardless of model size and family. Right: SafeCoder significantly enhances the security of instruction-tuned LMs with minimal compromise on utility, e.g., Pass@1 score on the HumanEval benchmark DBLP:journals/corr/abs-2107-03374.
• Figure 2: An illustrative example of SafeCoder's instruction tuning dataset $\mathcal{D}^{\mathrm{sec}}$. This example is adapted from a GitHub commit* that fixes an "Inadequate Encryption Strength" vulnerability (CWE-326). For RSA, the key size is recommended to be at least 2048.
• Figure 3: Results of our ablation studies that cover two LMs. "no collected data": ablating the training data collected by us in \ref{['sec:data']}. "no loss masks": ablating the masks $\mathbf{m}^{\mathrm{sec}}$ and $\mathbf{m}^{\mathrm{vul}}$ used in \ref{['eq:sec', 'eq:vul']}. "no unlikelihood": ablating the unlikelihood loss in \ref{['eq:vul']}.
• Figure 4: Effect of the oversampling parameter $k$ on code security evaluated on StarCoder-1B. Increasing $k$ leads to a higher mean security rate while also reducing the variance of it. However, beyond $k=20$, further increasing the oversampling parameter provides only diminishing returns.
• Figure : Combining standard and security instruction tuning. We show only one training epoch for simplicity.