Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

DeepCode AI Fix: Fixing Security Vulnerabilities with Large Language Models

Berkay Berabi, Alexey Gronskiy, Veselin Raychev, Gishor Sivanrupan, Victor Chibotaru, Martin Vechev

TL;DR

DeepCode AI Fix tackles the difficulty of automatically repairing complex security bugs by combining static-analysis-guided code reduction with large-language-model repairs. The approach preserves essential alarm-causing information within a compact code snippet (CodeReduce) and uses a MergeBack step to apply fixes to the original file, enabling efficient learning and real-time applicability. It builds a large, high-quality dataset of buggy/fixed JavaScript code across 156 bug patterns (including 40 security rules) and demonstrates substantial improvements over baselines like TFix and GPT-based approaches on Pass@$k$ and ExactMatch@$k$, across multiple models and data flavors. This work highlights how program analysis can dramatically improve learning-based repair by reducing context and focusing attention on the core problematic regions, enabling practical, end-to-end automated bug fixing with LLMs in real-world development environments.

Abstract

The automated program repair field has attracted substantial interest over the years, but despite significant research efforts, creating a system that works well for complex semantic bugs such as security vulnerabilities has proven difficult. A promising direction to solve this challenge is by leveraging large language models (LLMs), which are increasingly used to solve various programming tasks. In this paper, we investigate the effectiveness of LLMs for solving code-repair task. We show that the task is difficult as it requires the model to learn long-range code relationships, a task that inherently relies on extensive amounts of training data. At the same time, creating a large, clean dataset for complex program bugs and their corresponding fixes is non-trivial. We propose a technique to address these challenges with a new approach for querying and fine-tuning LLMs. The idea is to use program analysis to limit the LLM's attention mechanism on the portions of code needed to perform the fix, drastically reducing the amount of required training data. Concretely, for training and inference, rather than feeding the entire program to the LLM, we reduce its code to a much shorter snippet that contains the reported defect together with the necessary context - and use that instead. Our evaluation shows that this code reduction approach substantially improves available models such as GPT-4 using few-shot learning, as well as fine-tuning models. To train and evaluate our system, we created a comprehensive code fixing dataset by extensively labeling 156 bug patterns (including 40 security rules), requiring complex interprocedural dataflow to discover. Our best system with Mixtral-8x7B can remove more than 80% of the reported defects while exactly matching the human fix in between 10 and 50% of cases, outperforming baselines based on GPT-3.5 and GPT-4, or based on window-based models like TFix.

DeepCode AI Fix: Fixing Security Vulnerabilities with Large Language Models

TL;DR

DeepCode AI Fix tackles the difficulty of automatically repairing complex security bugs by combining static-analysis-guided code reduction with large-language-model repairs. The approach preserves essential alarm-causing information within a compact code snippet (CodeReduce) and uses a MergeBack step to apply fixes to the original file, enabling efficient learning and real-time applicability. It builds a large, high-quality dataset of buggy/fixed JavaScript code across 156 bug patterns (including 40 security rules) and demonstrates substantial improvements over baselines like TFix and GPT-based approaches on Pass@ and ExactMatch@, across multiple models and data flavors. This work highlights how program analysis can dramatically improve learning-based repair by reducing context and focusing attention on the core problematic regions, enabling practical, end-to-end automated bug fixing with LLMs in real-world development environments.

Abstract

The automated program repair field has attracted substantial interest over the years, but despite significant research efforts, creating a system that works well for complex semantic bugs such as security vulnerabilities has proven difficult. A promising direction to solve this challenge is by leveraging large language models (LLMs), which are increasingly used to solve various programming tasks. In this paper, we investigate the effectiveness of LLMs for solving code-repair task. We show that the task is difficult as it requires the model to learn long-range code relationships, a task that inherently relies on extensive amounts of training data. At the same time, creating a large, clean dataset for complex program bugs and their corresponding fixes is non-trivial. We propose a technique to address these challenges with a new approach for querying and fine-tuning LLMs. The idea is to use program analysis to limit the LLM's attention mechanism on the portions of code needed to perform the fix, drastically reducing the amount of required training data. Concretely, for training and inference, rather than feeding the entire program to the LLM, we reduce its code to a much shorter snippet that contains the reported defect together with the necessary context - and use that instead. Our evaluation shows that this code reduction approach substantially improves available models such as GPT-4 using few-shot learning, as well as fine-tuning models. To train and evaluate our system, we created a comprehensive code fixing dataset by extensively labeling 156 bug patterns (including 40 security rules), requiring complex interprocedural dataflow to discover. Our best system with Mixtral-8x7B can remove more than 80% of the reported defects while exactly matching the human fix in between 10 and 50% of cases, outperforming baselines based on GPT-3.5 and GPT-4, or based on window-based models like TFix.
Paper Structure (25 sections, 4 equations, 13 figures, 7 tables, 2 algorithms)

This paper contains 25 sections, 4 equations, 13 figures, 7 tables, 2 algorithms.

Table of Contents

  1. Introduction
  2. Key challenge: difficult to obtain training data
  3. Key challenge: the need to learn long-distance relationships
  4. This work: Code-Reduced Dataset & LLM-based Code Fixing
  5. Main Contributions
  6. Overview of DeepCode AI Fix
  7. Core Components of DeepCode AI Fix
  8. Code Analysis
  9. CodeReduce
  10. MergeBack
  11. Data Collection
  12. Experimental Evaluation
  13. Train/Test Split
  14. Metrics
  15. Training and Inference Configuration
  16. ...and 10 more sections

Figures (13)

  • Figure 1: Pipeline for automatic bug fixing with (a) only a large language model or (b) with complete process proposed by DeepCode AI Fix combining CodeReduce with a large language model.
  • Figure 2: An example run of our data creation pipeline on a diff containing a path traversal vulnerability OWASP-path-traversal fix (a)$\to$(b). Colors: red -/green +/gray represent standard diff notation, and marks the location of the vulnerability. CodeReduce is applied on (a), and a similar transformation is then applied on (b) to get (d), whereas MergeBack is applied to obtain (e) from (a) and the diff of (c)$\to$(d). Other real-world fix examples generated fixes by DeepCode AI Fix can be found in Appendix \ref{['sec:appendix_examples']}.
  • Figure 3: An example code reduction. The usage of the variable options remains in the reduced code, but its definition is deleted. The definition of express is not deleted because it is an import statement related to the vulnerability. The reduced code is not executable, but the analyzer can detect the path traversal vulnerability in both versions.
  • Figure 4: An example illustrating diff hunks between reduced code $c$ and prediction $p$ and the computed mapping $r_{c\to p}{}$ between them.
  • Figure 5: Overview of the data pipeline. See the main body for a detailed explanation of the steps.
  • ...and 8 more figures