
Enhancing Security of AI-Based Code Synthesis with GitHub Copilot via Cheap and Efficient Prompt-Engineering

Jakub Res, Ivan Homoliak, Martin Perešíni, Aleš Smrčka, Kamil Malinka, Petr Hanacek

TL;DR

This work addresses the security of AI-generated code by proposing a low-cost, generalizable prompt-engineering framework. It evaluates three methods—scenario-specific prompts, iterative security-focused prompting, and general alignment shifting—on GitHub Copilot using OpenVPN as a realistic testbed, showing reductions in insecure outputs (up to 16%) and increases in secure outputs (up to 8%). The study emphasizes that such prompt-based techniques can improve code safety without access to model internals, making them applicable to proprietary code synthesizers. The findings suggest a viable path for safer AI-assisted software development and prompt a broader exploration across languages and platforms.

Abstract

AI assistants for coding are on the rise. However, one of the reasons developers and companies avoid harnessing their full potential is the questionable security of the generated code. This paper first reviews the current state-of-the-art and identifies areas for improvement on this issue. Then, we propose a systematic approach based on prompt-altering methods to achieve better code security of (even proprietary black-box) AI-based code generators such as GitHub Copilot, while minimizing the complexity of the application from the user's point of view, the computational resources, and operational costs. In sum, we propose and evaluate three prompt-altering methods: (1) scenario-specific, (2) iterative, and (3) general clause, while we discuss their combination. Contrary to the audit of code security, the latter two of the proposed methods require no expert knowledge from the user. We assess the effectiveness of the proposed methods on GitHub Copilot using the OpenVPN project in realistic scenarios, and we demonstrate that the proposed methods reduce the number of insecure generated code samples by up to 16% and increase the number of secure code by up to 8%. Since our approach does not require access to the internals of the AI models, it can be in general applied to any AI-based code synthesizer, not only GitHub Copilot.

Paper Structure (20 sections, 8 figures, 1 table)

This paper contains 20 sections, 8 figures, 1 table.

Figures (8)

  • Figure 1: Example of security issue generated by AI. The scenario comes from the dataset proposed in asleepatkeyboard.
  • Figure 2: Potential improvements of code synthesis.
  • Figure 3: Preliminary results of prompt enhancing.
  • Figure 4: Example of input prompt alteration.
  • Figure 5: Rule set for the iterative method.
  • ...and 3 more figures