A Small Leak Sinks All: Exploring the Transferable Vulnerability of Source Code Models
Weiye Li, Wenyi Tang
TL;DR
The paper investigates transferable adversarial vulnerabilities across traditional source code models (SCMs) and modern LLM-based code systems (LLM4Code). It introduces HABITAT, a victim-agnostic framework that uses a hierarchical contextual bandit approach and memory augmentation to craft perturbations without access to downstream classifiers, achieving up to $64\%$ ASR against LLM4Code and outperforming prior methods on traditional SCMs by over $15\%$. The analysis identifies dominant factors shaping transferability, including insertion positions, transformation types, attention distributions, code complexity, and semantic disparities, and demonstrates cross-architecture vulnerability patterns through comprehensive experiments on CodeBERT, CodeT5, UniXcoder, and LLM4Code models. The findings underscore persistent security weaknesses across the SCM ecosystem and offer guidance for robust defenses and transferability-aware training. Practically, the work highlights the need for ecosystem-wide defenses that account for cross-model knowledge leakage and cross-architecture vulnerabilities in modern software development pipelines.
Abstract
Source Code Model learn the proper embeddings from source codes, demonstrating significant success in various software engineering or security tasks. The recent explosive development of LLM extends the family of SCMs,bringing LLMs for code that revolutionize development workflows. Investigating different kinds of SCM vulnerability is the cornerstone for the security and trustworthiness of AI-powered software ecosystems, however, the fundamental one, transferable vulnerability, remains critically underexplored. Existing studies neither offer practical ways, i.e. require access to the downstream classifier of SCMs, to produce effective adversarial samples for adversarial defense, nor give heed to the widely used LLM4Code in modern software development platforms and cloud-based integrated development environments. Therefore, this work systematically studies the intrinsic vulnerability transferability of both traditional SCMs and LLM4Code, and proposes a victim-agnostic approach to generate practical adversarial samples. We design HABITAT, consisting of a tailored perturbation-inserting mechanism and a hierarchical Reinforcement Learning framework that adaptively selects optimal perturbations without requiring any access to the downstream classifier of SCMs. Furthermore, an intrinsic transferability analysis of SCM vulnerabilities is conducted, revealing the potential vulnerability correlation between traditional SCMs and LLM4Code, together with fundamental factors that govern the success rate of victim-agnostic transfer attacks. These findings of SCM vulnerabilities underscore the critical focal points for developing robust defenses in the future. Experimental evaluation demonstrates that our constructed adversarial examples crafted based on traditional SCMs achieve up to 64% success rates against LLM4Code, surpassing the state-of-the-art by over 15%.