Table of Contents
Fetching ...

Semantics-Preserving Evasion of LLM Vulnerability Detectors

Luze Sun, Alina Oprea, Eric Wong

TL;DR

This work tackles the problem that LLM-based vulnerability detectors can be evaded by semantics-preserving code edits, potentially bypassing security checks. It introduces a carrier-constrained, gradient-guided threat model using a universal adversarial string learned via Greedy Coordinate Gradient (GCG) and evaluates attacks on a unified C/C++ benchmark of $N=5000$ functions, with four carrier families (identifier substitutions, comments, preprocessor directives, and dead-branch code). The study defines robust metrics—Conditional Attack Success Rate $ASR_{cond}$, Complete Resistance $CR$, and End-to-End Recall Drop $\Delta TPR$—and demonstrates widespread fragility: more than 87% of true vulnerabilities can be flipped to BENIGN under semantics-preserving edits, with transfer from surrogate models enabling high attack success on black-box APIs. Sanitization can block targeted carriers but often shifts the detector’s decision boundary, and the gap between transfer and on-target attacks reveals complex interactions across models and carriers. Collectively, the results show that clean accuracy is not a reliable security proxy, and they propose integrity-oriented evaluation and defense strategies, including diverse adversarial training and deploying Complete Resistance alongside traditional metrics to harden detectors.

Abstract

LLM-based vulnerability detectors are increasingly deployed in security-critical code review, yet their resilience to evasion under behavior-preserving edits remains poorly understood. We evaluate detection-time integrity under a semantics-preserving threat model by instantiating diverse behavior-preserving code transformations on a unified C/C++ benchmark (N=5000), and introduce a metric of joint robustness across different attack methods/carriers. Across models, we observe a systemic failure of semantic invariant adversarial transformations: even state-of-the-art vulnerability detectors perform well on clean inputs while predictions flip under behavior-equivalent edits. Universal adversarial strings optimized on a single surrogate model remain effective when transferred to black-box APIs, and gradient access can further amplify evasion success. These results show that even high-performing detectors are vulnerable to low-cost, semantics-preserving evasion. Our carrier-based metrics provide practical diagnostics for evaluating LLM-based code detectors.

Semantics-Preserving Evasion of LLM Vulnerability Detectors

TL;DR

This work tackles the problem that LLM-based vulnerability detectors can be evaded by semantics-preserving code edits, potentially bypassing security checks. It introduces a carrier-constrained, gradient-guided threat model using a universal adversarial string learned via Greedy Coordinate Gradient (GCG) and evaluates attacks on a unified C/C++ benchmark of functions, with four carrier families (identifier substitutions, comments, preprocessor directives, and dead-branch code). The study defines robust metrics—Conditional Attack Success Rate , Complete Resistance , and End-to-End Recall Drop —and demonstrates widespread fragility: more than 87% of true vulnerabilities can be flipped to BENIGN under semantics-preserving edits, with transfer from surrogate models enabling high attack success on black-box APIs. Sanitization can block targeted carriers but often shifts the detector’s decision boundary, and the gap between transfer and on-target attacks reveals complex interactions across models and carriers. Collectively, the results show that clean accuracy is not a reliable security proxy, and they propose integrity-oriented evaluation and defense strategies, including diverse adversarial training and deploying Complete Resistance alongside traditional metrics to harden detectors.

Abstract

LLM-based vulnerability detectors are increasingly deployed in security-critical code review, yet their resilience to evasion under behavior-preserving edits remains poorly understood. We evaluate detection-time integrity under a semantics-preserving threat model by instantiating diverse behavior-preserving code transformations on a unified C/C++ benchmark (N=5000), and introduce a metric of joint robustness across different attack methods/carriers. Across models, we observe a systemic failure of semantic invariant adversarial transformations: even state-of-the-art vulnerability detectors perform well on clean inputs while predictions flip under behavior-equivalent edits. Universal adversarial strings optimized on a single surrogate model remain effective when transferred to black-box APIs, and gradient access can further amplify evasion success. These results show that even high-performing detectors are vulnerable to low-cost, semantics-preserving evasion. Our carrier-based metrics provide practical diagnostics for evaluating LLM-based code detectors.
Paper Structure (38 sections, 5 equations, 5 figures, 12 tables)

This paper contains 38 sections, 5 equations, 5 figures, 12 tables.

Figures (5)

  • Figure 1: Why carrier-constrained optimization matters.Left: Carrier-constrained GCG via identifier substitution preserves compilation and flips the detector to BENIGN. Middle: Naively appending a GCG-optimized string breaks compilation, so it is not a valid semantics-preserving evasion. Right: Unoptimized semantics-preserving edits remain compilable but typically fail to evade detection. Red denotes the GCG-optimized identifier, blue denotes a random identifier, and boldface highlights the original identifier.
  • Figure 2: Overall attack effectiveness across models. Solid bars: transfer attacks using universal strings from Qwen2.5-Coder-14B surrogate. Hatched bars: on-target optimization (Llama3.1-8B, CodeAstra only). (a) Union $\mathrm{ASR}_{\mathrm{cond}}$ across carriers. (b) End-to-end recall decrease ($\Delta\mathrm{TPR}$).
  • Figure 3: Robustness against Non-GCG Baselines. We compare prompt injection against random_idsub. While prompt injection achieves high success on some models (e.g., Llama3.1, CodeAstra), random perturbations ($\sim$10%) remain far less effective than our optimized attacks, confirming that code syntax requires targeted optimization rather than random noise.
  • Figure 4: CWE $\times$ attack method success heatmaps across models. Each cell gives the per-method conditional attack success rate $\mathrm{ASR}_{\mathrm{cond}}(A;M)$ for a given CWE type and attack method. This visualization highlights strong method & CWE interactions and model-specific attack profiles (e.g., CodeAstra's distinct behavior relative to other models).
  • Figure 5: Attack success rate versus code length (binned). Curves show per-carrier success rates across length ranges, complementing Table \ref{['tab:length_corr']} by revealing non-linear trends and saturation regimes.