Semantics-Preserving Evasion of LLM Vulnerability Detectors
Luze Sun, Alina Oprea, Eric Wong
TL;DR
This work tackles the problem that LLM-based vulnerability detectors can be evaded by semantics-preserving code edits, potentially bypassing security checks. It introduces a carrier-constrained, gradient-guided threat model using a universal adversarial string learned via Greedy Coordinate Gradient (GCG) and evaluates attacks on a unified C/C++ benchmark of $N=5000$ functions, with four carrier families (identifier substitutions, comments, preprocessor directives, and dead-branch code). The study defines robust metrics—Conditional Attack Success Rate $ASR_{cond}$, Complete Resistance $CR$, and End-to-End Recall Drop $\Delta TPR$—and demonstrates widespread fragility: more than 87% of true vulnerabilities can be flipped to BENIGN under semantics-preserving edits, with transfer from surrogate models enabling high attack success on black-box APIs. Sanitization can block targeted carriers but often shifts the detector’s decision boundary, and the gap between transfer and on-target attacks reveals complex interactions across models and carriers. Collectively, the results show that clean accuracy is not a reliable security proxy, and they propose integrity-oriented evaluation and defense strategies, including diverse adversarial training and deploying Complete Resistance alongside traditional metrics to harden detectors.
Abstract
LLM-based vulnerability detectors are increasingly deployed in security-critical code review, yet their resilience to evasion under behavior-preserving edits remains poorly understood. We evaluate detection-time integrity under a semantics-preserving threat model by instantiating diverse behavior-preserving code transformations on a unified C/C++ benchmark (N=5000), and introduce a metric of joint robustness across different attack methods/carriers. Across models, we observe a systemic failure of semantic invariant adversarial transformations: even state-of-the-art vulnerability detectors perform well on clean inputs while predictions flip under behavior-equivalent edits. Universal adversarial strings optimized on a single surrogate model remain effective when transferred to black-box APIs, and gradient access can further amplify evasion success. These results show that even high-performing detectors are vulnerable to low-cost, semantics-preserving evasion. Our carrier-based metrics provide practical diagnostics for evaluating LLM-based code detectors.
