Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Can Adversarial Code Comments Fool AI Security Reviewers -- Large-Scale Empirical Study of Comment-Based Attacks and Defenses Against LLM Code Analysis

Scott Thornton

TL;DR

This work builds a 100-sample benchmark across Python, JavaScript, and Java, each paired with eight comment variants ranging from no comments to adversarial strategies such as authority spoofing and technical deception, and finds that comment stripping reduces detection for weaker models by removing helpful context.

Abstract

AI-assisted code review is widely used to detect vulnerabilities before production release. Prior work shows that adversarial prompt manipulation can degrade large language model (LLM) performance in code generation. We test whether similar comment-based manipulation misleads LLMs during vulnerability detection. We build a 100-sample benchmark across Python, JavaScript, and Java, each paired with eight comment variants ranging from no comments to adversarial strategies such as authority spoofing and technical deception. Eight frontier models, five commercial and three open-source, are evaluated in 9,366 trials. Adversarial comments produce small, statistically non-significant effects on detection accuracy (McNemar exact p > 0.21; all 95 percent confidence intervals include zero). This holds for commercial models with 89 to 96 percent baseline detection and open-source models with 53 to 72 percent, despite large absolute performance gaps. Unlike generation settings where comment manipulation achieves high attack success, detection performance does not meaningfully degrade. More complex adversarial strategies offer no advantage over simple manipulative comments. We test four automated defenses across 4,646 additional trials (14,012 total). Static analysis cross-referencing performs best at 96.9 percent detection and recovers 47 percent of baseline misses. Comment stripping reduces detection for weaker models by removing helpful context. Failures concentrate on inherently difficult vulnerability classes, including race conditions, timing side channels, and complex authorization logic, rather than on adversarial comments.

Can Adversarial Code Comments Fool AI Security Reviewers -- Large-Scale Empirical Study of Comment-Based Attacks and Defenses Against LLM Code Analysis

TL;DR

This work builds a 100-sample benchmark across Python, JavaScript, and Java, each paired with eight comment variants ranging from no comments to adversarial strategies such as authority spoofing and technical deception, and finds that comment stripping reduces detection for weaker models by removing helpful context.

Abstract

AI-assisted code review is widely used to detect vulnerabilities before production release. Prior work shows that adversarial prompt manipulation can degrade large language model (LLM) performance in code generation. We test whether similar comment-based manipulation misleads LLMs during vulnerability detection. We build a 100-sample benchmark across Python, JavaScript, and Java, each paired with eight comment variants ranging from no comments to adversarial strategies such as authority spoofing and technical deception. Eight frontier models, five commercial and three open-source, are evaluated in 9,366 trials. Adversarial comments produce small, statistically non-significant effects on detection accuracy (McNemar exact p > 0.21; all 95 percent confidence intervals include zero). This holds for commercial models with 89 to 96 percent baseline detection and open-source models with 53 to 72 percent, despite large absolute performance gaps. Unlike generation settings where comment manipulation achieves high attack success, detection performance does not meaningfully degrade. More complex adversarial strategies offer no advantage over simple manipulative comments. We test four automated defenses across 4,646 additional trials (14,012 total). Static analysis cross-referencing performs best at 96.9 percent detection and recovers 47 percent of baseline misses. Comment stripping reduces detection for weaker models by removing helpful context. Failures concentrate on inherently difficult vulnerability classes, including race conditions, timing side channels, and complex authorization logic, rather than on adversarial comments.
Paper Structure (35 sections, 5 figures, 8 tables)

This paper contains 35 sections, 5 figures, 8 tables.

Table of Contents

  1. Introduction
  2. Key Findings at a Glance
  3. Contributions
  4. Related Work
  5. Adversarial Attacks on LLM Code Systems
  6. Prompt Injection and LLM Manipulation
  7. LLM Security Benchmarks
  8. Hybrid SAST+LLM Defense Strategies
  9. Natural Language Cues in Code Reasoning
  10. Threat Model
  11. Methodology
  12. Benchmark Design
  13. Comment Variants
  14. Models Under Test
  15. System Prompt Conditions
  16. ...and 20 more sections

Figures (5)

  • Figure 1: Experimental pipeline. The primary experiment evaluates 100 vulnerable samples across 8 comment variants, 8 models (5 commercial, 3 open-source), and up to 3 system prompt conditions (9,366 evaluations). The defense branch evaluates 4 automated strategies across adversarial variants (4,646 evaluations). Total: 14,012 evaluations.
  • Figure 2: C0 vs. C4 paired comparison across all eight models. (a) Detection rates are nearly identical for both commercial and open-source models. (b) Forest plot of $\Delta$FNR with 95% CIs---all intervals span zero, none approaching significance.
  • Figure 3: Detection rates by model $\times$ comment variant (SP0). C5--C7 (right of dashed line) were tested on a 30-sample subset with higher baseline rates---see Section \ref{['sec:backfire']} for discussion of subset selection bias.
  • Figure 4: Detection rate by language $\times$ vulnerability category (C0+SP0). Java cryptography (50%) and access control (75%) are dramatically harder than their counterparts. Several cells have $n \leq 4$; rates should be interpreted as indicative.
  • Figure 5: Defense effectiveness comparison. SAST cross-referencing (D5) is the clear winner.