Enregistré dans:
Détails bibliographiques
Auteurs principaux: Goetz, Stefan, Schaad, Andreas
Format: Preprint
Publié: 2024
Sujets:
Accès en ligne:https://arxiv.org/abs/2408.07106
Tags: Ajouter un tag
Pas de tags, Soyez le premier à ajouter un tag!
_version_ 1866910565014700032
author Goetz, Stefan
Schaad, Andreas
author_facet Goetz, Stefan
Schaad, Andreas
contents We witness an increasing usage of AI-assistants even for routine (classroom) programming tasks. However, the code generated on basis of a so called "prompt" by the programmer does not always meet accepted security standards. On the one hand, this may be due to lack of best-practice examples in the training data. On the other hand, the actual quality of the programmers prompt appears to influence whether generated code contains weaknesses or not. In this paper we analyse 4 major LLMs with respect to the security of generated code. We do this on basis of a case study for the Python and Javascript language, using the MITRE CWE catalogue as the guiding security definition. Our results show that using different prompting techniques, some LLMs initially generate 65% code which is deemed insecure by a trained security engineer. On the other hand almost all analysed LLMs will eventually generate code being close to 100% secure with increasing manual guidance of a skilled engineer.
format Preprint
id arxiv_https___arxiv_org_abs_2408_07106
institution arXiv
publishDate 2024
record_format arxiv
spellingShingle "You still have to study" -- On the Security of LLM generated code
Goetz, Stefan
Schaad, Andreas
Software Engineering
Cryptography and Security
Machine Learning
We witness an increasing usage of AI-assistants even for routine (classroom) programming tasks. However, the code generated on basis of a so called "prompt" by the programmer does not always meet accepted security standards. On the one hand, this may be due to lack of best-practice examples in the training data. On the other hand, the actual quality of the programmers prompt appears to influence whether generated code contains weaknesses or not. In this paper we analyse 4 major LLMs with respect to the security of generated code. We do this on basis of a case study for the Python and Javascript language, using the MITRE CWE catalogue as the guiding security definition. Our results show that using different prompting techniques, some LLMs initially generate 65% code which is deemed insecure by a trained security engineer. On the other hand almost all analysed LLMs will eventually generate code being close to 100% secure with increasing manual guidance of a skilled engineer.
title "You still have to study" -- On the Security of LLM generated code
topic Software Engineering
Cryptography and Security
Machine Learning
url https://arxiv.org/abs/2408.07106