Evaluating Large Language Models for Real-World Vulnerability Repair in C/C++ Code

Lan Zhang, Qingtian Zou, Anoop Singhal, Xiaoyan Sun, Peng Liu

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

1 Scopus citations

Abstract

The advent of Large Language Models (LLMs) has enabled advancement in automated code generation, translation, and summarization. Despite their promise, evaluating the use of LLMs in repairing real-world code vulnerabilities remains underexplored. In this study, we address this gap by evaluating the capability of advanced LLMs, such as ChatGPT-4 and Claude, in fixing memory corruption vulnerabilities in real-world C/C++ code. We meticulously curated 223 real-world C/C++ code snippets encompassing a spectrum of memory corruption vulnerabilities, ranging from straightforward memory leaks to intricate buffer errors. Our findings demonstrate the proficiency of LLMs in rectifying simple memory errors like leaks, where fixes are confined to localized code segments. However, their effectiveness diminishes when addressing complicated vulnerabilities necessitating reasoning about cross-cutting concerns and deeper program semantics. Furthermore, we explore techniques for augmenting LLM performance by incorporating additional knowledge. Our results shed light on both the strengths and limitations of LLMs in automated program repair on genuine code, underscoring the need for advancements in reasoning abilities for handling complex code repair tasks.

Original language: English (US)
Title of host publication: IWSPA 2024 - Proceedings of the 10th ACM International Workshop on Security and Privacy Analytics
Publisher: Association for Computing Machinery, Inc
Pages: 49-58
Number of pages: 10
ISBN (Electronic): 9798400705557
DOIs
State: Published - Jun 21 2024
Event: 10th ACM International Workshop on Security and Privacy Analytics, IWSPA 2024 - Porto, Portugal
Duration: Jun 21 2024 → …

Publication series

Name: IWSPA 2024 - Proceedings of the 10th ACM International Workshop on Security and Privacy Analytics

Conference

Conference: 10th ACM International Workshop on Security and Privacy Analytics, IWSPA 2024
Country/Territory: Portugal
City: Porto
Period: 6/21/24 → …

All Science Journal Classification (ASJC) codes

  • Artificial Intelligence
  • Computer Networks and Communications
  • Information Systems
  • Information Systems and Management
  • Safety, Risk, Reliability and Quality
  • Modeling and Simulation
