Title: Can generative AI detect and fix real-world cryptographic misuses?
Authors: Ehsan Firouzi, Mohammad Ghafari
DOI: 10.1016/j.jss.2025.112650
Journal: Journal of Systems and Software, volume 232, Article 112650
Publication type: Journal Article
Publication date: 2025-10-16
Publisher page: https://www.sciencedirect.com/science/article/pii/S016412122500319X
Impact factor: 4.1; JCR: Q1 (Computer Science, Software Engineering); Category: Computer Science
Open access: no
Citations: 0
Abstract
We evaluate ChatGPT’s ability to detect and fix cryptographic API misuses. We show that GPT-4o can achieve F1 scores above 0.90 on two established benchmarks. We also assess the model on real-world code: on the GitHub samples, it attains an F1 score of 0.84 and a Matthews Correlation Coefficient (MCC) of 0.81; on the Android samples, it achieves an F1 score of 0.85 but a slightly lower MCC of 0.76. We noted that several factors such as naming conventions and code structure influence GPT’s performance. However, when it correctly flags a misuse, it is often able to suggest effective fixes. We also reported the identified misuses in GitHub repositories and received promising feedback from developers. Finally, a comparison between GPT and a state-of-the-art crypto-misuse detector shows GPT’s strong potential for adoption in real-world settings.
Journal description:
The Journal of Systems and Software publishes papers covering all aspects of software engineering and related hardware-software-systems issues. All articles should include a validation of the idea presented, e.g. through case studies, experiments, or systematic comparisons with other approaches already in practice. Topics of interest include, but are not limited to:
• Methods and tools for, and empirical studies on, software requirements, design, architecture, verification and validation, maintenance and evolution
• Agile, model-driven, service-oriented, open source and global software development
• Approaches for mobile, multiprocessing, real-time, distributed, cloud-based, dependable and virtualized systems
• Human factors and management concerns of software development
• Data management and big data issues of software systems
• Metrics and evaluation, data mining of software development resources
• Business and economic aspects of software development processes
The journal welcomes state-of-the-art surveys and reports of practical experience for all of these topics.