VulnLLMEval:评估软件漏洞检测和修补中大型语言模型的框架

Arastoo Zibaeirad, Marco Vieira
{"title":"VulnLLMEval:评估软件漏洞检测和修补中大型语言模型的框架","authors":"Arastoo Zibaeirad, Marco Vieira","doi":"arxiv-2409.10756","DOIUrl":null,"url":null,"abstract":"Large Language Models (LLMs) have shown promise in tasks like code\ntranslation, prompting interest in their potential for automating software\nvulnerability detection (SVD) and patching (SVP). To further research in this\narea, establishing a benchmark is essential for evaluating the strengths and\nlimitations of LLMs in these tasks. Despite their capabilities, questions\nremain regarding whether LLMs can accurately analyze complex vulnerabilities\nand generate appropriate patches. This paper introduces VulnLLMEval, a\nframework designed to assess the performance of LLMs in identifying and\npatching vulnerabilities in C code. Our study includes 307 real-world\nvulnerabilities extracted from the Linux kernel, creating a well-curated\ndataset that includes both vulnerable and patched code. This dataset, based on\nreal-world code, provides a diverse and representative testbed for evaluating\nLLM performance in SVD and SVP tasks, offering a robust foundation for rigorous\nassessment. Our results reveal that LLMs often struggle with distinguishing\nbetween vulnerable and patched code. Furthermore, in SVP tasks, these models\ntend to oversimplify the code, producing solutions that may not be directly\nusable without further refinement.","PeriodicalId":501278,"journal":{"name":"arXiv - CS - Software Engineering","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2024-09-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"VulnLLMEval: A Framework for Evaluating Large Language Models in Software Vulnerability Detection and Patching\",\"authors\":\"Arastoo Zibaeirad, Marco Vieira\",\"doi\":\"arxiv-2409.10756\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Large Language Models (LLMs) have shown promise in tasks like code\\ntranslation, prompting interest in their potential for automating software\\nvulnerability detection (SVD) and patching (SVP). To further research in this\\narea, establishing a benchmark is essential for evaluating the strengths and\\nlimitations of LLMs in these tasks. Despite their capabilities, questions\\nremain regarding whether LLMs can accurately analyze complex vulnerabilities\\nand generate appropriate patches. This paper introduces VulnLLMEval, a\\nframework designed to assess the performance of LLMs in identifying and\\npatching vulnerabilities in C code. Our study includes 307 real-world\\nvulnerabilities extracted from the Linux kernel, creating a well-curated\\ndataset that includes both vulnerable and patched code. This dataset, based on\\nreal-world code, provides a diverse and representative testbed for evaluating\\nLLM performance in SVD and SVP tasks, offering a robust foundation for rigorous\\nassessment. Our results reveal that LLMs often struggle with distinguishing\\nbetween vulnerable and patched code. Furthermore, in SVP tasks, these models\\ntend to oversimplify the code, producing solutions that may not be directly\\nusable without further refinement.\",\"PeriodicalId\":501278,\"journal\":{\"name\":\"arXiv - CS - Software Engineering\",\"volume\":null,\"pages\":null},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2024-09-16\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"arXiv - CS - Software Engineering\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/arxiv-2409.10756\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"arXiv - CS - Software Engineering","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/arxiv-2409.10756","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 0

摘要

大型语言模型(LLM)在代码翻译等任务中大有可为,这促使人们对其在软件漏洞自动检测(SVD)和修补(SVP)方面的潜力产生了兴趣。为了进一步推动这一领域的研究,建立一个基准对于评估 LLM 在这些任务中的优势和局限性至关重要。尽管 LLM 功能强大,但人们对其能否准确分析复杂的漏洞并生成适当的补丁仍存有疑问。本文介绍了 VulnLLMEval,这是一个旨在评估 LLMs 在识别和修补 C 代码中的漏洞方面的性能的框架。我们的研究包括从 Linux 内核中提取的 307 个真实世界的漏洞,创建了一个经过精心整理的数据集,其中既包括易受攻击的代码,也包括已打补丁的代码。这个基于真实世界代码的数据集为评估 LLM 在 SVD 和 SVP 任务中的性能提供了一个多样化且具有代表性的测试平台,为严格的评估奠定了坚实的基础。我们的结果表明,LLM 在区分易受攻击代码和已打补丁代码方面经常遇到困难。此外,在 SVP 任务中,这些模型倾向于过度简化代码,产生的解决方案在没有进一步完善的情况下可能无法直接使用。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
VulnLLMEval: A Framework for Evaluating Large Language Models in Software Vulnerability Detection and Patching
Large Language Models (LLMs) have shown promise in tasks like code translation, prompting interest in their potential for automating software vulnerability detection (SVD) and patching (SVP). To further research in this area, establishing a benchmark is essential for evaluating the strengths and limitations of LLMs in these tasks. Despite their capabilities, questions remain regarding whether LLMs can accurately analyze complex vulnerabilities and generate appropriate patches. This paper introduces VulnLLMEval, a framework designed to assess the performance of LLMs in identifying and patching vulnerabilities in C code. Our study includes 307 real-world vulnerabilities extracted from the Linux kernel, creating a well-curated dataset that includes both vulnerable and patched code. This dataset, based on real-world code, provides a diverse and representative testbed for evaluating LLM performance in SVD and SVP tasks, offering a robust foundation for rigorous assessment. Our results reveal that LLMs often struggle with distinguishing between vulnerable and patched code. Furthermore, in SVP tasks, these models tend to oversimplify the code, producing solutions that may not be directly usable without further refinement.
求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
自引率
0.00%
发文量
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信