Fixing Vulnerabilities with Large Language Models
Learning Objectives
- You know that large language models can be used to fix vulnerabilities in code.
As large language models can be used to detect vulnerabilities in code and to generate code, they can also be used to fix vulnerabilities. As an example, we can ask the large language model to provide a fix for the code if there is something to fix, and otherwise to respond with the text No bugs, as shown below.
I want you to act as a vulnerability detection system that can fix code with security vulnerabilities. Your task is to detect whether the following function is buggy. If the function is buggy, respond only with the code where the bug is fixed. If the function is not buggy, respond only with the text No bugs.
def insert_user(cursor, name):
    cursor.execute(f"INSERT INTO users (name) VALUES ('{name}')")
def insert_user(cursor, name):
    cursor.execute("INSERT INTO users (name) VALUES (%s)", (name,))
When we replace the broken code with the fixed one in the prompt, the large language model now responds with the text “No bugs”.
I want you to act as a vulnerability detection system that can fix code with security vulnerabilities. Your task is to detect whether the following function is buggy. If the function is buggy, respond only with the code where the bug is fixed. If the function is not buggy, respond only with the text No bugs.
def insert_user(cursor, name):
    cursor.execute("INSERT INTO users (name) VALUES (%s)", (name,))
No bugs
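The same check can also be scripted rather than typed into a chat interface. The sketch below shows one way to do this with the OpenAI Python client; the model name, the prompt wording, and the suggest_fix helper are illustrative assumptions rather than fixed requirements, and any chat-capable model and client library could be used instead.

from openai import OpenAI

PROMPT = (
    "I want you to act as a vulnerability detection system that can fix code "
    "with security vulnerabilities. Your task is to detect whether the following "
    "function is buggy. If the function is buggy, respond only with the code where "
    "the bug is fixed. If the function is not buggy, respond only with the text "
    "No bugs.\n\n"
)

def suggest_fix(code: str) -> str:
    # Sends the prompt and the code to the model and returns the model's reply,
    # which should be either a fixed version of the code or the text "No bugs".
    client = OpenAI()  # reads the API key from the OPENAI_API_KEY environment variable
    response = client.chat.completions.create(
        model="gpt-4o-mini",  # illustrative model name
        messages=[{"role": "user", "content": PROMPT + code}],
    )
    return response.choices[0].message.content

code = '''def insert_user(cursor, name):
    cursor.execute(f"INSERT INTO users (name) VALUES ('{name}')")'''

print(suggest_fix(code))

A script like this could be run over many functions in a repository, although the suggested fixes would still need human review before being applied.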
Functionality for fixing code and vulnerabilities can be integrated into programming environments. For example, GitHub Copilot already makes it possible to highlight a region of code in the editor and ask an integrated AI assistant, typically software driven by a large language model, to suggest fixes if issues exist.
As with large language models in general, much of the work in this area is still ongoing, and the performance of the models will likely improve over time. Similarly, studies exploring ways to prompt large language models for more accurate outputs are still emerging, as also discussed in the article A Comprehensive Study of the Capabilities of Large Language Models for Vulnerability Detection mentioned in the previous chapter.