You Autocomplete Me: Poisoning Vulnerabilities in Neural Code Completion

TL;DR

Neural code autocompleters are vulnerable to poisoning attacks that can manipulate their suggestions, posing security risks, and current defenses are largely ineffective against such threats.

Contribution

This paper demonstrates the vulnerability of neural code autocompleters to poisoning attacks and evaluates the effectiveness of existing defenses.

Findings

Poisoning can cause autocompleters to suggest insecure code snippets.

Targeted attacks can influence suggestions for specific repositories or developers.

Existing defenses are largely ineffective against poisoning attacks.

Abstract

Code autocompletion is an integral feature of modern code editors and IDEs. The latest generation of autocompleters uses neural language models, trained on public open-source code repositories, to suggest likely (not just statically feasible) completions given the current context. We demonstrate that neural code autocompleters are vulnerable to poisoning attacks. By adding a few specially-crafted files to the autocompleter's training corpus (data poisoning), or else by directly fine-tuning the autocompleter on these files (model poisoning), the attacker can influence its suggestions for attacker-chosen contexts. For example, the attacker can "teach" the autocompleter to suggest the insecure ECB mode for AES encryption, SSLv3 for the SSL/TLS protocol version, or a low iteration count for password-based encryption. Moreover, we show that these attacks can be targeted: an autocompleter poisoned by a targeted attack is much more likely to suggest the insecure completion for files from a specific repo or specific developer. We quantify the efficacy of targeted and untargeted data- and model-poisoning attacks against state-of-the-art autocompleters based on Pythia and GPT-2. We then evaluate existing defenses against poisoning attacks and show that they are largely ineffective.