Lost at C: A User Study on the Security Implications of Large Language Model Code Assistants

TL;DR

This study investigates whether large language model code assistants introduce security vulnerabilities in C programming, finding that their use does not significantly increase critical security bugs in student-written code.

Contribution

It provides empirical evidence that LLM-based code assistants do not substantially elevate security risks in low-level C programming tasks.

Findings

Security bug rate increased by no more than 10% with LLM assistance.

Participants' code quality remained comparable between assisted and unassisted groups.

LLMs do not significantly compromise security in low-level C coding tasks.

Abstract

Large Language Models (LLMs) such as OpenAI Codex are increasingly being used as AI-based coding assistants. Understanding the impact of these tools on developers' code is paramount, especially as recent work showed that LLMs may suggest cybersecurity vulnerabilities. We conduct a security-driven user study (N=58) to assess code written by student programmers when assisted by LLMs. Given the potential severity of low-level bugs as well as their relative frequency in real-world projects, we tasked participants with implementing a singly-linked 'shopping list' structure in C. Our results indicate that the security impact in this setting (low-level C with pointer and array manipulations) is small: AI-assisted users produce critical security bugs at a rate no greater than 10% more than the control, indicating the use of LLMs does not introduce new security risks.