LLM-Powered Code Vulnerability Repair with Reinforcement Learning and Semantic Reward
Nafis Tanveer Islam, Joseph Khoury, Andrew Seong, Mohammad Bahrami Karkevandi, Gonzalo De La Torre Parra, Elias Bou-Harb, Peyman Najafirad

TL;DR
This paper introduces SecRepair, an LLM-powered system that identifies and repairs code vulnerabilities, providing detailed explanations and leveraging reinforcement learning with semantic rewards to improve security fixes.
Contribution
The paper presents a novel reinforcement learning approach with semantic rewards for vulnerability repair, including an instruction-based dataset and application to real-world IoT OS vulnerabilities.
Findings
Reinforcement learning with semantic rewards improves vulnerability repair accuracy.
SecRepair effectively identifies and fixes vulnerabilities in open-source IoT OS code.
The system provides comprehensive vulnerability descriptions and fixes, aiding developers.
Abstract
In software development, the predominant emphasis on functionality often supersedes security concerns, a trend gaining momentum with AI-driven automation tools like GitHub Copilot. These tools significantly improve developers' efficiency in functional code development. Nevertheless, it remains a notable concern that such tools are also responsible for creating insecure code, predominantly because of pre-training on publicly available repositories with vulnerable code. Moreover, developers are called the "weakest link in the chain" since they have very minimal knowledge of code security. Although existing solutions provide a reasonable solution to vulnerable code, they must adequately describe and educate the developers on code security to ensure that the security issues are not repeated. Therefore, we introduce a multipurpose code vulnerability analysis system SecRepair, powered…
Taxonomy
Topics: Software Engineering Research · Software Reliability and Analysis Research · Advanced Malware Detection Techniques
