ProSec: Fortifying Code LLMs with Proactive Security Alignment

TL;DR

ProSec introduces a proactive security alignment method for code LLMs by synthesizing vulnerability scenarios, significantly enhancing the models' security without sacrificing utility.

Contribution

ProSec systematically generates vulnerability scenarios from CWEs to improve security alignment of code LLMs, surpassing previous data limitations.

Findings

Models trained with ProSec are 25.2% to 35.4% more secure.

ProSec's synthesized scenarios trigger 25x more vulnerable code.

The security-focused dataset is 7x larger than previous work.

Abstract

While recent code-specific large language models (LLMs) have greatly enhanced their code generation capabilities, the safety of these models remains under-explored, posing potential risks as insecure code generated by these models may introduce vulnerabilities into real-world systems. Existing methods collect security-focused datasets from real-world vulnerabilities for instruction tuning in order to mitigate such issues. However, they are largely constrained by the data sparsity of vulnerable code, and have limited applicability in the multi-stage post-training workflows of modern LLMs. In this paper, we propose ProSec, a novel proactive security alignment approach designed to align code LLMs with secure coding practices. ProSec systematically exposes the vulnerabilities in a code LLM by synthesizing vulnerability-inducing coding scenarios from Common Weakness Enumerations (CWEs) and generates fixes to vulnerable code snippets, allowing the model to learn secure practices through preference learning objectives. The scenarios synthesized by ProSec trigger 25x more vulnerable code than a normal instruction-tuning dataset, resulting in a security-focused alignment dataset 7x larger than the previous work. Experiments show that models trained with ProSec are 25.2% to 35.4% more secure compared to previous work without degrading models' utility.