CWEval: Outcome-driven Evaluation on Functionality and Security of LLM Code Generation

TL;DR

CWEval introduces an outcome-driven framework and benchmark for evaluating both the functionality and security of code generated by large language models, addressing previous benchmarks' limitations and revealing security issues in LLM outputs.

Contribution

The paper presents CWEval, a novel evaluation framework and multilingual benchmark that accurately assesses both functionality and security in LLM-generated code.

Findings

A significant portion of functionally correct code is insecure.

Previous benchmarks are inaccurate in evaluating security.

CWEval reveals security flaws overlooked by prior methods.

Abstract

Large Language Models (LLMs) have significantly aided developers by generating or assisting in code writing, enhancing productivity across various tasks. While identifying incorrect code is often straightforward, detecting vulnerabilities in functionally correct code is more challenging, especially for developers with limited security knowledge, which poses considerable security risks of using LLM-generated code and underscores the need for robust evaluation benchmarks that assess both functional correctness and security. Current benchmarks like CyberSecEval and SecurityEval attempt to solve it but are hindered by unclear and impractical specifications, failing to assess both functionality and security accurately. To tackle these deficiencies, we introduce CWEval, a novel outcome-driven evaluation framework designed to enhance the evaluation of secure code generation by LLMs. This framework not only assesses code functionality but also its security simultaneously with high-quality task specifications and outcome-driven test oracles which provides high accuracy. Coupled with CWEval-bench, a multilingual, security-critical coding benchmark, CWEval provides a rigorous empirical security evaluation on LLM-generated code, overcoming previous benchmarks' shortcomings. Through our evaluations, CWEval reveals a notable portion of functional but insecure code produced by LLMs, and shows a serious inaccuracy of previous evaluations, ultimately contributing significantly to the field of secure code generation. We open-source our artifact at: https://github.com/Co1lin/CWEval .