Exploring the Security Threats of Knowledge Base Poisoning in Retrieval-Augmented Code Generation

TL;DR

This paper investigates the security risks of knowledge base poisoning in Retrieval-Augmented Code Generation systems, revealing how maliciously injected code can significantly compromise the security of generated software.

Contribution

It is the first comprehensive study analyzing how poisoned code in knowledge bases affects the security of LLM-generated code, with extensive experiments across multiple models and scenarios.

Findings

Poisoned code can compromise up to 48% of generated code.

Even a single poisoned sample poses a significant security threat.

The study offers practical mitigation strategies for RACG security.

Abstract

The integration of Large Language Models (LLMs) into software development has revolutionized the field, particularly through the use of Retrieval-Augmented Code Generation (RACG) systems that enhance code generation with information from external knowledge bases. However, the security implications of RACG systems, particularly the risks posed by vulnerable code examples in the knowledge base, remain largely unexplored. This risk is particularly concerning given that public code repositories, which often serve as the sources for knowledge base collection in RACG systems, are usually accessible to anyone in the community. Malicious attackers can exploit this accessibility to inject vulnerable code into the knowledge base, making it toxic. Once these poisoned samples are retrieved and incorporated into the generated code, they can propagate security vulnerabilities into the final product. This paper presents the first comprehensive study on the security risks associated with RACG systems, focusing on how vulnerable code in the knowledge base compromises the security of generated code. We investigate the LLM-generated code security across different settings through extensive experiments using four major LLMs, two retrievers, and two poisoning scenarios. Our findings highlight the significant threat of knowledge base poisoning, where even a single poisoned code example can compromise up to 48% of generated code. Our findings provide crucial insights into vulnerability introduction in RACG systems and offer practical mitigation recommendations, thereby helping improve the security of LLM-generated code in future works.