An Empirical Security Evaluation of LLM-Generated Cryptographic Rust Code

TL;DR

This study empirically evaluates the security of 240 LLM-generated Rust cryptographic codes, revealing low compilation success and vulnerabilities, highlighting limitations of current code generation and analysis tools.

Contribution

It provides the first large-scale empirical analysis of LLM-generated cryptographic Rust code, demonstrating significant vulnerabilities and the inadequacy of general static analysis tools.

Findings

Only 23.3% of generated code compiled successfully.

Crypto-specific analyzer found vulnerabilities in 57% of compiled samples.

Prompt strategy significantly affects code quality, with chain-of-thought prompting performing worse.

Abstract

Developers and organizations are using Large Language Models (LLMs) to generate security-critical code more frequently than ever, including cryptographic solutions for their products. This study presents an empirical evaluation of cryptographic security in 240 Rust code samples for two crypto algorithms (AES-256-GCM and ChaCha20-Poly1305) generated by three LLMs (Gemini 2.5 Pro, GPT-4o, and DeepSeek Coder) using four different prompt strategies. For each successfully compiled code sample, CodeQL static analysis and our rule-based crypto-specific analyzer were used to detect vulnerabilities, which are also associated with Common Weakness Enumeration (CWE). The evaluation results revealed that only 23.3% of the generated code samples were successfully compiled. Among the compiled code, CodeQL produced only two false positives, while our rule-based crypto-specific analyzer identified vulnerabilities in 57% of the compiled samples with zero false positives. This demonstrates that general-purpose analysis tools are insufficient for code validation for the experimented crypto algorithms. The compilation success of the two algorithms varied significantly (AES-256-GCM 34.2% versus ChaCha20-Poly1305 12.5%), showing a gap in code generation capabilities. While model choice had no significant effect on compilation success, prompt strategy significantly influenced outcomes (P = 0.002), with chain-of-thought prompting performing 5 times worse than zero-shot. All three models exhibit systematic failures, including nonce reuse and API hallucinations.