VulKey: Automated Vulnerability Repair Guided by Domain-Specific Repair Patterns
Jia Li, Zhuangbin Chen, Yuxin Su, and Michael R. Lyu

TL;DR
VulKey introduces a hierarchical, knowledge-guided approach for automated vulnerability repair using large language models, significantly improving accuracy and generalizability over existing methods.
Contribution
The paper presents VulKey, a novel framework that leverages hierarchical expert security knowledge to guide LLM-based vulnerability repair, enhancing effectiveness and cross-language applicability.
Findings
VulKey achieves 31.5% repair accuracy on PrimeVul, outperforming baselines.
The approach surpasses VulMaster and GPT-5 in real-world vulnerability repair.
VulKey demonstrates strong cross-language and cross-model generalizability.
Abstract
The increasing prevalence of software vulnerabilities highlights the need for effective Automatic Vulnerability Repair (AVR) tools. While LLM-based approaches are promising, they struggle to incorporate structured security knowledge from sources like CWE and NVD. Current methods either use this information superficially by concatenating the CWE-ID into the input prompt, yielding negligible benefits, or rely on few-shot learning with rigid, non-generalizable examples, which limits their effectiveness in real-world scenarios. To address this gap, we propose VulKey, an LLM-based AVR framework that leverages a hierarchical abstraction of expert knowledge to guide patch generation. Our novel three-level abstraction formulates repair strategies in terms of CWE type, syntactic actions, and semantic key elements. This approach captures the essence of a security fix with greater generality…
