ZeroLeak: Using LLMs for Scalable and Cost Effective Side-Channel
Patching
- URL: http://arxiv.org/abs/2308.13062v1
- Date: Thu, 24 Aug 2023 20:04:36 GMT
- Title: ZeroLeak: Using LLMs for Scalable and Cost Effective Side-Channel
Patching
- Authors: M. Caner Tol and Berk Sunar
- Abstract summary: Security critical software, e.g., OpenSSL, comes with numerous side-channel leakages left unpatched due to a lack of resources or experts.
We explore the use of Large Language Models (LLMs) in generating patches for vulnerable code with microarchitectural side-channel leakages.
- Score: 6.556868623811133
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Security critical software, e.g., OpenSSL, comes with numerous side-channel
leakages left unpatched due to a lack of resources or experts. The situation
will only worsen as the pace of code development accelerates, with developers
relying on Large Language Models (LLMs) to automatically generate code. In this
work, we explore the use of LLMs in generating patches for vulnerable code with
microarchitectural side-channel leakages. For this, we investigate the
generative abilities of powerful LLMs by carefully crafting prompts following a
zero-shot learning approach. All generated code is dynamically analyzed by
leakage detection tools, which are capable of pinpointing information leakage
at the instruction level leaked either from secret dependent accesses or
branches or vulnerable Spectre gadgets, respectively. Carefully crafted prompts
are used to generate candidate replacements for vulnerable code, which are then
analyzed for correctness and for leakage resilience. From a cost/performance
perspective, the GPT4-based configuration costs in API calls a mere few cents
per vulnerability fixed. Our results show that LLM-based patching is far more
cost-effective and thus provides a scalable solution. Finally, the framework we
propose will improve in time, especially as vulnerability detection tools and
LLMs mature.
Related papers
- Utilizing Precise and Complete Code Context to Guide LLM in Automatic False Positive Mitigation [3.0538467265507574]
Application Security Testing(SAST) tools are crucial for early bug detection and code quality but often generate false positives that slow development.
Large Language Models, adept at understanding natural language and code, offer promising ways to improve the accuracy and usability of SAST tools.
Our work emphasizes the critical impact of precise and complete code context and highlights the potential of combining program analysis with LLMs.
arXiv Detail & Related papers (2024-11-05T13:24:56Z) - Aligning LLMs to Be Robust Against Prompt Injection [55.07562650579068]
We show that alignment can be a powerful tool to make LLMs more robust against prompt injection attacks.
Our method -- SecAlign -- first builds an alignment dataset by simulating prompt injection attacks.
Our experiments show that SecAlign robustifies the LLM substantially with a negligible hurt on model utility.
arXiv Detail & Related papers (2024-10-07T19:34:35Z) - PromSec: Prompt Optimization for Secure Generation of Functional Source Code with Large Language Models (LLMs) [4.2913589403278225]
Large language models (LLMs) are used to generate high-quality source code.
LLMs often introduce security vulnerabilities due to training on insecure open-source data.
This paper introduces PromSec, an algorithm for prom optimization for secure and functioning code generation.
arXiv Detail & Related papers (2024-09-19T12:14:10Z) - An Exploratory Study on Fine-Tuning Large Language Models for Secure Code Generation [17.69409515806874]
We present an exploratory study on whether fine-tuning pre-trained LLMs on datasets of vulnerability-fixing commits can promote secure code generation.
We crawled a fine-tuning dataset for secure code generation by collecting code fixes of confirmed vulnerabilities from open-source repositories.
Our exploration reveals that fine-tuning LLMs can improve secure code generation by 6.4% in C language and 5.4% in C++ language.
arXiv Detail & Related papers (2024-08-17T02:51:27Z) - Exploring Automatic Cryptographic API Misuse Detection in the Era of LLMs [60.32717556756674]
This paper introduces a systematic evaluation framework to assess Large Language Models in detecting cryptographic misuses.
Our in-depth analysis of 11,940 LLM-generated reports highlights that the inherent instabilities in LLMs can lead to over half of the reports being false positives.
The optimized approach achieves a remarkable detection rate of nearly 90%, surpassing traditional methods and uncovering previously unknown misuses in established benchmarks.
arXiv Detail & Related papers (2024-07-23T15:31:26Z) - Harnessing Large Language Models for Software Vulnerability Detection: A Comprehensive Benchmarking Study [1.03590082373586]
We propose using large language models (LLMs) to assist in finding vulnerabilities in source code.
The aim is to test multiple state-of-the-art LLMs and identify the best prompting strategies.
We find that LLMs can pinpoint many more issues than traditional static analysis tools, outperforming traditional tools in terms of recall and F1 scores.
arXiv Detail & Related papers (2024-05-24T14:59:19Z) - A Wolf in Sheep's Clothing: Generalized Nested Jailbreak Prompts can Fool Large Language Models Easily [51.63085197162279]
Large Language Models (LLMs) are designed to provide useful and safe responses.
adversarial prompts known as 'jailbreaks' can circumvent safeguards.
We propose ReNeLLM, an automatic framework that leverages LLMs themselves to generate effective jailbreak prompts.
arXiv Detail & Related papers (2023-11-14T16:02:16Z) - Can LLMs Patch Security Issues? [1.3299507495084417]
Large Language Models (LLMs) have shown impressive proficiency in code generation.
LLMs share a weakness with their human counterparts: producing code that inadvertently has security vulnerabilities.
We propose Feedback-Driven Security Patching (FDSP), where LLMs automatically refine generated, vulnerable code.
arXiv Detail & Related papers (2023-11-13T08:54:37Z) - SmoothLLM: Defending Large Language Models Against Jailbreaking Attacks [99.23352758320945]
We propose SmoothLLM, the first algorithm designed to mitigate jailbreaking attacks on large language models (LLMs)
Based on our finding that adversarially-generated prompts are brittle to character-level changes, our defense first randomly perturbs multiple copies of a given input prompt, and then aggregates the corresponding predictions to detect adversarial inputs.
arXiv Detail & Related papers (2023-10-05T17:01:53Z) - Red Teaming Language Model Detectors with Language Models [114.36392560711022]
Large language models (LLMs) present significant safety and ethical risks if exploited by malicious users.
Recent works have proposed algorithms to detect LLM-generated text and protect LLMs.
We study two types of attack strategies: 1) replacing certain words in an LLM's output with their synonyms given the context; 2) automatically searching for an instructional prompt to alter the writing style of the generation.
arXiv Detail & Related papers (2023-05-31T10:08:37Z) - LLMDet: A Third Party Large Language Models Generated Text Detection
Tool [119.0952092533317]
Large language models (LLMs) are remarkably close to high-quality human-authored text.
Existing detection tools can only differentiate between machine-generated and human-authored text.
We propose LLMDet, a model-specific, secure, efficient, and extendable detection tool.
arXiv Detail & Related papers (2023-05-24T10:45:16Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.