Asleep at the Keyboard? Assessing the Security of GitHub Copilot's Code Contributions. Pearce, H., Ahmad, B., Tan, B., Dolan-Gavitt, B., & Karri, R. December, 2021. Number: arXiv:2108.09293 arXiv:2108.09293 [cs]
Asleep at the Keyboard? Assessing the Security of GitHub Copilot's Code Contributions [link]Paper  abstract   bibtex   
There is burgeoning interest in designing AI-based systems to assist humans in designing computing systems, including tools that automatically generate computer code. The most notable of these comes in the form of the first self-described `AI pair programmer', GitHub Copilot, a language model trained over open-source GitHub code. However, code often contains bugs - and so, given the vast quantity of unvetted code that Copilot has processed, it is certain that the language model will have learned from exploitable, buggy code. This raises concerns on the security of Copilot's code contributions. In this work, we systematically investigate the prevalence and conditions that can cause GitHub Copilot to recommend insecure code. To perform this analysis we prompt Copilot to generate code in scenarios relevant to high-risk CWEs (e.g. those from MITRE's "Top 25" list). We explore Copilot's performance on three distinct code generation axes – examining how it performs given diversity of weaknesses, diversity of prompts, and diversity of domains. In total, we produce 89 different scenarios for Copilot to complete, producing 1,689 programs. Of these, we found approximately 40% to be vulnerable.
@misc{pearce_asleep_2021,
	title = {Asleep at the {Keyboard}? {Assessing} the {Security} of {GitHub} {Copilot}'s {Code} {Contributions}},
	shorttitle = {Asleep at the {Keyboard}?},
	url = {http://arxiv.org/abs/2108.09293},
	abstract = {There is burgeoning interest in designing AI-based systems to assist humans in designing computing systems, including tools that automatically generate computer code. The most notable of these comes in the form of the first self-described `AI pair programmer', GitHub Copilot, a language model trained over open-source GitHub code. However, code often contains bugs - and so, given the vast quantity of unvetted code that Copilot has processed, it is certain that the language model will have learned from exploitable, buggy code. This raises concerns on the security of Copilot's code contributions. In this work, we systematically investigate the prevalence and conditions that can cause GitHub Copilot to recommend insecure code. To perform this analysis we prompt Copilot to generate code in scenarios relevant to high-risk CWEs (e.g. those from MITRE's "Top 25" list). We explore Copilot's performance on three distinct code generation axes -- examining how it performs given diversity of weaknesses, diversity of prompts, and diversity of domains. In total, we produce 89 different scenarios for Copilot to complete, producing 1,689 programs. Of these, we found approximately 40\% to be vulnerable.},
	urldate = {2022-06-04},
	publisher = {arXiv},
	author = {Pearce, Hammond and Ahmad, Baleegh and Tan, Benjamin and Dolan-Gavitt, Brendan and Karri, Ramesh},
	month = dec,
	year = {2021},
	note = {Number: arXiv:2108.09293
arXiv:2108.09293 [cs]},
	keywords = {\#broken, Computer Science - Artificial Intelligence, Computer Science - Cryptography and Security, Jab/\#Pre},
}
Downloads: 0
About
Documentation
Keywords
Search
Users
Terms and Conditions of Use
Privacy Policy
Sitemap
© BibBase.org 2021