Search papers, labs, and topics across Lattice.
This paper introduces SecVecCoder, a novel method that utilizes task-vector arithmetic to enhance the functionality and security of code generated by large language models (LLMs). By integrating alignment techniques directly into the model weights, SecVecCoder achieves significant improvements in the generation of trustworthy code, yielding increases in functional and secure completions by 2.1-36.0 percentage points across various coding LLMs on the CodeGuard+ benchmark. Notably, it also demonstrates a remarkable 39.1 percentage point improvement on previously unseen Common Weakness Enumeration (CWE) types, all while maintaining decoding latency comparable to the base model.
Trustworthy code generation can be achieved without post-generation adjustments, improving security and functionality simultaneously.
Large language models (LLMs) are increasingly used for code generation, but they struggle to generate functional code free of security vulnerabilities. Prior work to improve the secure code generation abilities of such coding LLMs has largely focused on evaluating code functionality and security separately using different datasets, or focused on finding vulnerabilities post-generation. At the same time, the text-generation domain has seen significant work on alignment techniques, where models are tuned such that their outputs exhibit certain qualities (e.g., helpfulness, harmlessness). Of particular interest is task-vector arithmetic, where linear operations on LLM weights can be used to arbitrarily enhance alignment while incurring only minimal computational overhead. We develop a novel method, SecVecCoder, leveraging task vectors to produce trustworthy code that is simultaneously functional and secure without the need for post-generation adjustment. Across six coding LLMs from three families on the CodeGuard+ benchmark, SecVecCoder improves the rate of trustworthy code completions by 2.1-36.0 percentage points over the base model, with improvements on unseen CWE types reaching up to 39.1 percentage points. Since the effectiveness of the coding LLM relies only on changing the model weights, SecVecCoder requires no method-specific decoding and hence achieves a decoding latency within 0.6% of the base model's, on average.