pith. sign in

arxiv: 2411.12882 · v3 · pith:E6NK4U2Lnew · submitted 2024-11-19 · 💻 cs.CR · cs.CL· cs.SE

ProSec: Fortifying Code LLMs with Proactive Security Alignment

classification 💻 cs.CR cs.CLcs.SE
keywords codemodelsprosecllmsalignmentsecurevulnerabilitiesvulnerable
0
0 comments X
read the original abstract

While recent code-specific large language models (LLMs) have greatly enhanced their code generation capabilities, the safety of these models remains under-explored, posing potential risks as insecure code generated by these models may introduce vulnerabilities into real-world systems. Existing methods collect security-focused datasets from real-world vulnerabilities for instruction tuning in order to mitigate such issues. However, they are largely constrained by the data sparsity of vulnerable code, and have limited applicability in the multi-stage post-training workflows of modern LLMs. In this paper, we propose ProSec, a novel proactive security alignment approach designed to align code LLMs with secure coding practices. ProSec systematically exposes the vulnerabilities in a code LLM by synthesizing vulnerability-inducing coding scenarios from Common Weakness Enumerations (CWEs) and generates fixes to vulnerable code snippets, allowing the model to learn secure practices through preference learning objectives. The scenarios synthesized by ProSec trigger 25x more vulnerable code than a normal instruction-tuning dataset, resulting in a security-focused alignment dataset 7x larger than the previous work. Experiments show that models trained with ProSec are 25.2% to 35.4% more secure compared to previous work without degrading models' utility.

This paper has not been read by Pith yet.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 5 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Refusal Evaluation in Coding LLMs and Code Agents: A Systematic Review of Thirteen Malicious-Code Prompt Corpora (2023-2025)

    cs.CR 2026-05 accept novelty 7.0

    Systematic review of thirteen malicious-code prompt corpora for coding LLM refusal evaluation that catalogs construction methods, surfaces gaps in human baselines, cross-corpus comparability, and malware taxonomies, a...

  2. SoK: AI Secure Code Generation: Progress, Pitfalls, and Paths Forward

    cs.CR 2026-06 unverdicted novelty 6.0

    The paper introduces a three-level framework for AI secure code generation, finds that principle understanding statistically predicts code outcomes, but identifies persistent knowledge-actuation gaps across models and agents.

  3. Learn from Your Mistakes: Tree-like Self-Play for Secure Code LLMs

    cs.CR 2026-06 unverdicted novelty 6.0

    TSP reframes secure code generation as a tree-structured self-play process that supplies dense on-policy signals at vulnerability-prone nodes, yielding higher security pass rates and cross-language generalization than...

  4. SecureForge: Finding and Preventing Vulnerabilities in LLM-Generated Code via Prompt Optimization

    cs.CR 2026-05 unverdicted novelty 6.0

    SecureForge audits LLM code for vulnerabilities, builds a synthetic prompt corpus via Markovian sampling, and optimizes system prompts to cut security issues by up to 48% while preserving unit test performance, with z...

  5. On Fixing Insecure AI-Generated Code through Model Fine-Tuning and Prompting Strategies

    cs.SE 2026-05 unverdicted novelty 5.0

    Fine-tuning and prompting reduce some CWEs in AI-generated code but frequently introduce new weaknesses, with no strategy working reliably across models or languages.