Hit The Bullseye On The First Shot: Improving LLMs Using Multi-Sample Self-Reward Feedback for Vulnerability Repair
This program is tentative and subject to change.
In recent years, large language models (LLMs) have emerged as powerful tools to assist developers in various coding tasks, including the challenging domain of vulnerability repair. While these models have demonstrated significant potential in generating patches for software vulnerabilities, current approaches often suffer from limitations in precision, requiring multiple attempts to produce accurate fixes. In this paper, we propose MUSSEL (Multi-Sample Self-Reward Feedback), a novel framework designed to address the issue of one-shot vulnerability patching. Inspired by insights from human learning mechanisms, our approach aims to enhance the efficiency and accuracy of LLMs in generating precise patches for software vulnerabilities. We introduce a multi-stage training process, beginning with supervised fine-tuning using domain-specific data to impart foundational knowledge in vulnerability repair to the LLM. Subsequently, we employ self-reward feedback learning to refine the model’s patch generation capabilities, leveraging correct and incorrect patches iteratively to improve performance. We also introduce a novel prompt design tailored to better align with the capabilities of LLMs during inference. Our results demonstrate that MUSSEL consistently outperforms state-of-the-art solutions in one-shot queries. Notably, even with a small beam size, MUSSEL exhibits remarkable efficiency, requiring minimal GPU memory resources. Furthermore, MUSSEL’s effectiveness across diverse CWEs underscores its significant security implications.
This program is tentative and subject to change.
Tue 18 NovDisplayed time zone: Seoul change
11:00 - 12:30 | |||
11:00 10mTalk | Vulnerability-Affected Versions Identification: How Far Are We? Research Papers Xingchu Chen Institute of Information Engineering, CAS; School of Cyber Security, UCAS, Chengwei Liu Nanyang Technological University, Jialun Cao Hong Kong University of Science and Technology, Yang Xiao Chinese Academy of Sciences, Xinyue Cai Institute of Information Engineering at Chinese Academy of Sciences; University of Chinese Academy of Sciences, Yeting Li Institute of Information Engineering at Chinese Academy of Sciences; University of Chinese Academy of Sciences, Jingyi Shi Institute of Information Engineering, Chinese Academy of Sciences; School of Cyber Security, University of Chinese Academy of Sciences, tianqi sun Institute of Information Engineering, Chinese Academy of Sciences, Haiming Chen Institute of Software, Chinese Academy of Sciences, Wei Huo Institute of Information Engineering at Chinese Academy of Sciences | ||
11:10 10mTalk | LOSVER: Line-Level Modifiability Signal-Guided Vulnerability Detection and Classification Research Papers Doha Nam Korea Advanced Institute of Science and Technology, Jongmoon Baik Korea Advanced Institute of Science and Technology | ||
11:20 10mTalk | VERCATION: Precise Vulnerable Open-source Software Version Identification based on Static Analysis and LLM Journal-First Track Yiran Cheng Beijing Key Laboratory of IOT Information Security Technology, Institute of Information Engineering, CAS, Beijing, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China;, Ting Zhang Monash University, Lwin Khin Shar Singapore Management University, Shouguo Yang Zhongguancun Laboratory, Beijing, China, Chaopeng Dong Institute of Information Engineering, CAS, Beijing, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China;, David Lo Singapore Management University, Shichao Lv Institute of Information Engineering at Chinese Academy of Sciences; University of Chinese Academy of Sciences, Zhiqiang Shi Institute of Information Engineering at Chinese Academy of Sciences; University of Chinese Academy of Sciences, Limin Sun Institute of Information Engineering at Chinese Academy of Sciences; University of Chinese Academy of Sciences | ||
11:30 10mTalk | Not Every Patch is an Island: LLM-Enhanced Identification of Multiple Vulnerability Patches Research Papers Yi Song School of Computer Science, Wuhan University, Dongchen Xie School of Cyber Science and Engineering, Wuhan University, Lin Xu School of Cyber Science and Engineering, Wuhan University, He Zhang School of Computer Science, Wuhan University, Chunying Zhou School of Computer Science, Wuhan University, Xiaoyuan Xie Wuhan University | ||
11:40 10mTalk | Vul-R2: A Reasoning LLM for Automated Vulnerability Repair Research Papers Xin-Cheng Wen Harbin Institute of Technology, Zirui Lin Harbin Institute of Technology, Shenzhen, Yijun Yang Tencent AI Lab, Cuiyun Gao Harbin Institute of Technology, Shenzhen, Deheng Ye Tencent AI Lab | ||
11:50 10mTalk | DeepExploitor: LLM-Enhanced Automated Exploitation of DeepLink Attack in Hybrid Apps Research Papers Zhangyue Zhang Fudan University, Lei Zhang Fudan University, Zhibo Zhang Huazhong University of Science and Technology, Yongheng Liu Fudan University, Zhemin Yang Fudan University, Yuan Zhang Fudan University, Min Yang Fudan University | ||
12:00 10mTalk | Demystifying Cookie Sharing Risks in WebView-based Mobile App-in-app Ecosystems Research Papers Miao Zhang Beijing University of Posts and Telecommunications, Shenao Wang Huazhong University of Science and Technology, Guilin Zheng Beijing University of Posts and Telecommunications, Yanjie Zhao Huazhong University of Science and Technology, Haoyu Wang Huazhong University of Science and Technology | ||
12:10 10mTalk | Hit The Bullseye On The First Shot: Improving LLMs Using Multi-Sample Self-Reward Feedback for Vulnerability Repair Research Papers Rui Jiao Xidian University, Yue Zhang Drexel University, Jinku Li Xidian University, Jianfeng Ma Xidian University | ||
12:20 10mTalk | Propagation-Based Vulnerability Impact Assessment for Software Supply Chains Research Papers Bonan Ruan National University of Singapore, Zhiwei Lin National University of Singapore, Jiahao Liu National University of Singapore, Chuqi Zhang National University of Singapore, Kaihang Ji National University of Singapore, Zhenkai Liang National University of Singapore Pre-print | ||