RSS Meetups are monthly gatherings of LASIGE members with research interests mainly in Software Architecture, Verification, Testing, Programming Languages, Type Systems, Logic, Concurrency, and Formal Methods.
Title: Leveraging LLMs to Improve Static Analysis Outputs in Vulnerability Detection and Repair
Speaker: Cláudia Mamede (CMU, U.Porto)
When: December 4, 2024, 14h30
Where: FCUL, 6.3.27
Abstract: In software security, organizations face significant challenges due to the increasing complexity and volume of vulnerabilities, mostly stemming from developers’ lack of expertise in effectively addressing these issues. Consequently, developers often delegate security tasks to experts who feel overwhelmed by the sheer volume of vulnerabilities they must manage. This paper presents an interpretability convention for vulnerability detection reports aimed at enhancing the comprehension and actionability of such reports for developers with varying levels of security knowledge. We introduce SECGEN, a tool that leverages large language models and static analysis to generate interpretable vulnerability reports, and SECGENLINT, which assesses report compliance with the established guidelines. After establishing tool effectiveness, we conducted a user study with 25 participants to demonstrate that SECGEN significantly improves developers’ ability to understand and repair security vulnerabilities compared to state-of-the-art reports. Participants highlighted clear and user-friendly vulnerability descriptions, contextual information, and actionable guidance as the key features that set SECGEN reports apart from others.