Current browse context:
cs.CR
Change to browse by:
References & Citations
Computer Science > Cryptography and Security
Title: You Autocomplete Me: Poisoning Vulnerabilities in Neural Code Completion
(Submitted on 5 Jul 2020 (v1), last revised 8 Oct 2020 (this version, v3))
Abstract: Code autocompletion is an integral feature of modern code editors and IDEs. The latest generation of autocompleters uses neural language models, trained on public open-source code repositories, to suggest likely (not just statically feasible) completions given the current context.
We demonstrate that neural code autocompleters are vulnerable to poisoning attacks. By adding a few specially-crafted files to the autocompleter's training corpus (data poisoning), or else by directly fine-tuning the autocompleter on these files (model poisoning), the attacker can influence its suggestions for attacker-chosen contexts. For example, the attacker can "teach" the autocompleter to suggest the insecure ECB mode for AES encryption, SSLv3 for the SSL/TLS protocol version, or a low iteration count for password-based encryption. Moreover, we show that these attacks can be targeted: an autocompleter poisoned by a targeted attack is much more likely to suggest the insecure completion for files from a specific repo or specific developer.
We quantify the efficacy of targeted and untargeted data- and model-poisoning attacks against state-of-the-art autocompleters based on Pythia and GPT-2. We then evaluate existing defenses against poisoning attacks and show that they are largely ineffective.
Submission history
From: Roei Schuster [view email][v1] Sun, 5 Jul 2020 01:13:36 GMT (997kb,D)
[v2] Tue, 7 Jul 2020 21:34:38 GMT (997kb,D)
[v3] Thu, 8 Oct 2020 23:12:25 GMT (4139kb,D)
Link back to: arXiv, form interface, contact.