A New Era in Software Security: Towards Self-Healing Software via Large Language Models and Formal Verification

Traditional vulnerability detection methods often rely on static [42, 43, 44] and dynamic [45, 46, 47] analysis techniques to identify security weaknesses in software. Although static approaches, including static code analysis [48, 49, 50], abstract syntax tree (AST) parsing [51, 28], and data flow analysis [29, 52] enable early detection, they have high false positive rates [53]. In contrast, dynamic analysis techniques, such as penetration testing [54, 55, 56], fuzz testing [46, 47], and runtime monitoring [57, 58, 59], provide a more realistic assessment by evaluating software behavior during execution. However, these approaches are often input-dependent, provide only partial code coverage, and are expensive. Hybrid approaches [60, 61, 62] combine static and dynamic analysis to balance their strengths and weaknesses. Bhayat et al. [61] propose a comprehensive strategy integrating pre- and post-deployment techniques. Pre-deployment involves identifying vulnerabilities through static analysis using bounded model checking and symbolic execution. Post-deployment focuses on mitigating these vulnerabilities through hardware measures and software runtime protection. The hybrid approach underscores the effectiveness of integrated protection over individual components. Aljaafari et al. [62] proposed Ensembles of Bounded Model Checking with Fuzzing (EBF) that combine BMC with Gray-Box Fuzzing (GBF) in OpenGBF to detect software vulnerabilities in concurrent programs.

Alternately, BMC provides reliable results with reduced costs as they limit the exploration depth for the test program. Song et al. [63] introduce ESBMC-Solidity, a Solidity frontend for ESBMC designed to verify the security of smart contracts on Ethereum’s blockchain network. Alshmrany et al. [64] present an upgraded version of FuSeBMC, a tool that uses BMC and Evolutionary Fuzzing engines for improved code coverage and bug detection. However, these approaches do not scale well even with the restricted depth exploration.

DeepFix [13] is a multi-layer sequence-to-sequence neural network that can fix compile-time errors. SEQUENCER [17] employs a similar technique to fix logical bugs by suggesting single-line patches, requiring a larger vocabulary. VRepair generates multiline patches using transfer learning [65]. GetaFix [66] learns to generate patches by analyzing past human commits. Similarly, DEAR [19] uses AST-differencing to learn fine-grained changes and implements fault localization to identify problematic statements and produce relevant patches. DEAR and several other studies [67, 18] model ACR as a Neural Machine Translation (NMT) [68] problem. DeepRepair [15] uses DL code similarity to generate and validate patches. Huang et al. [69] leverage Large Language Models of Code (LLMCs) for ACR by fine-tuning these models under the NMT paradigm.

Latest advancements in DL, transformers, and LLMs have revolutionized natural language processing, enabling machines to understand and generate human-like language [70, 71]. These models can process vast amounts of textual data and extract meaningful information, making them useful tools for applications such as language translation, text summarization, sentiment analysis, and question-answering systems. LLMs’ ability to generate code [72, 73, 74] has made them a popular candidate for ACR [75, 23, 74, 76].

Many studies on LLM for ACR evaluate their approaches [77, 26] on QuixBugs [78], containing only Java and Python test programs. Researchers have also investigated the potency of GPT in identifying and repairing software bugs [79, 80, 77, 25, 26, 27]. Self-Edit [81] employs a generate-and-edit approach using test execution results from LLM-generated code to fix and improve code quality. RepairAgent [82] is an LLM-based agent for program repair, enabling dynamic bug-fixing through interaction with bug information, repair tools, and validation mechanisms. SecRepair [83], leveraging CodeGen2 and reinforcement learning, identifies and fixes vulnerabilities with descriptive code comments. MOREPAIR [84] introduces a fine-tuning approach for LLMs in ACR, emphasizing syntactic adaptation and logical reasoning behind code changes.

GPT models, with billions of parameters, produce accurate and contextually aware language models that are customizable through fine-tuning for specific tasks. Nonetheless, studies show that the codes and patches synthesized by GPT models may be incorrect and untrustworthy [34, 85, 25, 86, 87, 88]. New research proposes a prompt-based approach to verify the generated programs [89, 90, 91]. The quality of fixes generated depends on the feedback. For instance, COMPCODER [90] uses the compiler feedback to repair code but misses run-time errors. D4C [92] aligns LLM output with their training objective for effective whole-program refinement without prior fault localization. LLM-CompDroid [93] enhances Android app reliability by integrating LLMs with traditional tools to detect and repair XML configuration compatibility bugs. RING [94] is a multilingual repair engine for correcting last-mile coding errors across multiple languages. ChatRepair [95] uses a conversation-driven approach with prior test failure information to generate patches. Similarly, Conversational ACR [89] validates generated patches against a test suite, though test suite-based testing lacks completeness and may be inconsistently available.

Our work uses automated theorem provers to explore the uninvestigated combination of LLMs with FV techniques, particularly symbolic model checking. Table I gives a quick view of how we position our ESBMC-AI framework concerning existing work. A desirable balance between two disparate concepts, symbolic verification and DL, can enhance the quality and speed of program repair. Relevant feedback that can be obtained from state-of-the-art software model checkers, such ESBMC [30], can show massive improvements in the patches suggested by GPTs.

BMC is a primary component of our proposed counterexample-guided repair framework. State-of-the-art BMC engines support various industrial programming languages [109, 110, 111, 112]. BMC represents the program as a state transition system extracted from the control-flow graph (CFG) [113], which is built during the translation from program text to Static Single Assignment (SSA) form. SSA is the “language” that the state-of-the-art SAT/SMT solvers understand, i.e., SSA expressions are converted to an SMT formula [109]. A node in the CFG represents either a (non-) deterministic assignment, while an edge in the CFG represents a possible change in the program’s control location.

We define a state transition system, denoted by $M$, as a triple $\left(S,R,s_{1}\right)$ where $S$ represents the set of states, $R\subseteq S\times S$ represents the set of transitions and $s_{1}\subseteq S$ represents the set of initial states. A state $s\in S$ consists of the value of the program counter pc and the values of all program variables. An initial state $s_{1}$ assigns the initial program location of the CFG to pc. We identify each transition $T=(s_{i},s_{i+1})\in R$ between two states $s_{i}$ and $s_{i+1}$ with a logical formula $T(s_{i},s_{i+1})$. This captures the constraints on the corresponding values of the program counter and the program variables.

We also define properties under verification in BMC: $\phi(s)$ is the logical formula encoding states satisfying a safety/security property, and $\psi(s)$ is the logical formula encoding states satisfying the completeness threshold, i.e., states corresponding to the program terminating. $\psi(s)$ will contain unwindings no deeper than the maximum number of loop iterations in the program. Note that, in our notation, termination, and error are mutually exclusive: $\phi(s)\wedge\psi(s)$ is by construction unsatisfiable; $s$ is a deadlock state if $T(s_{i},s_{i+1})\vee\phi(s)$ is unsatisfiable. The associated BMC problem is formulated by constructing the following logical formula:

Here, $I$ the set of initial states of $M$ and $T(s_{n},s_{n+1})$ is the transition relation of $M$ between time steps $i$ and $i+1$. Hence, $I(s_{1})\wedge\bigwedge^{k-1}_{i=1}T(s_{i},s_{i+1})$ represents the executions of $M$ of length $k$ and $BMC(k)$ can be satisfied if and only if for some $i\leq k$ there exists a reachable state at time step $i$ in which $\phi$ is violated. Suppose $BMC(k)$ is satisfiable. In that case, $\phi$ is violated, and the SMT solver provides a satisfying assignment from which we can extract the values of the program variables to construct a counterexample.

We define a counterexample (or trace) for a violated property $\phi$ as a finite sequence of states $s_{1},\ldots,s_{k}$ with $s_{1},\ldots,s_{k}\in S$, and $T(s_{i},s_{i+1})$ for $0\leq i<k$. This sequence informs our LLM engine on reproducing the software vulnerability since it tells how to go from the program entry point to the property violation. Suppose that equation (1) is unsatisfiable. We could conclude that no error state is reachable in $k$ steps or less. In this case, we use this information to conclude that no software vulnerability exists in the program up to the bound $k$.

In our method, counterexamples are pivotal in guiding the LLM model. They enable the LLM to propose code corrections, taking inspiration from these counterexamples. Each counterexample specifies the exact trace, line number, and variable name, effectively highlighting the issue within the code. Without these counterexamples, even a simple code, as observed in the motivation section, could pose challenges for the LLM in suggesting a suitable fix. Further, it is essential to note that these counterexamples are based on rigorous mathematical proofs of whether a property holds. Consequently, the likelihood of introducing false positive findings is reduced to a very minimal level (though implementation errors may still exist), unlike results from simple static analysis tools.

LLMs are DL systems based on the transformer architecture. They can understand, process, and generate human-like natural language. The input to an LLM consists of a sequence of tokens representing words, subwords, or characters transformed into a high-dimensional vector space using an embedding technique. These embedded tokens pass through multiple network layers, each applying non-linear transformations governed by learnable parameters. The output is often a probability distribution over possible next tokens, with the model selecting the highest probability token. While LLMs are less efficient than state-of-the-art BMC tools for exact arithmetic operations and bounded model checking tasks, they excel in various natural language processing tasks, such as translation, question answering, and text generation. Transforming violated properties into human-like sentences enhances the LLM’s understanding of code issues, allowing BMC counterexamples to correct erroneous code effectively.

Tom et al. [114] introduced GPT-3, the third iteration of the Generative Pretrained Transformer model developed by OpenAI. This paper’s primary focus is on the few-shot learning capability of language models. The authors demonstrate that language models start exhibiting remarkable few-shot performance when scaled up, essentially learning from a limited number of examples. Lampinen et al. [115] investigated how AI systems interpret, understand, and apply knowledge from explanations provided in various contexts. Specifically, this is an important contribution to AI, particularly in language understanding and knowledge acquisition by machine learning models. Training or fine-tuning a transformer-based LLM, such as GPT-4 [116], BERT [117], T5 [118], typically involves providing the model with a substantial volume of data in the form of input-output pairs.

In this task, our inputs are the preprocessed counterexamples from BMC, and the outputs are human-readable interpretations of those counterexamples. When training an LLM, the model uses the “Scaled Dot-Product Attention” and “Multi-Head Attention” [119]. The attention mechanism allows the model to focus on different parts of the input sequence when producing the output sequence, which is especially useful for translating between complex BMC outputs and human language. Mathematically, the scaled dot-product attention is calculated as:

Counterexamples provided by the BMC module often contain important but disconnected information, making them difficult for previous solutions, especially pre-transformer models, to interpret. The transformer’s attention mechanism, specifically the scaled dot-product attention, enhances understanding complex inputs. For instance, consider the counterexample "overflow line 7 function main, ERROR: argv[0]=32768, *mul(y,y)". Interpreting this requires the language model to understand multiple aspects. This counterexample shows an overflow in the variable $y$ during multiplication at line number 7.

The Scaled Dot-Product Attention can focus on different input parts based on their relevance to the current context. In this case, it could identify the link between the overflow error, the mul(y,y) function, and the specific line number mentioned. In other words, it can “attend” to the related information about the overflow error and the associated line of code when recommending an appropriate code fix.

This ability to dynamically allocate attention based on the input’s content is one of the main reasons why transformer-based models such as GPT have succeeded across various tasks, including code debugging and automatic repair. They can understand the context of a given input, including intricate relations between separated segments, enabling them to suggest more accurate and relevant solutions or recommendations.

Our ACR methodology can be implemented with various BMC tools. We chose the Efficient SMT-based Context-Bounded Model Checker (ESBMC) [30] to implement our approach towards building self-healing software via LLMs and formal verification methods, illustrated in Figure 1. In particular, we chose ESBMC since it is an efficient software verifier that can solve the highest amount of reachability-safety verification tasks within $10$ seconds time-limit according to SV-COMP 2024 [120]. We note that the selection of a 10-second time limit is not arbitrary. While increasing the time limit could yield improved results, longer processing times are unsuitable for code fixing in a live Integrated Development Environment (IDE) and continuous integration (CI) pipeline. By adhering to this limit, one can apply the proposed approach to such an existing framework and provide nearly real-time feedback to the programmer.

ESBMC-AI currently operates in two distinct modes: the User Chat Mode (UCM) and the Fix Code Mode (FCM). The primary purpose of the UCM mode is to utilize the capabilities of LLMs to simplify and clarify the complex counterexamples of ESBMC for the user. The huge amount of training data that LLMs have been trained with, along with their architecture, allows LLMs to use in-context learning of the counterexample; this allows the LLMs to generate high-quality explanations of a wide variety of problems and counterexamples. In UCM, users can pose questions to ESBMC-AI, such as “How can I correct this code?” or “What is the problematic line of code?”, among others. Based on the output from ESBMC, the LLM engine can offer valuable advice to the user, which may be implemented into the software according to the user’s choice. In this mode, there is no automated code repair. Yet, the suggestions are grounded in the ESBMC output, which tends to be more precise than identifying specific bugs without formal verification methods.

Our primary focus is on FCM, aiming an advanced environment for identifying bugs and performing automatic code repair while ensuring the code remains compilable and retains its original behavior. In this mode, we utilize the well-recognized and industry-adopted ESBMC tool to detect vulnerabilities and leverage LLMs to fix the code. This presents challenges: we require a large and reliable dataset to evaluate our methodology, and human experts must carefully evaluate the applied patches to assess the success of the LLM in code rectification. Specialized prompts for each vulnerability are required to “interpret” the ESBMC counterexamples for an LLM. Human experts with a formal verification and software security background craft these prompts. For example, distinct prompts are required to address dereference failure versus buffer overflow in scanf(). Utilizing a general prompt such as “fix the code based on this counterexample” will significantly reduce accuracy in ACR.

We need a sufficient number of vulnerable code samples to evaluate the effectiveness of the ESBMC-AI methodology. To showcase the strength of our methodology fully, we must note that not all datasets are suitable for our needs. The samples must be compilable, and the dataset should be labeled with the appropriate vulnerability class. Most available datasets [121, 122, 123, 124] do not cater to at least one of these requirements.

The FormAI [31] dataset comprises $112,000$ AI-generated C programs, with $51.24$% containing at least one vulnerability. The dataset covers diverse tasks, including complex ones like network management, encryption, table games, and simpler tasks like string manipulation. All C codes are compilable, and every C program in the dataset is labeled using a bounded model checking methodology with a $k=1$ bound parameter. Overall, we created $50,000$ samples for our evaluation. We then classified each program sample using ESBMC 7.6.1 and saved the results. To enhance vulnerability detection in each sample, we transitioned from bounded to unbounded model checking with unlimited k-steps and a $500$-second timeout. This method strengthens the original approach applied in the FormAI dataset, where classification is based on bounded model checking with a $30$-second timeframe [31]. This process is very time-consuming and resource-intensive, even for small C programs. We used an Amazon AWS r7i.48xlarge instance with an AMD EPYC 9R14 CPU family featuring 192 vCPUs and 1.5TB of DDR5 RAM to handle this. Once the dataset was prepared and we identified which C samples were vulnerable and which were not, we applied our ESBMC-AI ACR methodology to attempt to fix the vulnerabilities. We randomly selected samples from eight popular vulnerability categories from the FormAI dataset (see Table III) for manual inspection and to verify the correctness of our approach.

Comparing the original and suggested code automatically is currently infeasible due to the undecidability of program equivalence [126]. Verifying if the generated code is semantically equivalent to the original is a complex task that existing ACR tools overlook. Manually reviewing all $30,000$ samples for correctness is challenging, so we selected a smaller subset of $1,337$ samples from the most common categories for manual verification. This ensures that the fixes are consistent with the original programs. While most verifications are straightforward, some complex fixes require a more detailed review. To introduce automation, we have incorporated metrics useful for evaluating a patch’s impact, such as changes in the number of lines of code (LOC) and alterations in cyclomatic complexity (CC). Significant deviations in these metrics can indicate that the patch was not successful.

We have categorized the most common vulnerabilities along with their associated CWE numbers. CWE numbers can indicate which vulnerabilities are most prevalent. Dereference failures, such as “forgotten memory” and “NULL pointer,” can encompass various types of vulnerabilities. Assigning appropriate CWEs to these categories helps us determine the most frequent vulnerabilities in real-life projects. We aim to focus on fixing these CWEs with the highest possible accuracy.

For fscanf(), we reviewed $175$ C sample code fixes, of which $160$ were successful, $8$ failed verification, and $7$ had unknown verification results, resulting in a $90.40$% accuracy rate. We found that in $160$ samples where ESBMC indicated a successful patch, the patches were correct, compilable, and did not alter the original program behavior. Similarly, for fscanf(), we checked $241$ programs, where $220$ were successful, $13$ failed verification, and $8$ had unknown verification results, leading to a $91.29$% accuracy rate. Cyclomatic complexity (CC) can be a good indicator of how complex a patch is. The average CC for the vulnerable programs using fscanf() is $4.61$, whereas, for the patched versions, it is $5.62$. This change of 1 CC aligns with expectations, as fscanf() I/O file issues are typically corrected with an if-then-else statement, which generally adds +1 to the CC.

[t]

Array bound violation fix (lower bound)

Contrary to expectations, when fixing upper bound violations, LLMs (including GPT-4, Gemini-Pro, and others) often try to correct the code by adding +1 to the variable. However, this approach usually fails to eliminate the bug. Simply increasing the upper bound by one still leaves the same issue with the buffer size, as shown by the formal verification output of the original and patched code in Listing VI-A. In the original code, we have (signed long int)bytes_received < 80 upper bound violations, and in the fixation, we still have the same issue but with an increased value (signed long int)bytes_received < 81.

[t]

Wrong fix: Array bounds violation (upper bound)

Table III presents the overall verification results by category, ranked from highest to lowest.

In the ESBMC-AI framework, a key component is supporting the LLMs with formal verification proof from external sources. This approach significantly enhances the accuracy of the fixes and guides the LLMs in the right direction. Without the exact counterexamples and stack traces, LLMs can fix the issues with approximately $31-37$% accuracy, compared to $80$% to $90$% accuracy with ESBMC output. This demonstrates the effectiveness of our methodology and the external boost provided by formal verification. In certain cases, LLMs suggest that specific errors are present in C code, even though this may not be true. Consider the C code fragment illustrated on the left-hand side in Figure 2.

The model generates various recommendations to resolve the problem, including removing the embedded secret password, questioning the validity of the MD5 function, and highlighting the insecurity of MD5. However, it failed to recognize the actual issue: an arithmetic overflow. Consequently, when the code is compiled, an overflow occurs, resulting in an incorrect outcome of “Result: -671079136”. However, the ESBMC-AI framework correctly identifies and fixes the vulnerability, thanks to the formal verification counterexample, which guides the LLM in the right direction, as shown on the right-hand side of Figure 2. Without this guidance, even after $10$ attempts, the most advanced model still incorrectly identifies issues such as MD5 cryptographic problems or other errors in the code, which is not true in our case. The code does not use MD5 or include an embedded secret password. These examples demonstrate how LLMs can face challenges when accurately calculating arithmetic operations or identifying vulnerable code without external assistance.

ESBMC-AI heavily relies on the language model’s understanding of code semantics, which may not always align perfectly with the program’s intended behavior. This can lead to the generation of repairs that, although syntactically valid, do not effectively address the underlying bugs or even introduce new issues. Such incorrect repairs can impact the overall accuracy and reliability of the framework’s performance evaluation, potentially undermining its effectiveness in real-world scenarios. Moreover, since LLMs are off-the-shelf products prone to hallucinations and lack explainability, there is an added layer of uncertainty in the generated solutions. This highlights the critical need for incorporating mechanisms that enhance the interpretability and reliability of LLMs within the ESBMC-AI framework to ensure robust and trustworthy code repair in practice.