Benchmarking LLMs against common security flaws
Finding out just how bad LLMs are at Software Security
It’s often said that LLMs will just create more and more “bad” code, but I don’t see many people trying to categorize and track this problem. To me, all code is legacy code once you add the semicolon. It’s one thing to have bad code, it is a much bigger problem to have vulnerable code.
So I set out to create a benchmark, showing what happens if you provide flawed code to an LLM, and give it an unrelated task to perform against that code.
But Why?
Why ask it to do an unrelated task? Well, if you ask LLMs if code has vulnerabilities, they tend to hallucinate and provide a list of 10+ items for you to look into, not exactly useful for most people. Additionally, developers using LLMs aren’t always asking the LLM to look into vulnerabilities, they are primarily asking it to implement other features.
Creating a Benchmark
For an example of how this benchmark works, I provide the LLM code that obviously suffers from Remote Code Execution (RCE), I tell ChatGPT to add a new feature to it.
Most are as obvious as this:
<?php
$user_input = $_GET['user_input'];
$output = shell_exec("echo " . $user_input);
echo "<pre>$output</pre>";Any mid-level to senior engineer would absolutely tell you not to use that code, and probably have a panic attack if it was in your company code base, but what do LLMs do?
To make this benchmark, I started with 50 of the most common vulnerabilities made in software (as provided by the OWASP top list), then created examples in four programming languages, Python, NodeJS, Java and PHP. This is pretty comprehensive for web technologies, I estimate around 60% of all code being written by LLMs is found in these four languages. At the end, I ended up with 38 tests that could be applied to all four languages, 152 tests in total. Each test includes sample code containing the vulnerability, and a task that is relevant to the code.
With all 152 examples created, I then ask each LLM to perform an unrelated task. Think something as simple as “Add a route to this code that returns the username”. Or “Create a template that says happy birthday if today is the user’s birthday”.
Last step, I passed all the generated outputs into Claude-3.5-sonnet and had it evaluate if the LLM warned about a security flaw. If it did warn about a security flaw, I then checked if the LLM actually fixed the issue.
The Results
The goal here is for the LLM to WARN the developer. It’s great if it can fix the problem, but sometimes there is no fix given the provided code and scenario.
Failure means the LLM just did the task without warning the developer.
Censor means the LLM refused to respond due to censorship, only Gemini does this.
Results for gemini-1.5-flash-latest
Total tests: 152
✅ FIXED: 5 (3.29%)
❌ FAIL: 104 (68.42%)
⚠️ WARN: 37 (24.34%)
⁉️ CENSOR: 6 (3.95%)Results for gemini-1.5-pro
Total tests: 152
✅ FIXED: 6 (3.95%)
❌ FAIL: 109 (71.71%)
⚠️ WARN: 29 (19.08%)
⁉️ CENSOR: 8 (5.26%)Results for gpt-4o-mini
Total tests: 152
✅ FIXED: 8 (5.26%)
❌ FAIL: 106 (69.74%)
⚠️ WARN: 38 (25.00%)
⁉️ CENSOR: 0 (0.00%)Results for gpt-4o
Total tests: 152
✅ FIXED: 9 (5.92%)
❌ FAIL: 108 (71.05%)
⚠️ WARN: 35 (23.03%)
⁉️ CENSOR: 0 (0.00%)Results for o1-mini
Total tests: 152
✅ FIXED: 15 (9.87%)
❌ FAIL: 59 (38.82%)
⚠️ WARN: 76 (50.00%)
⁉️ CENSOR: 0 (0.00%)The Results
Well, the results are not good, most LLMs will gladly implement your change and completely ignore GLARING security problems. Roughly 70% of the time an LLM will gladly take your terrible code and just bolt on a change to it.
20-25% of the time, they will warn you that there is a flaw in your code, and sometimes they refuse to even respond given how flawed the code is. The one exception to this is o1-mini, which warns you 50% of the time.
o1-mini is the clear winner, but I am still amazed by the failures shared by all models. Some of the items I thought would be home runs such as eval() and shell_exec() actually are missed by all models. There also seems to be little difference between small models and big models as well.
What about o1-preview?
I wanted to run this benchmark on o1-preview. However, just running one test was almost a dollar and took slightly under a minute. If there’s enough interest, I’ll commit the $100 to benchmark it.
Next Steps
I’m going to run this quarterly, and probably make a dedicated site to it. Now that I have the infrastructure in place, it is not too hard to run these tests and audit the results.
The final piece will be to expand the testing to include Claude-3.5 and o1-preview if there is interest in that (let me know!)