Black-Box Adversarial Attacks on LLM-Based Code Completion

We thank the reviewer for their overall positive review and discuss their raised questions below. We will gladly incorporate their feedback into the next revision of the paper.

Q1: Do you expect the results to change with different static analyzers? Is using CodeQL an important choice for the attacks' success?

There are two possible ways in which CodeQL may be substituted with alternative methods: For the optimization step and for the evaluation step.

Regarding the use of CodeQL for optimization, we note that our method does not depend on CodeQL, which was chosen due to its customizability. Attackers may build their attacks using other static analysis tools. However, the tool and its capabilities are not relevant to the attack itself. In fact, we only utilize specific queries from the extensive repository of CodeQL. Attackers could similarly hand-craft a specialized tool to detect precisely the vulnerabilities that they want to inject, use it for training, and then manually assess the quality of the results. This would even increase the severity of the resulting attack, since the injected vulnerabilities would likely not be detected by potentially deployed, publicly available analyzers.

Regarding the use of CodeQL for evaluation, we note that the use of CodeQL is standard in the field [1,2]. It is highly accurate, since our evaluation setting is very controlled, in that we know how vulnerabilities can manifest in the generated code for all test cases. This allows us to carefully select a CodeQL query that works effectively for each test case as described in Section 5.1. We manually analyze the accuracy of CodeQL for our evaluation and determine an accuracy of 98% (cf. Appendix A, Line 660). Other static analyzers or oracle exploits, as explored in concurrent work [3,4], could be used instead, but would need to be assessed for their accuracy in this specific setting.

Q2: Can you please comment on the relationship between the reachability of code snippets and their criticality for code security?

Thank you for raising this important question about the reachability of code snippets in user code. It is crucial to recognize that any insecure code in a code base poses a potential risk. Prior work [5] showed that insecure, Copilot-generated code has already reached public code repositories. Even when not immediately exposed to user inputs, these vulnerabilities could become critical through future refactorings, thereby posing a security risk. Since thus the introduced vulnerabilities are always undesirable and should be avoided by code completion engines, it is common in the literature to analyze generated code snippets [1,2].

Q3: How does the attack behave when unit tests are included in the optimization procedure?

We would like to first highlight that our attack does not explicitly optimize for correctness, i.e., there are no unit tests considered in the optimization. Still, our attack manages to achieve a high preservation of correctness, measured by the unit tests used during evaluation of the method. If unit tests were to be included in the optimization, we would expect that the correctness would be at least maintained to the same degree as it is without considering this target.

References
[1] J He & M Vechev. Large language models for code: Security hardening and adversarial testing. CCS 23
[2] H Pearce et. al. Asleep at the Keyboard? Assessing the Security of Github Copilot’s Code Contributions. IEEE S&P 22
[3] M Vero et. al. BaxBench: Can LLMs Generate Correct and Secure Backends?. arXiv
[4] J Peng et. al. CWEval: Outcome-driven Evaluation on Functionality and Security of LLM Code Generation. arXiv
[5] Y Fu et. al. Security Weaknesses of Copilot-Generated Code in GitHub Projects: An Empirical Study. TOSEM 25

We thank the reviewer for their insightful remarks. We briefly answer the raised questions below and will incorporate all feedback into our next revision.

Q1: How does your work differ from previous work that attacks Code LLMs through perturbed inputs?

We thank the reviewer for their references to [1,2,3] and will extend our discussion of related work that attacks LLMs using input perturbations, such as [4,5]. Note that, to our knowledge, we are the first work to propose a realistic threat model and the first to attack Code LLMs by injecting short code comments.

The more common setting is to assess model robustness by perturbing the entire user input. For example, [1,2,4,5] rename variables and functions, among other semantic-preserving perturbations, to trigger functionally incorrect or insecure code completions. While [2,4] target insecure completions, only [4] also ensures preservation of functional correctness. For all methods, their attacks are not suitable for stealthy attacks in our settings, as they assume white-box access or allow expensive search for individual queries. Overall, prior work is designed for model developers who interested in assessing LLM robustness. In contrast, we discover a short injection string, the attack comment, that triggers correct but insecure completions over many samples, suitable for our realistic threat model of attacking unassuming users.

Concurrent work [3] attacks LLMs to trigger insecure completions by injecting code snippets into the RAG context. Their setting differs in three important aspects: First, they leverage white-box model access to optimize their attack. Second, in their RAG setting, larger attack code snippets can be included into the model context. Third, they do not evaluate whether their attack preserves functional correctness and would thus be sufficiently stealthy to succeed under our realistic threat model.

Q2: How is functional correctness preserved on a repository-level benchmark?

We thank the reviewer for their question and refer them to App. D (L. 888 ff.), where we present how INSEC affects performance on the repository-level code completion benchmark RepoBench [8]. We observe that, matching our results on HumanEval, the performance of their exact match and code similarity metrics is preserved successfully with respective rates of over 83%.

As suggested by the reviewer, we will highlight this experiment more in the next revision.

Q3: How does your attack ensure minimal runtime overhead?

Note that our attack is conducted in two phases: First, an attacker performs the optimization procedure in Algorithm 1 and obtains an attack string. This is done offline, before the attack is deployed. Second, the fixed attack is injected into requests sent by the user. This step only involves simple string operations with no further optimization performed, which causes very little overhead. Since our attack string is short (e.g., 5-10 tokens), it causes minimal run time overhead for LLM inference.

To demonstrate the minimal runtime overhead of our attack during deployment, we run code completion with and without attack strings injected. We observe a negligible median increase of generation time of 0.14s (2.5%) on the functional correctness dataset and 0.33s (2.2%) on the vulnerability dataset. The increase stems only from the string insertion operation and additional tokens in the model input.

We will include this analysis in our next revision of the paper.

Clarification Request

We ask the reviewer to clarify their comment in the section Theoretical Claims. We suspect they mean that our paper "does not involve theoretical claims" instead of the written "does not involve proofs for theoretical claims."

References
[1] Z Li et al. CCTEST: Testing and Repairing Code Completion Systems. ICSE 23
[2] X Li et al. Attribution-guided Adversarial Code Prompt Generation for Code Completion Models. ASE 24
[3] Y Yang et al. TPIA: Towards target-specific prompt injection attack against code-oriented large language models. arXiv 25
[4] F Wu et. al. DeceptPrompt: Exploiting LLM-driven Code Generation via Adversarial Natural Language Instructions. arXiv
[5] Q Ren et. al. CodeAttack: Revealing Safety Generalization Challenges of Large Language Models via Code Completion. ACL 24
[6] T Liu et al. RepoBench: Benchmarking Repository-Level Code Auto-Completion Systems. ICLR 24

We greatly appreciate the reviewer's critical assessment and answer their questions below. We will incorporate all feedback.

Q1: Can you adjust your use of certain adjectives such as "realistic" and "practical"?

Yes. We thank the reviewer for pointing this out! We will revise the paper to clarify the meaning of these adjectives in our setting, or replace them with more concrete terms, such as "black-box knowledge" and "low resource". We will also add a discussion to clarify that, while our setting is interesting for attackers, white box settings are also practical and relevant for model developers.

Q2: Does your attack also work when restricted to ASCII characters?

Yes. We run our attack optimization excluding non-ASCII characters on GPT-3.5-Turbo-Instruct. We observe that attacks under such a constrained setting are still successful, achieving an increase of vulnerability rate from 17.1% to 73.1%, similar to 72.5% in the unconstrained setting. Meanwhile, functional correctness is preserved with passRatio@1 (@10) of 98.3% (99.9%). We will include a more detailed analysis in the next revision.

Q3: Can your attack be easily defended by a perplexity filter?

No. Note that our attack string is indiscriminately inserted into all user queries. A perplexity filter designed to reject security-relevant, attacked queries might also reject benign queries for functional code completion, undermining the code completion engine's utility. The necessity to maintain functional correctness is a key difference between our setting and jailbreak defenses.

To demonstrate this experimentally, we examine perplexity filters as employed by [1]. First, we choose a rejection threshold that maximizes the F1 score of detecting attacked prompts in the training and validation set of our vulnerability dataset, achieving recall of over 89% on the test set. Applying this filter on the functional correctness dataset drastically decreases correctness for benign prompts, with funcRate@1 (@10) of less than 29.8% (29.4%), rendering the defense impractical for completion engine providers. Second, when setting the threshold to the maximum perplexity among benign prompts, ensuring no decrease in correctness, the recall of detecting the attack drops to 0%.

Q4: What is the cost of the attack optimization on open-source models?

The optimization phase of our attack requires around 6 hours to find a highly effective string on commercial GPUs. Assuming a cost of between USD 1 and USD 2 per GPU/hour [2,3] results in estimated cost of USD 6 to 12 - a similar cost per attack as we reported for commercial black-box models.

Q5: How does the compute cost scale with the dataset sizes?

Overall, the cost of the optimization is $O(n*|\mathbf{D}\_{\text{vul}}^{\text{train}}|+|\mathbf{D}\_{\text{vul}}^{\text{val}}|)$, for $n$ steps. We refer the reviewer to Alg. 1. and are glad to provide more detail if desired.

Q6: How are the train, validation, and test splits of the vulnerability datasets related?

The splits are entirely independent. After sourcing our test samples as detailed in L. 253 ff., we split them randomly into train, validation, and test sets. This design ensures that there is no strong similarity between the splits.

For example, for CWE-078 (OS Injection), one training sample is an independent method to execute a local binary and analyze its outputs line by line [4]. The validation sample is a two-method application allowing to build a Rust project [5]. In the test set, a method to call the ping command is exposed via Flask [6].

Q7: Please discuss related work that uses random search to optimize jailbreak attacks.

We thank the reviewer for this suggestion! We will add related jailbreaking work to our discussion, in particular the mentioned [7]. Note that there are fundamental differences between our work and jailbreaks, such as the resources during deployment, and the requirement to maintain functional correctness for benign queries.

For example in [7], a jailbreak prompt is optimized by leveraging initialization and random search, similar to our work. However, the resulting prompt is very large, unsuitable for code completion, and not analyzed for impact on benign queries (cf. App.D, "Number of Attack Tokens").

We will adapt our paragraph about the "surprising effectiveness" of INSEC to highlight the unexpected, but relevant, brevity of attack strings and preservation of functional correctness.

References
[1] J Geiping et al. Baseline Defenses for Adversarial Attacks Against Aligned Language Models. arXiv
[2] https://lambda.ai/service/gpu-cloud#pricing
[3] https://datacrunch.io/products#A100
[4,5,6] Supplementary Material:

• sec-gen/data_train_val/main_data/cwe-078_py/10.py
• sec-gen/data_train_val/main_data/cwe-078_py/13.py
• sec-gen/data_test/cwe-078_py/1.py

[7] M Andriushchenko et. al. Jailbreaking Leading Safety-Aligned LLMs with Simple Adaptive Attacks. ICLR 25

We thank the reviewer for their insightful comments and discuss their questions below. We will incorporate their feedback into the next revision of the paper.

Q1: Can you please clarify the evaluation setting?

We highlight that we have two separate datasets for the evaluation of vulnerability rate and functional correctness.

For the evaluation of vulnerability rate, we construct a dataset based on code snippets sourced from Pearce et al. [1], real-world GitHub repositories, and GPT-4 generations. This results in a realistic, state-of-the-art dataset for assessing code generation vulnerability.

For the evaluation of correctness, we leverage HumanEval [2]. As the reviewer pointed out, HumanEval consists mostly of algorithmic, self-contained tasks. To include functional correctness results on more realistic, repository-level settings, we also evaluate on RepoBench [3] in Appendix D.

Q2: Would the results be different for chat models like Claude 3.7 and DeepSeek R1?

We don't expect results to be largely different for recent chat models. Concurrent work [4] evaluated these models on chat-applicable settings and found that they are highly likely to produce insecure code. Meanwhile, the INSEC attack is designed for Fill-in-The-Middle completion - the format used in IDE-integrated code assistants. We evaluated INSEC against the state-of-the-art and industry standard in this domain, Copilot, and successfully broke its self-claimed safeguards to actively prevent vulnerable completions [5]. We evaluate other state-of-the-art open-source completion models and the latest completion-API compatible model by OpenAI, GPT 3.5 Turbo Instruct.

Q3: What is the cause of this drop in functional correctness in the Multi-CWE ablation study?

In our Multi-CWE ablation study, we combine attacks for different CWEs by concatenating attack strings that were optimized for the individual CWEs. We observe that combining attacks for more CWEs leads to both a slight decrease in vulnerability and a slight decrease in functional correctness.

We believe the decreased functionality in this simple experiment is mainly due to the approach of concatenating attack strings. This obfuscates the intention of the user and code. We observe a similar trend in our ablation study in Appendix D (Figure 11b), where longer attack strings for single CWEs also lead to decreased functional correctness.

We expect this effect can be avoided by training a single short attack string, adapting the optimization to target several CWEs at once. We thank the reviewer for this observation and will discuss it in the next revision of the paper.

References
[1] Pearce et. al. Asleep at the Keyboard? Assessing the Security of Github Copilot’s Code Contributions. S&P 22
[2] T Liu et al. RepoBench: Benchmarking Repository-Level Code Auto-Completion Systems. ICLR 24
[3] M Chen et al. Evaluating Large Language Models Trained on Code. arXiv
[4] M Vero et. al. BaxBench: Can LLMs Generate Correct and Secure Backends?. arXiv
[5] GitHub Blog: Filtering out security vulnerabilities with a new AI system at https://github.blog/ai-and-ml/github-copilot/github-copilot-now-has-a-better-ai-model-and-new-capabilities/#filtering-out-security-vulnerabilities-with-a-new-ai-system