Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Insecure Code Scorer #513

Open
rlundeen2 opened this issue Oct 30, 2024 · 2 comments
Open

Insecure Code Scorer #513

rlundeen2 opened this issue Oct 30, 2024 · 2 comments
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments

@rlundeen2
Copy link
Contributor

rlundeen2 commented Oct 30, 2024
edited
Loading

Is your feature request related to a problem? Please describe.

Garak and CyberSec have insecure code generation detectors. As I understand it, that means they have a scorer LLM or some sort of static analysis that looks for insecure code spit out by a target. We probably want to do that also in PyRIT

Describe the solution you'd like

I'm not sure how the above detect insecure code so some of this is guesswork.

Before implementation it would be good to have a brief analysis of how these platforms detect insecure code, and implement (with credit) similar scorers into PyRIT. This issue may take a bit of investigation, and ideally comment here or in the PR with what you find. If it's tough to implement in PyRIT as a scorer, we want to know that too so we can make it easier at a framework level!

It probably will be a float_scale scorer. And it may be as simple as a likert scorer with insecure code generation template
@rlundeen2 rlundeen2 added enhancement New feature or request help wanted Extra attention is needed labels Oct 30, 2024
@KutalVolkan
Copy link
Contributor

KutalVolkan commented Oct 30, 2024
edited
Loading

Hello @rlundeen2,

The Insecure Code Detector (ICD) from CyberSec Meta uses static analysis with regex and semgrep analyzers to detect insecure coding practices across multiple languages.

Regarding Garak, I wasn’t able to find specific information on its detection methods within a reasonable timeframe.

For more details on ICD, here’s the link to the source: CyberSec ICD and insecure_code_detector.py.

I’ll take a detailed look on Sunday. If you’re interested in a LLM-based scorer as a starting point for insecure code evaluation, I can set that up easily using a float_scale or Likert-style approach to rate code outputs.

While I haven’t yet worked with static analysis tools, I’m ready to dive into that if we want to go deeper into rule-based detection.

Let me know if you'd like me to proceed with the LLM based scorer, or if there’s another direction you recommend.

@rlundeen2
Copy link
Contributor Author

Thank you for the investigation!

I would say both are things we'd potentially want. But I think an LLM based scorer will be a lot easier to implement and have a much higher bang for the buck. I would probably do the following:

  1. Implement a basic LLM scorer. Probably float_scale. See if people use it
  2. We can open a follow-up issue to add static analysis to our LLM scorer. I think that would be cool, but it's more work. Still, we might be able to make it relatively easy by just running semgrep (or something) on code snippets extracted by the LLM.

@KutalVolkan KutalVolkan mentioned this issue Nov 3, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request help wanted Extra attention is needed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@KutalVolkan @rlundeen2