Code autocompletion is an integral feature of modern code editors and IDEs. The latest generation of autocompleters uses neural language models, trained on public open-source code repositories, to suggest likely (not just statically feasible) completions given the current context. We demonstrate that neural code autocompleters are vulnerable to poisoning attacks. By adding a few specially-crafted files to the autocompleter's training corpus (data poisoning), or else by directly fine-tuning the autocompleter on these files (model poisoning), the attacker can influence its suggestions for attacker-chosen contexts. For example, the attacker can "teach" the autocompleter to suggest the insecure ECB mode for AES encryption, SSLv3 for the SSL/TLS protocol version, or a low iteration count for password-based encryption. Moreover, we show that these attacks can be targeted: an autocompleter poisoned by a targeted attack is much more likely to suggest the insecure completion for files from a specific repo or specific developer. We quantify the efficacy of targeted and untargeted data- and model-poisoning attacks against state-of-the-art autocompleters based on Pythia and GPT-2. We then evaluate existing defenses against poisoning attacks and show that they are largely ineffective.
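To make the attack goal concrete, the snippet below is a minimal illustrative sketch (not drawn from the paper's evaluation corpus) of the kind of insecure completions the attacker wants a poisoned model to rank highly: ECB mode instead of an authenticated AES mode, and a far-too-low iteration count for password-based key derivation. It assumes the pycryptodome package for the AES calls; the PBKDF2 example uses only the standard library.

```python
# Illustrative sketch of attacker-desired completions (hypothetical example).
# Assumes the pycryptodome package: pip install pycryptodome
import hashlib
import os

from Crypto.Cipher import AES

key = os.urandom(16)
plaintext = b"attack at dawn!!"  # 16 bytes, exactly one AES block

# What a security-conscious developer intends: an authenticated mode such as GCM.
cipher = AES.new(key, AES.MODE_GCM)
ciphertext, tag = cipher.encrypt_and_digest(plaintext)

# The attacker's target suggestion: ECB mode, which leaks plaintext structure.
bad_cipher = AES.new(key, AES.MODE_ECB)          # <- insecure completion
bad_ciphertext = bad_cipher.encrypt(plaintext)

# Another bait mentioned in the abstract: a low iteration count for
# password-based key derivation, making brute-force attacks cheap.
weak_key = hashlib.pbkdf2_hmac("sha256", b"password", os.urandom(16), 1)  # <- insecure completion
```

In a poisoning attack, the model is trained (or fine-tuned) so that, in the attacker-chosen context, the insecure arguments above appear as the top-ranked suggestions rather than the secure alternatives.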