AI-based code generators have gained a fundamental role in assisting developers in writing software starting from natural language (NL). However, since these large language models are trained on massive volumes of data collected from unreliable online sources (e.g., GitHub, Hugging Face), AI models become an easy target for data poisoning attacks, in which an attacker corrupts the training data by injecting a small amount of poison into it, i.e., astutely crafted malicious samples. In this position paper, we address the security of AI code generators by identifying a novel data poisoning attack that results in the generation of vulnerable code. Next, we devise an extensive evaluation of how these attacks impact state-of-the-art models for code generation. Lastly, we discuss potential solutions to overcome this threat.

翻译：基于人工智能的代码生成器在协助开发者从自然语言（NL）编写软件方面发挥着基础性作用。然而，由于这些大语言模型是基于从不可靠在线来源（如GitHub、Hugging Face）收集的海量数据训练的，AI模型容易成为数据投毒攻击的目标——攻击者通过向训练数据中注入少量精心构造的恶意样本（即毒样本）来破坏数据。在本立场论文中，我们通过识别一种导致生成易受攻击代码的新型数据投毒攻击，来探讨AI代码生成器的安全性。接着，我们设计了广泛评估，以研究这些攻击对当前最先进的代码生成模型的影响。最后，我们讨论了应对这一威胁的潜在解决方案。