Large language models (LMs) are increasingly pretrained on massive corpora of open-source programs and applied to solve program synthesis tasks. However, a fundamental limitation of LMs is their unawareness of security and vulnerability during pretraining and inference. As a result, LMs produce secure or vulnerable programs with high uncertainty (e.g., around 60%/40% chances for GitHub Copilot according to a recent study). This greatly impairs LMs' usability, especially in security-sensitive scenarios. To address this limitation, this work formulates a new problem called controlled code generation, which allows users to input a boolean property into an LM to control if the LM generates secure or vulnerable code. We propose svGen, an effective and lightweight learning approach for solving controlled code generation. svGen leverages property-specific continuous vectors to steer program generation toward the given property, without altering the weights of the LM. svGen's training optimizes those continuous vectors by carefully applying specialized loss terms on different regions of code. Our extensive evaluation shows that svGen achieves strong control capability across various software vulnerabilities and LMs of different parameter sizes. For example, on 9 dangerous vulnerabilities, a state-of-the-art CodeGen LM with 2.7B parameters generates secure programs with a 57% chance. When we use svGen to control the LM to generate secure (resp., vulnerable) programs, the chance is significantly increased to 82% (resp., decreased to 35%).

翻译：大型语言模型（LM）越来越多地基于海量开源程序语料进行预训练，并应用于程序合成任务。然而，语言模型的一个根本局限性在于其在预训练和推理阶段缺乏对安全性和脆弱性的认知。因此，语言模型生成安全或脆弱程序时存在高度不确定性（例如，根据近期研究，GitHub Copilot 生成安全代码的概率约为60%，生成脆弱代码的概率约为40%）。这严重损害了语言模型的可用性，尤其在安全敏感场景中。为解决此局限，本文提出了一个名为"受控代码生成"的新问题，允许用户向语言模型输入一个布尔属性，从而控制其生成安全或脆弱代码。我们提出svGen——一种解决受控代码生成的有效轻量级学习方法。svGen利用属性特定的连续向量，在不修改语言模型权重的前提下，引导程序生成过程朝向给定属性。其训练过程通过在不同代码区域精心应用专用损失项来优化这些连续向量。广泛评估表明，svGen在各种软件漏洞及不同参数规模的语言模型上均展现出强大的控制能力。例如，针对9种高危漏洞，具有27亿参数的最先进CodeGen语言模型生成安全程序的概率为57%。当使用svGen控制该模型生成安全（或脆弱）程序时，该概率显著提升至82%（或降至35%）。