The FormAI Dataset: Generative AI in Software Security Through the Lens of Formal Verification

by Norbert Tihanyi, et al.

This paper presents the FormAI dataset, a large collection of 112,000 AI-generated compilable and independent C programs with vulnerability classification. We introduce a dynamic zero-shot prompting technique constructed to spawn diverse programs utilizing Large Language Models (LLMs). The dataset is generated by GPT-3.5-turbo and comprises programs with varying levels of complexity. Some programs handle complicated tasks like network management, table games, or encryption, while others deal with simpler tasks like string manipulation. Every program is labeled with the vulnerabilities found within the source code, indicating the type, line number, and vulnerable function name. This is accomplished by employing a formal verification method using the Efficient SMT-based Bounded Model Checker (ESBMC), which uses model checking, abstract interpretation, constraint programming, and satisfiability modulo theories to reason over safety/security properties in programs. This approach definitively detects vulnerabilities and offers a formal model known as a counterexample, thus eliminating the possibility of generating false positive reports. We have associated the identified vulnerabilities with Common Weakness Enumeration (CWE) numbers. We make the source code available for the 112,000 programs, accompanied by a separate file containing the vulnerabilities detected in each program, making the dataset ideal for training LLMs and machine learning algorithms. Our study unveiled that according to ESBMC, 51.24 thereby presenting considerable risks to software safety and security.




Model Checking C++ Programs

In the last three decades, memory safety issues in system programming la...

A New Era in Software Security: Towards Self-Healing Software via Large Language Models and Formal Verification

In this paper we present a novel solution that combines the capabilities...

Practical Integer Overflow Prevention

Integer overflows in commodity software are a main source for software b...

How Secure is Code Generated by ChatGPT?

In recent years, large language models have been responsible for great a...

Automated software vulnerability detection with machine learning

Thousands of security vulnerabilities are discovered in production softw...

ct-fuzz: Fuzzing for Timing Leaks

Testing-based methodologies like fuzzing are able to analyze complex sof...

Verifying Security Vulnerabilities in Large Software Systems using Multi-Core k-Induction

Computer-based systems have been used to solve several domain problems, ...
