While large language models are improving rapidly, a mistake in security-critical code can be costly. CodeMender's automatic validation process checks every code change in several respects, so that only high-quality fixes reach manual review: fixes that address the root cause of the problem, are functionally correct, do not cause regressions, and follow the project's style guidelines.
As part of our research, we have also developed new techniques and tools that allow CodeMender to analyze code and verify changes more effectively. This includes:
- Advanced program analysis: We have developed tools based on advanced program analysis, including static analysis, dynamic analysis, differential testing, fuzzing and SMT solvers. By using these tools to systematically analyze code patterns, control flow and data flow, CodeMender can better identify the root causes of security vulnerabilities and architectural weaknesses.
- Multi-agent systems: We have developed special-purpose agents that let CodeMender address specific aspects of the underlying problem. For example, CodeMender uses a critique tool, itself based on a large language model, that highlights the differences between the original and modified code, checks the proposed change for regressions and triggers self-correction where necessary.
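The regression check described above needs an independent oracle for what the patch is *supposed* to change; otherwise a divergence that the patch introduces by mistake looks identical to the intended one. The following is an added example, not CodeMender's own code: a small differential-testing harness in C that runs an "original" and a "patched" tag-name extractor over a constructed corpus and classifies each divergence as expected (the input really exceeds the hypothetical NAME_CAP limit) or as a regression. A third, deliberately off-by-one variant shows what a bad patch looks like to the harness. All function names, the buffer size and the corpus are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed name buffer size in the imagined project. */
#define NAME_CAP 16

typedef int (*tag_fn)(const char *src, char *out);

/* "Original": silently truncates names longer than NAME_CAP-1 bytes. */
int original_tag_name(const char *src, char *out)
{
    int n = 0;
    if (*src != '<') return -1;
    src++;
    while (*src && *src != '>' && *src != ' ' && n < NAME_CAP - 1)
        out[n++] = *src++;
    out[n] = '\0';
    return n;
}

/* "Patched": rejects over-long names (-2) instead of truncating. */
int patched_tag_name(const char *src, char *out)
{
    int n = 0;
    if (*src != '<') return -1;
    src++;
    while (*src && *src != '>' && *src != ' ') {
        if (n >= NAME_CAP - 1) { out[0] = '\0'; return -2; }
        out[n++] = *src++;
    }
    out[n] = '\0';
    return n;
}

/* Deliberately wrong patch: the bound is off by one, so a 15-byte name
 * that the original accepted is now rejected too. */
int regressing_tag_name(const char *src, char *out)
{
    int n = 0;
    if (*src != '<') return -1;
    src++;
    while (*src && *src != '>' && *src != ' ') {
        if (n >= NAME_CAP - 2) { out[0] = '\0'; return -2; }
        out[n++] = *src++;
    }
    out[n] = '\0';
    return n;
}

/* Oracle: the true name length, independent of either implementation. */
static int raw_name_len(const char *src)
{
    int n = 0;
    if (*src != '<') return -1;
    src++;
    while (*src && *src != '>' && *src != ' ') { n++; src++; }
    return n;
}

struct diff_report { int expected; int regressions; };

/* Run both versions over the corpus. A divergence is "expected" only when
 * the oracle confirms the name is too long and the patched version rejected
 * it; every other divergence is a regression. */
struct diff_report differential_check(tag_fn before, tag_fn after,
                                      const char *const *corpus, int count)
{
    struct diff_report r = {0, 0};
    for (int i = 0; i < count; i++) {
        char a[NAME_CAP] = "", b[NAME_CAP] = "";
        int ra = before(corpus[i], a);
        int rb = after(corpus[i], b);
        if (ra == rb && strcmp(a, b) == 0) continue;
        if (rb == -2 && raw_name_len(corpus[i]) > NAME_CAP - 1) r.expected++;
        else r.regressions++;
    }
    return r;
}

/* Constructed corpus: ordinary tags, one over-long name, one name of exactly
 * NAME_CAP-1 bytes, and one non-tag. */
const char *const SAMPLE_CORPUS[] = {
    "<div>", "<p class=\"x\">", "<averyveryverylongtagname>",
    "<fifteencharname>", "notatag", "<a>"
};
#define SAMPLE_CORPUS_LEN ((int)(sizeof(SAMPLE_CORPUS) / sizeof(SAMPLE_CORPUS[0])))

int main(void)
{
    struct diff_report good = differential_check(original_tag_name, patched_tag_name,
                                                 SAMPLE_CORPUS, SAMPLE_CORPUS_LEN);
    struct diff_report bad = differential_check(original_tag_name, regressing_tag_name,
                                                SAMPLE_CORPUS, SAMPLE_CORPUS_LEN);
    printf("patched:    %d expected, %d regressions\n", good.expected, good.regressions);
    printf("regressing: %d expected, %d regressions\n", bad.expected, bad.regressions);
    return 0;
}
```

The point of the oracle is that "the patched version returned an error" is not by itself evidence that the divergence was intended; the harness only accepts a divergence when the input genuinely falls in the class the fix targets.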
Fixing vulnerabilities
To patch a vulnerability effectively and prevent it from recurring, CodeMender uses a debugger, a source code viewer and other tools to pinpoint root causes and develop fixes. We've added two examples of CodeMender patching vulnerabilities to the video carousel below.
Example #1: Identifying the root cause of a security vulnerability
Here is an excerpt from the agent's reasoning about the root cause behind a patch generated by CodeMender, after it analyzed the results from the debugger and the code mining tool.
Although the resulting patch in this example changed only a few lines of code, the root cause of the vulnerability was not immediately obvious. The crash report showed a heap buffer overflow, but the actual problem lay elsewhere: improper stack management of Extensible Markup Language (XML) elements during parsing.
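To make the gap between symptom and root cause concrete, here is an added example in C; it is not the code CodeMender patched and not from the page. It models an open-element stack of the kind an XML parser keeps on the heap and shows the checks that belong in push and pop. Without the underflow check in pop_elem, an extra close tag would drive depth to -1 and the next push would write before the heap block; that out-of-bounds write is what a crash report would attribute to the heap, while the defect is the missing check on pop. The token format ("+name" opens, "-name" closes), the depth limit and all names are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_DEPTH 8    /* constructed nesting limit for this example */
#define NAME_MAX  16   /* constructed element-name limit */

enum {
    XML_OK = 0,
    XML_ERR_TOO_DEEP,   /* nesting deeper than the stack can hold */
    XML_ERR_UNDERFLOW,  /* close tag with no open element */
    XML_ERR_MISMATCH,   /* close tag names a different element */
    XML_ERR_UNCLOSED,   /* input ended with elements still open */
    XML_ERR_BAD_TOKEN   /* malformed token or over-long name */
};

/* Open-element stack kept on the heap, as a real parser's typically is. */
struct elem_stack {
    char (*names)[NAME_MAX];
    int depth;
};

static int stack_init(struct elem_stack *s)
{
    s->names = malloc(sizeof(*s->names) * MAX_DEPTH);
    s->depth = 0;
    return s->names ? XML_OK : -1;
}

static int push_elem(struct elem_stack *s, const char *name)
{
    /* Bounds check on the top: too-deep nesting must not write past the block. */
    if (s->depth >= MAX_DEPTH) return XML_ERR_TOO_DEEP;
    if (strlen(name) >= NAME_MAX) return XML_ERR_BAD_TOKEN;
    strcpy(s->names[s->depth++], name);
    return XML_OK;
}

static int pop_elem(struct elem_stack *s, const char *name)
{
    /* Root-cause check: an unmatched close tag must not drive depth below
     * zero. Without this line depth would become -1, and the following push
     * would write names[-1], i.e. before the heap allocation. */
    if (s->depth == 0) return XML_ERR_UNDERFLOW;
    if (strcmp(s->names[s->depth - 1], name) != 0) return XML_ERR_MISMATCH;
    s->depth--;
    return XML_OK;
}

/* Walk a constructed token stream and report the first structural error. */
int check_nesting(const char *const *tokens, int count)
{
    struct elem_stack s;
    int rc = stack_init(&s);
    if (rc != XML_OK) return rc;
    for (int i = 0; i < count && rc == XML_OK; i++) {
        if (tokens[i][0] == '+')      rc = push_elem(&s, tokens[i] + 1);
        else if (tokens[i][0] == '-') rc = pop_elem(&s, tokens[i] + 1);
        else                          rc = XML_ERR_BAD_TOKEN;
    }
    if (rc == XML_OK && s.depth != 0) rc = XML_ERR_UNCLOSED;
    free(s.names);
    return rc;
}

int main(void)
{
    const char *const well_formed[] = {"+root", "+item", "-item", "-root"};
    const char *const extra_close[] = {"+root", "-root", "-root"};
    printf("well-formed: %d\n", check_nesting(well_formed, 4));   /* XML_OK */
    printf("extra close: %d\n", check_nesting(extra_close, 3));   /* XML_ERR_UNDERFLOW */
    return 0;
}
```

A fix that only guarded the write in push_elem would silence the crash but leave the parser's state wrong after every stray close tag; validating the pop is the change that removes the class of bug.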
Example #2: The agent can create non-trivial patches
In this example, the CodeMender agent successfully developed a non-trivial patch that resolves a complex object-lifetime problem.
The agent not only found the cause of the vulnerability, but also modified the project's entirely custom C code generation system to apply the fix.