Netinfo Security ›› 2024, Vol. 24 ›› Issue (6): 917-925.doi: 10.3969/j.issn.1671-1122.2024.06.009


Security Analysis of Cryptographic Application Code Generated by Large Language Model

GUO Xiangxin1, LIN Jingqiang1 (corresponding author), JIA Shijie2, LI Guangzheng1

  1. School of Cyber Security, University of Science and Technology of China, Hefei 230027, China
  2. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100085, China
  Received: 2024-04-11  Online: 2024-06-10  Published: 2024-07-05

Abstract:

With the extensive application of large language models (LLMs) in software development, the gains in development efficiency have also introduced new security risks, particularly in the field of cryptographic applications, which demand high security. This paper proposes an open-source prompt dataset named LLMCryptoSE, containing 460 natural-language prompts describing cryptographic scenarios, to assess the security of code generated by LLMs for cryptographic applications. Through an in-depth analysis of the code snippets generated by LLMs, the paper primarily evaluates cryptographic API misuse, combining the static analysis tool CryptoGuard with manual review to conduct a detailed evaluation of 1380 code snippets. The assessment of three mainstream LLMs, ChatGPT 3.5, ERNIE 3.5, and Spark 3.5, revealed that 52.90% of the code snippets contained at least one instance of cryptographic misuse, with Spark 3.5 performing relatively better at a misuse rate of 48.48%. Based on these findings, the study not only reveals the challenges LLMs currently face in cryptographic application security, but also offers a series of recommendations for LLM users and developers to enhance security, aiming to provide practical guidance for improving the application of LLMs in the cryptographic field.
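To make concrete what "cryptographic API misuse" means in generated code and how a static check flags it, the following is an added example, not code from the paper, from CryptoGuard, or from the LLMCryptoSE dataset. It is a deliberately small rule-based scanner for Java-style JCA calls (weak hashes, ECB mode, hard-coded keys, all-zero IVs, low PBKDF2 iteration counts) run over three constructed snippets, one of which is a hardened counterpart. The rule names, the `MIN_ITERATIONS` threshold and the snippets are assumptions made for this illustration; real tools such as CryptoGuard track data flow rather than matching text, which is also why the paper pairs the tool with manual review.

```python
"""Toy cryptographic-API misuse scanner (illustrative, constructed for this page).

It applies a handful of regex rules to Java-style snippets and reports the
misuse classes it recognises.  Both the rules and the sample snippets below
are constructed for the example; it is not CryptoGuard.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    rule: str   # misuse class that fired
    line: int   # 1-based line within the snippet
    text: str   # offending source line, stripped


# Rule set (assumed): name -> pattern.  Each pattern targets one well-known
# misuse class in the Java Cryptography Architecture.
RULES = [
    # MD5 / SHA-1 as a MessageDigest algorithm
    ("weak-hash", re.compile(r'getInstance\(\s*"(MD5|SHA-?1)"')),
    # Explicit ECB block mode
    ("ecb-mode", re.compile(r'Cipher\.getInstance\(\s*"[A-Za-z0-9]+/ECB/')),
    # Bare "AES"/"DES" transformation: JCA defaults this to ECB
    ("default-ecb", re.compile(r'Cipher\.getInstance\(\s*"(AES|DES)"\s*\)')),
    # Key material taken from a string literal in the source
    ("hardcoded-key", re.compile(r'new\s+SecretKeySpec\(\s*"[^"]*"\.getBytes')),
    # All-zero (static) IV
    ("static-iv", re.compile(r'new\s+IvParameterSpec\(\s*new\s+byte\[\d+\]')),
    # PBKDF2 iteration count captured in group 1, checked against a threshold
    ("low-pbkdf2-iterations", re.compile(r'PBEKeySpec\([^;]*,\s*(\d+)\s*,')),
]
MIN_ITERATIONS = 10000  # assumed threshold for this example


def scan(snippet: str) -> List[Finding]:
    """Return every rule hit in the snippet, in line order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(snippet.splitlines(), start=1):
        for name, pattern in RULES:
            match = pattern.search(line)
            if not match:
                continue
            # The iteration rule only fires when the count is below threshold.
            if name == "low-pbkdf2-iterations" and int(match.group(1)) >= MIN_ITERATIONS:
                continue
            findings.append(Finding(name, lineno, line.strip()))
    return findings


def misuse_rate(snippets: List[str]) -> float:
    """Fraction of snippets with at least one finding (the paper's headline metric)."""
    flagged = sum(1 for s in snippets if scan(s))
    return flagged / len(snippets)


# Constructed sample snippets (not taken from any LLM output on the page).
INSECURE_SNIPPET = """\
MessageDigest md = MessageDigest.getInstance("MD5");
Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
SecretKeySpec key = new SecretKeySpec("0123456789abcdef".getBytes(), "AES");
"""

WEAK_KDF_SNIPPET = """\
PBEKeySpec spec = new PBEKeySpec(password, salt, 1000, 256);
IvParameterSpec iv = new IvParameterSpec(new byte[16]);
"""

# Hardened counterpart: random key, authenticated mode, high iteration count.
SECURE_SNIPPET = """\
byte[] keyBytes = new byte[32];
new SecureRandom().nextBytes(keyBytes);
SecretKeySpec key = new SecretKeySpec(keyBytes, "AES");
Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
PBEKeySpec spec = new PBEKeySpec(password, salt, 600000, 256);
"""

if __name__ == "__main__":
    corpus = [INSECURE_SNIPPET, WEAK_KDF_SNIPPET, SECURE_SNIPPET]
    for i, snippet in enumerate(corpus, start=1):
        for f in scan(snippet):
            print(f"snippet {i} line {f.line}: {f.rule}: {f.text}")
    print(f"misuse rate: {misuse_rate(corpus):.2%}")
```

The scanner reports a snippet as misusing cryptography if any rule fires, which is the same per-snippet counting the abstract uses for its 52.90% figure. Text patterns like these over-match (a key read from a config string still looks "hard-coded") and under-match (a key literal reached through a variable is missed), which is exactly the gap manual review closes.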

Key words: large language model, cryptographic application security prompts, cryptographic misuse detection
