While large language models are rapidly improving, mistakes in code security can be very costly. CodeMender's automatic validation process ensures that code changes are correct across many dimensions by surfacing for human review only high-quality patches that, for instance, fix the root cause of the issue, are functionally correct, cause no regressions and follow style guidelines.
As part of our research, we also developed new techniques and tools that allow CodeMender to reason about code and validate changes more effectively. These include:
- Advanced program analysis: We developed tools based on advanced program analysis, including static analysis, dynamic analysis, differential testing, fuzzing and SMT solvers. Using these tools to systematically examine code patterns, control flow and data flow, CodeMender can better identify the root causes of security flaws and architectural weaknesses.
- Multi-agent systems: We developed special-purpose agents that enable CodeMender to tackle specific aspects of an underlying problem. For instance, CodeMender uses a large language model-based critique tool that highlights the differences between the original and modified code to verify that the proposed changes don't introduce regressions, and self-corrects as needed.
Fixing vulnerabilities
To effectively patch a vulnerability, and stop it from re-emerging, CodeMender uses a debugger, a source code browser, and other tools to pinpoint root causes and devise patches. We've included two examples of CodeMender patching vulnerabilities in the video carousel below.
Example #1: Identifying the root cause of a vulnerability
Here's a snippet of the agent's reasoning about the root cause behind a CodeMender-generated patch, after analyzing debugger output and the results of a code search tool.
Although the final patch in this instance modified only a few lines of code, the root cause of the vulnerability was not immediately clear. In this case, the crash report showed a heap buffer overflow, but the actual problem was elsewhere: incorrect stack management of Extensible Markup Language (XML) elements during parsing.
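The following is an added illustration of the kind of root cause described above; it is example code written for this page, not CodeMender's patch or code from the project it patched, and every name and error code in it is invented. A tag parser keeps a stack of currently open element names. If the pop on a close tag has no underflow check, an unbalanced close tag drives the depth to -1, and the next open tag writes its name before the start of the array; if the push has no depth limit, deep nesting writes past its end. A sanitizer reports the out-of-bounds write where it happens, not at the bookkeeping mistake that caused it. The version below carries the two checks a patch would add and reports each failure distinctly.

```c
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 8   /* constructed limit on open-element nesting */
#define MAX_NAME 16   /* constructed limit on element-name length  */

enum parse_result {
    PARSE_OK = 0,
    PARSE_ERR_MALFORMED = 1,   /* bad syntax, name too long, or unclosed elements */
    PARSE_ERR_TOO_DEEP = 2,    /* push with a full stack */
    PARSE_ERR_UNDERFLOW = 3,   /* close tag with an empty stack */
    PARSE_ERR_MISMATCH = 4     /* close tag does not match the open element */
};

/* Stack of currently open element names. */
struct elem_stack {
    char names[MAX_DEPTH][MAX_NAME];
    int depth;
};

static int push_elem(struct elem_stack *s, const char *name, size_t len) {
    /* Without this check, the 9th nested element writes names[MAX_DEPTH]. */
    if (s->depth >= MAX_DEPTH) return PARSE_ERR_TOO_DEEP;
    if (len >= MAX_NAME) return PARSE_ERR_MALFORMED;
    memcpy(s->names[s->depth], name, len);
    s->names[s->depth][len] = '\0';
    s->depth++;
    return PARSE_OK;
}

static int pop_elem(struct elem_stack *s, const char *name, size_t len) {
    /* Without this check, depth becomes -1 and the next push writes names[-1]:
       the memory error surfaces at the push, far from the stray close tag. */
    if (s->depth == 0) return PARSE_ERR_UNDERFLOW;
    s->depth--;
    if (strlen(s->names[s->depth]) != len ||
        memcmp(s->names[s->depth], name, len) != 0)
        return PARSE_ERR_MISMATCH;
    return PARSE_OK;
}

/* Parse a minimal tag stream such as "<a><b></b></a>" (no attributes or text).
   Returns PARSE_OK only when every open tag is closed in order. */
int parse_tags(const char *xml) {
    struct elem_stack st;
    const char *p = xml;
    st.depth = 0;
    while (*p) {
        if (*p != '<') return PARSE_ERR_MALFORMED;
        p++;
        int closing = 0;
        if (*p == '/') { closing = 1; p++; }
        const char *start = p;
        while (*p && *p != '>') p++;
        if (*p != '>') return PARSE_ERR_MALFORMED;
        size_t len = (size_t)(p - start);
        if (len == 0) return PARSE_ERR_MALFORMED;
        int rc = closing ? pop_elem(&st, start, len) : push_elem(&st, start, len);
        if (rc != PARSE_OK) return rc;
        p++;
    }
    return st.depth == 0 ? PARSE_OK : PARSE_ERR_MALFORMED;
}

int main(void) {
    /* Constructed inputs: one well-formed, one with the stray close tag
       that the missing underflow check would turn into a memory error. */
    const char *inputs[] = { "<a><b></b></a>", "</a>", "<a></b>" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-16s -> %d\n", inputs[i], parse_tags(inputs[i]));
    return 0;
}
```

The point of returning a distinct code for underflow is the same one the example above makes: a crash report names the symptom, and a patch that only guards the site of the overflow would leave the unbalanced-stack bug in place.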
Example #2: Agent is able to create non-trivial patches
In this instance, the CodeMender agent was able to come up with a non-trivial patch that deals with a complex object lifetime issue.
The agent was not only able to work out the root cause of the vulnerability, but was also able to modify a fully custom system for generating C code inside the project.
