Asleep at the Keyboard? Assessing the Security of GitHub Copilot’s Code Contributions

Summary

GitHub Copilot is an AI-based code completion extension available on VS code, which automatically generates code when the developer gives some programming context. It is based on Codex, a GPT-3-based lanuage model fine-tuned on code from GitHub. However, a recent research discovers that GitHub Copilot may recommend insecure code. Because the prediction score is evaluated to offer the most common/likely code snippets (instead of the code with highest quality) with the given context, as the model is trained on public open-source code that may contain bugs or vulnerabilities, it inevitably suggests code completion that can introduce high-risk cybersecurity weaknesses in some scenarios.

A Survey on Firmware Security   MiniBox: A Two-Way Sandbox for x86 Native Code (ACT’14)