AICL, Sep 22, 2025

LLaVul: A Multimodal LLM for Interpretable Vulnerability Reasoning about Source Code

arXiv:2509.17337v1 | 1 citation | h-index: 2 | ICSC
Originality: Incremental advance
AI Analysis

This addresses the need for more interpretable and security-focused reasoning tools for software developers and security analysts, though it is incremental as it builds on existing LLM approaches.

The paper tackles the problem of vulnerability analysis in source code by proposing LLaVul, a multimodal LLM that provides fine-grained reasoning through question-answering, and it outperforms state-of-the-art models in QA and detection tasks.

Increasing complexity in software systems places a growing demand on reasoning tools that expose vulnerabilities manifest in source code. Many current approaches treat vulnerability analysis as a classification task, oversimplifying the nuanced and context-dependent real-world scenarios. Even though current code large language models (LLMs) excel in code understanding, they often pay little attention to security-specific reasoning. We propose LLaVul, a multimodal LLM tailored to provide fine-grained reasoning about code through question-answering (QA). Our model is trained to integrate paired code and natural-language queries into a unified space, enhancing reasoning and context-dependent insights about code vulnerability. To evaluate our model's performance, we construct a curated dataset of real-world vulnerabilities paired with security-focused questions and answers. Our model outperforms state-of-the-art general-purpose and code LLMs in the QA and detection tasks. We further explain decision-making by conducting a qualitative analysis to highlight capabilities and limitations. By integrating code and QA, LLaVul enables more interpretable and security-focused code understanding.

Foundations

The foundational work for this paper's niche, ranked by how specifically the neighbourhood builds on it — not by global fame.
