Vul-R2: A Reasoning LLM for Automated Vulnerability Repair
This work addresses the urgent need for automated vulnerability repair in software security, but it appears incremental as it builds on existing LLM approaches without claiming major breakthroughs.
The paper tackles the problem of automatic vulnerability repair (AVR) by addressing challenges in existing LLM-based methods, such as lack of vulnerability-specific reasoning data and difficulty in verifying intermediate repair processes, though no concrete results or numbers are provided.
The exponential increase in software vulnerabilities has created an urgent need for automatic vulnerability repair (AVR) solutions. Recent research has formulated AVR as a sequence generation problem and has leveraged large language models (LLMs) to address it. Typically, these approaches prompt or fine-tune LLMs to generate repairs for vulnerabilities directly. Although these methods show state-of-the-art performance, they face the following challenges: (1) Lack of high-quality, vulnerability-related reasoning data. Current approaches primarily rely on foundation models that mainly encode general programming knowledge. Without vulnerability-related reasoning data, they often fail to capture the diverse vulnerability repair patterns. (2) Difficulty verifying the intermediate vulnerability repair process during LLM training. Existing reinforcement learning methods often leverage intermediate execution feedback from the environment (e.g., sandbox-based execution results) to guide training. In contrast, the vulnerability repair process generally lacks such intermediate, verifiable feedback, which poses additional challenges for model training.