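Exploit
Computer science
Task (project management)
Construct (Python library)
Process (computing)
Software
Artificial intelligence
Machine learning
Coding (set theory)
Software engineering
Computer security
Programming language
Management
Set (abstract data type)
Economics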
Authors
Xiaoming Ruan, Y M Yu, Wenhao Ma, Bo Cai
Identifier
DOI:10.1145/3609437.3609445
Abstract
A software exploit is a sequence of commands that exploits software vulnerabilities or security flaws, written either by security researchers as a Proof-Of-Concept (POC) threat or by malicious attackers for use in their operations. Writing exploits is a challenging task since it is time-consuming and costly. Pre-trained Language Models (PLMs) for code can benefit automatic exploit generation, achieving state-of-the-art performance. However, the typical paradigm for using these PLMs is fine-tuning, which leads to a significant gap between the language model pre-training and the target task fine-tuning process since they are in different forms. In this paper, we propose a prompt learning approach PT4Exploits based on the PLM, i.e., CodeT5 to automatically generate desired exploits by modifying the original English description inputs. More specifically, PT4Exploits can better elicit knowledge from the PLM by inserting trainable prompt tokens into the original input to construct the same form as the pre-training tasks. Experimental results show that our approach can significantly outperform baseline models on both automatic evaluation and human evaluation. Additionally, we conduct extensive experiments to investigate the performance of prompt learning on few-shot settings and the scenario of different prompt templates, which also show the competitive effectiveness of PT4Exploits.