AI-Driven Code Repair: Enhancing Software Security with ESBMC-AI



Aims

To develop an AI-powered tool, ESBMC-AI, to automatically find and fix software vulnerabilities, improving security and freeing developers for creative tasks.

Overview

Project Lead Yiannis Charalambous explains:

“We’re working on a tool called ESBMC-AI that uses advanced AI models and formal verification to automatically find and fix security vulnerabilities in software code. Right now, Large Language Models (LLMs) can generate code, but they often miss hidden security flaws. That’s where our tool comes in. ESBMC-AI acts like a security expert, checking the code produced by the AI and making sure it’s safe. If it finds an issue, it points out the problem and helps correct it.

Our goal is to make the process of identifying and fixing software vulnerabilities faster and easier for developers, so they can focus on building new features instead of hunting for bugs. We’re currently developing a prototype and plan to launch a user-friendly website where developers can test and repair their code. In the future, we aim to integrate ESBMC-AI into popular tools like VSCode and GitHub, so it becomes a seamless part of the development process.”

NW CyberCom is a £1.2 million project aiming to unlock the cyber security potential of the North West. Led by Lancaster University, the project sees six partner universities capture the latest cyber security innovations, working with entrepreneurs, investors, government and businesses to transform cutting-edge knowledge into new products, services and policy. The primary goal is to strengthen protection for consumers, businesses, and UK infrastructure.

Results and Outcomes

For Partners and Engagement

Collaboration with industry partners has been vital in shaping ESBMC-AI. By working directly with developers and cybersecurity experts, the team have gained insights that have guided the development of the tool. ESBMC-AI has shown great potential in automatically fixing complex bugs, particularly those related to memory—one of the biggest sources of vulnerabilities in software. Feedback from the partners has been positive, with many seeing the value in a tool that not only finds but also fixes security issues. The team have learned that integrating the tool into existing development environments, like VSCode and GitHub’s Continuous Integration (CI) system, is essential for widespread adoption. They are also exploring the creation of a subscription model for enterprise users to sustain ongoing development and improvements.

For Academics

From an academic perspective, this project has highlighted the importance of combining theoretical research with practical application. The use of formal verification in tandem with AI has proven to be a powerful approach, and the team believe this could open new avenues for research in automated program repair. One key takeaway is the importance of usability - the tool needs to be not only effective but also easy for developers to use. This project has also underscored the value of interdisciplinary collaboration, bringing together expertise in AI, cybersecurity, and software engineering. Moving forward, they would advise colleagues to prioritise industry collaboration early in the research process, as this can significantly enhance the relevance and impact of the work.

