🤖 AI Summary
This work addresses the persistent challenge of memory safety errors in C programs, which stem from implicit memory usage semantics and the high cost of manual annotation. The authors propose a novel approach that leverages large language models—specifically OpenAI o3 and GPT-4o—to automatically generate formal memory safety annotations. These annotations are then integrated into CN, a hybrid testing and verification framework, enabling end-to-end validation. The method demonstrates substantial improvements in both efficiency and accuracy: OpenAI o3 achieves a 90% success rate on first-attempt annotation generation (97% overall), while GPT-4o attains 65%. These results substantiate the feasibility and practical promise of using AI to assist in rigorous memory safety analysis for low-level code.
📝 Abstract
Memory safety errors account for a large proportion of security bugs in systems written in C; modern languages such as Java and Rust prevent such bugs because they are memory-safe by design. To migrate systems to safer languages or identify memory errors, we must first determine how legacy code manipulates memory. This information is only represented implicitly in such code.
In many cases, memory usage patterns are merely tedious for humans to figure out, rather than truly difficult. In this work, we ask if large language models (LLMs) can perform this task by having them synthesize annotations representing memory usage as specifications in CN, a hybrid testing/verification tool. Our tool, CNnotator, uses LLMs to automatically generate and test CN specifications. We find that current models are able to generate CN specifications for small-to-medium C programs, with the OpenAI o3 reasoning model achieving a 90% success rate on first attempts and 97% overall success, while the chat model GPT-4o correctly annotates 65% of first attempts. These results suggest AI-assisted annotation is becoming practical for real-world C codebases.