多智能体代码安全生成方法
A Multi-Agent Method for Secure Code Generation
张泽豪 1何永忠1
作者信息
- 1. 北京交通大学网络空间安全学院,北京100044
- 折叠
摘要
大语言模型明显提高了代码生成效率,但补丁安全性的审查能力未能同步提升;在缺少充分审查的开发流程中,生成代码可能把缺陷一并引入工程。已有面向安全的工作仍存在两类不足:外部工具的原始输出被直接送入模型,会引发上下文膨胀与注意力偏移;改动范围常常超出修复所需的相关代码范围,原本可用的功能因此遭到破坏。本文提出一种多智能体代码安全生成方法:蓝队负责生成补丁,静态红队检查结构风险,动态红队通过回归测试和定向复测验证运行行为,仲裁器根据一级智能体反馈把候选划成四类联合状态,对冲突状态触发复查后再作判定。该方法还加入基于记忆黑板的分层上下文管理与按语义侵入度排序的补丁选择,逐步缩小候选补丁范围。在 SecCodeBench-v2 上的实验结果显示,方法在四个主流大模型上的平均安全补丁生成率达到 69.7\%,比单模型基线高约 11.6 个百分点,相对提升约 20.1\%;冲突态样本占比达到 54.3\%,方法在该子集上比次优基线领先 3.0 到 5.0 个百分点。
Abstract
Large language models have greatly amplified code productivity, while the capability to safeguard patch security has not caught up; without sufficient review, generated code may introduce defects into engineering workflows. Existing security-oriented approaches suffer from two main limitations: feeding raw tool outputs to the model causes context inflation and attention drift, and modification scopes often exceed the necessary scope required for repair, which breaks otherwise working functionality. This paper presents a multi-agent method for secure code generation: a blue team generates candidate patches, a static red team checks structural risks, a dynamic red team validates runtime behavior through regression testing and targeted replay, and an arbitrator partitions candidates into four joint states based on feedback from the first-level agents, and triggers rechecking for conflicting states before reaching a decision. The framework is further equipped with a memory-blackboard-based hierarchical context governance method and a semantic-intrusiveness-based ranking for patch selection, confining the final patch to the necessary repair scope. Experiments on SecCodeBench-v2 show that the method reaches an average secure patch generation rate of 69.7\% over four mainstream LLMs, about 11.6 percentage points above the single-model baseline, or a relative improvement of about 20.1\%; conflicting states account for 54.3\% of the samples, on which the method leads the second-best baseline by 3.0 to 5.0 percentage points.关键词
软件安全/多智能体/上下文管理/补丁优化/安全代码生成Key words
Software security/Multi-agent/Context governance/Patch optimization/Secure code generation引用本文复制引用
张泽豪,何永忠.多智能体代码安全生成方法[EB/OL].(2026-05-28)[2026-06-03].http://www.paper.edu.cn/releasepaper/content/202605-125.学科分类
计算技术、计算机技术
