HAMLOCK: HArdware-Model LOgically Combined attacK

📅 2025-10-21
🤖 AI Summary
Third-party hardware accelerators (FPGAs/ASICs) introduce novel security threats at the hardware–software interface. Method: This paper proposes HAMLOCK, the first backdoor attack that decouples malicious logic across the hardware–software boundary: a minimal model-side fine-tuning induces subtle, targeted activation patterns (e.g., MSB spikes or 8-bit exponent anomalies), while a hardware Trojan monitors these patterns in real time and directly corrupts output logic to trigger misclassification—bypassing full-model activation paths. Contribution/Results: HAMLOCK achieves near-100% attack success rates on MNIST, CIFAR-10, GTSRB, and ImageNet, with negligible accuracy degradation (<0.5%) on clean samples. It incurs only 0.01% hardware overhead and evades all mainstream model-level defenses and hardware Trojan detection techniques. This work uncovers a critical vulnerability in hardware–software co-design interfaces and calls for cross-layer defense paradigms.

📝 Abstract
The growing use of third-party hardware accelerators (e.g., FPGAs, ASICs) for deep neural networks (DNNs) introduces new security vulnerabilities. Conventional model-level backdoor attacks, which only poison a model's weights to misclassify inputs with a specific trigger, are often detectable because the entire attack logic is embedded within the model (i.e., software), creating a traceable layer-by-layer activation path. This paper introduces the HArdware-Model Logically Combined Attack (HAMLOCK), a far stealthier threat that distributes the attack logic across the hardware-software boundary. The software (model) is now only minimally altered by tuning the activations of a few neurons to produce uniquely high activation values when a trigger is present. A malicious hardware Trojan detects those unique activations by monitoring the corresponding neurons' most significant bit or the 8-bit exponents and triggers another hardware Trojan to directly manipulate the final output logits for misclassification. This decoupled design is highly stealthy, as the model itself contains no complete backdoor activation path as in conventional attacks and hence appears fully benign. Empirically, across benchmarks like MNIST, CIFAR10, GTSRB, and ImageNet, HAMLOCK achieves a near-perfect attack success rate with a negligible clean accuracy drop. More importantly, HAMLOCK circumvents the state-of-the-art model-level defenses without any adaptive optimization. The hardware Trojan is also undetectable, incurring area and power overheads as low as 0.01%, which is easily masked by process and environmental noise. Our findings expose a critical vulnerability at the hardware-software interface, demanding new cross-layer defenses against this emerging threat.

Problem

Research questions and friction points this paper is trying to address.

Introduces stealthy hardware-software combined backdoor attack on DNNs
Distributes attack logic across hardware and software for undetectability
Circumvents existing model-level defenses with minimal performance overhead

Innovation

Methods, ideas, or system contributions that make the work stand out.

Distributes attack logic across hardware-software boundary
Uses minimal model alterations with unique neuron activations
Employs hardware Trojans to manipulate final output logits
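
The abstract describes the model-side signal as a few neurons whose activations become uniquely high, visible in the 8-bit exponent. The following added example (not from the paper or its authors) shows that signal from an auditor's side: it extracts the IEEE-754 float32 exponent field of each activation and flags neurons that exceed a clean-data baseline. The float32 representation, the margin, the function names and all sample activations are constructed assumptions.

```python
import struct

def fp32_exponent(x: float) -> int:
    """Return the 8-bit biased exponent field of x stored as IEEE-754 float32."""
    bits = struct.unpack("<I", struct.pack("<f", x))[0]
    return (bits >> 23) & 0xFF  # bits 30..23; the sign bit is ignored

def calibrate(clean_runs):
    """Per-neuron maximum exponent observed over clean activation vectors."""
    width = len(clean_runs[0])
    if any(len(run) != width for run in clean_runs):
        raise ValueError("activation vectors must have equal length")
    return [max(fp32_exponent(run[i]) for run in clean_runs)
            for i in range(width)]

def audit(activations, baseline, margin=2):
    """Indices of neurons whose exponent exceeds the clean baseline by > margin.

    A margin of 2 tolerates a 4x growth in magnitude before flagging
    (hypothetical threshold, chosen for this example only).
    """
    if len(activations) != len(baseline):
        raise ValueError("activation vector does not match baseline width")
    return [i for i, a in enumerate(activations)
            if fp32_exponent(a) > baseline[i] + margin]

# Constructed sample data: post-ReLU activations of one 4-neuron layer.
CLEAN_RUNS = [
    [0.0, 1.5, 0.9, 3.2],
    [0.4, 2.1, 1.1, 0.0],
    [0.7, 0.3, 2.5, 1.8],
]
BENIGN_INPUT = [0.6, 1.0, 2.0, 3.9]
OUTLIER_INPUT = [0.5, 1.9, 900.0, 2.2]   # neuron 2 spikes far above baseline

if __name__ == "__main__":
    baseline = calibrate(CLEAN_RUNS)
    print("baseline exponents:", baseline)
    print("benign flagged:   ", audit(BENIGN_INPUT, baseline))
    print("outlier flagged:  ", audit(OUTLIER_INPUT, baseline))
```

Because an activation's magnitude class is readable from eight bits, the comparison needs no arithmetic on the full value, which is consistent with the small hardware overhead the abstract reports for monitoring it.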