FloatDoor: Platform-Triggered Backdoors in LLMs

📅 2026-06-17
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work identifies a novel security threat arising from behavioral inconsistencies in large language models across diverse deployment platforms—such as NVIDIA GPUs, TPUs, Graviton, and Yitian-710—caused by the non-associativity of floating-point arithmetic. The study proposes the first input-agnostic, platform-triggered backdoor attack, leveraging lightweight LoRA adapters to amplify subtle cross-platform numerical discrepancies and bind them to malicious behavior. By exploiting the temporal gap between model auditing and deployment, the method precisely activates the backdoor while preserving overall model performance. Experiments on Qwen3-4B demonstrate that the approach reliably generates exploitable code vulnerabilities on targeted platforms, revealing that the deployment environment itself can serve as a stealthy trigger for backdoor activation.
📝 Abstract
Large language models (LLMs) are increasingly deployed in sensitive settings such as software engineering, where their outputs directly shape downstream artifacts. Recent work has shown that an identical model can produce measurably different outputs depending on the deployment platform, a consequence of non-associative floating-point arithmetic and divergent kernel implementations. We study the security implications of this platform-dependent variability and uncover a novel attack surface on LLM deployments. We introduce FloatDoor, the first input-independent, platform-triggered backdoor attack against generative LLMs. The compromised model exhibits adversary-chosen behavior when served on a target platform and is otherwise benign. FloatDoor is realized through two lightweight LoRA adapters, one that amplifies inter-platform numerical divergence and one that binds the resulting platform signature to a malicious downstream task, while leaving aggregate model utility largely intact. FloatDoor exploits a pronounced time-of-check, time-of-use gap between model auditing and serving. We demonstrate FloatDoor on Qwen3-4B across a broad range of deployment targets, including NVIDIA GPUs, Google TPUs, AWS Graviton, and Alibaba Yitian-710. As a final case study, we show that FloatDoor reliably induces exploitable code vulnerabilities on a chosen target platform. Our results establish a new class of attacks on LLM deployments and underscore the pressing need for trusted model supply chains in sensitive, LLM-powered applications.
Problem

Research questions and friction points this paper is trying to address.

backdoor attack
platform dependency
large language models
floating-point arithmetic
model security
Innovation

Methods, ideas, or system contributions that make the work stand out.

platform-triggered backdoor
floating-point divergence
LoRA adapters
LLM security
hardware-dependent behavior