🤖 AI Summary
This work introduces Timber, a white-box data poisoning attack designed for decision tree models, used to evaluate their vulnerability at training time. The attack estimates the damage caused by poisoning a training instance by retraining only the affected sub-tree, and uses a tree annotation step to rank instances by the computational cost of that retraining, which yields a greedy attack with an early stopping criterion; the attack is further extended to random forests. Key contributions: (1) the first white-box poisoning attack targeting decision trees; (2) a structure-aware sub-tree retraining mechanism for damage estimation; and (3) a cost-ordered variant that makes the attack feasible on larger datasets. Experiments on public datasets show that the attacks outperform existing poisoning baselines in effectiveness, efficiency, or both, and that two representative defenses only partially mitigate their impact without blocking them.
📝 Abstract
We present Timber, the first white-box poisoning attack targeting decision trees. Timber is based on a greedy attack strategy that leverages sub-tree retraining to efficiently estimate the damage caused by poisoning a given training instance. The attack relies on a tree annotation procedure, which enables the sorting of training instances so that they are processed in increasing order of the computational cost of sub-tree retraining. This sorting yields a variant of Timber that supports an early stopping criterion, designed to make poisoning attacks more efficient and feasible on larger datasets. We also discuss an extension of Timber to traditional random forest models, which is valuable since decision trees are typically combined into ensembles to improve their predictive power. Our experimental evaluation on public datasets demonstrates that our attacks outperform existing baselines in terms of effectiveness, efficiency, or both. Moreover, we show that two representative defenses can mitigate the effect of our attacks, but fail to effectively thwart them.
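The greedy, cost-ordered procedure the abstract describes, as an added example in pure Python that is not Timber's code and not taken from the paper: a small CART-style tree, a damage estimate obtained by regrowing only the sub-tree whose split the poisoned instance can affect, candidates ranked by the number of training rows that regrowing touches, and an optional early-stopping cut-off on the cumulative cost. Poisoning is modelled here as flipping one training label; the cost model, the early-stopping rule, the tie-breaking, the names `greedy_poison` / `run_demo` and the toy data are all assumptions of this example, not the paper's.

```python
class Node:  # tree node annotated with the training rows (idx) that reach it
    def __init__(self, idx, depth, parent=None):
        self.idx, self.depth, self.parent = idx, depth, parent
        self.feat = self.thr = self.left = self.right = self.label = None

def gini(labels):
    p = sum(labels) / len(labels) if labels else 0.0
    return 2.0 * p * (1.0 - p)
def majority(labels):  # ties resolve to class 1 (assumption)
    return 1 if 2 * sum(labels) >= len(labels) else 0

def best_split(X, y, idx):
    """Lowest weighted-Gini midpoint split over all features; first minimum wins."""
    best = None
    for f in range(len(X[0])):
        vals = sorted({X[i][f] for i in idx})
        for a, b in zip(vals, vals[1:]):
            thr = (a + b) / 2.0
            l, r = [i for i in idx if X[i][f] <= thr], [i for i in idx if X[i][f] > thr]
            s = (len(l) * gini([y[i] for i in l]) + len(r) * gini([y[i] for i in r])) / len(idx)
            if best is None or s < best[0]:
                best = (s, f, thr, l, r)
    return best

def grow(X, y, idx, depth, max_depth, parent=None):  # CART-style learner, also used to regrow sub-trees
    node, labels = Node(idx, depth, parent), [y[i] for i in idx]
    node.label = majority(labels)
    split = best_split(X, y, idx) if depth < max_depth and gini(labels) > 0.0 else None
    if split and split[0] < gini(labels):
        _, node.feat, node.thr, l, r = split
        node.left = grow(X, y, l, depth + 1, max_depth, node)
        node.right = grow(X, y, r, depth + 1, max_depth, node)
    return node

def path(node, x):  # nodes visited by x from `node` down to a leaf
    nodes = [node]
    while nodes[-1].feat is not None:
        n = nodes[-1]
        nodes.append(n.left if x[n.feat] <= n.thr else n.right)
    return nodes

def predict(node, x):
    return path(node, x)[-1].label
def accuracy(tree, X, y):
    return sum(predict(tree, x) == t for x, t in zip(X, y)) / len(y)

def retrain_root(tree, x):
    """Sub-tree to regrow if x's label flips: parent of x's leaf (assumed cost model), else the root."""
    leaf = path(tree, x)[-1]
    return leaf if leaf.parent is None else leaf.parent

def damage_if_flipped(tree, X, y, Xv, yv, i, max_depth):
    """Validation-accuracy drop from flipping y[i], estimated by regrowing only the affected
    sub-tree (splits above it are kept, so this approximates a full retrain); only the
    validation rows routed through that sub-tree can change prediction and are re-scored."""
    node = retrain_root(tree, X[i])
    routed = [j for j, xv in enumerate(Xv) if node in path(tree, xv)]
    y_p = y[:i] + [1 - y[i]] + y[i + 1:]
    sub = grow(X, y_p, node.idx, node.depth, max_depth)
    before = sum(predict(node, Xv[j]) == yv[j] for j in routed)
    after = sum(predict(sub, Xv[j]) == yv[j] for j in routed)
    return (before - after) / len(Xv), node, sub

def attach(tree, old, new):  # splice the regrown sub-tree in place of the old one
    new.parent = old.parent
    if old.parent is None:
        return new
    setattr(old.parent, "left" if old.parent.left is old else "right", new)
    return tree

def greedy_poison(X, y, Xv, yv, budget, max_depth=2, max_cost=None):
    """Greedy label flipping: each round ranks candidates by retraining cost (rows in the sub-tree
    to regrow), stops evaluating once the cumulative cost exceeds max_cost (assumed early-stopping
    rule), then flips the most damaging candidate and splices its regrown sub-tree into the tree."""
    y_p = list(y)
    tree = grow(X, y_p, list(range(len(X))), 0, max_depth)
    flipped, total = [], 0.0
    for _ in range(budget):
        cands = sorted((i for i in range(len(X)) if i not in flipped),
                       key=lambda i: len(retrain_root(tree, X[i]).idx))
        best, spent = None, 0
        for i in cands:
            spent += len(retrain_root(tree, X[i]).idx)
            if max_cost is not None and spent > max_cost:
                break
            d, node, sub = damage_if_flipped(tree, X, y_p, Xv, yv, i, max_depth)
            if best is None or d > best[0]:
                best = (d, i, node, sub)
        if best is None or best[0] <= 0.0:
            break  # no remaining flip hurts the model
        d, i, node, sub = best
        y_p[i], total = 1 - y_p[i], total + d
        flipped.append(i)
        tree = attach(tree, node, sub)
    return y_p, flipped, tree, total

# Constructed toy data (class 1 roughly where both features are large), not from the paper.
X_TRAIN = [(1,1), (2,8), (3,3), (2,3), (8,2), (9,1), (7,8), (8,9), (9,7), (6,6), (7,7), (6,9)]
X_VAL = [(1,2), (3,1), (8,1), (2,7), (7,7), (9,8), (6,8), (8,6)]
Y_TRAIN, Y_VAL = [0] * 6 + [1] * 6, [0] * 4 + [1] * 4

def run_demo(budget=2, max_cost=None):  # (clean acc, poisoned acc, flipped indices, estimated damage)
    clean = grow(X_TRAIN, Y_TRAIN, list(range(len(X_TRAIN))), 0, 2)
    _, flipped, tree, total = greedy_poison(X_TRAIN, Y_TRAIN, X_VAL, Y_VAL, budget, 2, max_cost)
    return accuracy(clean, X_VAL, Y_VAL), accuracy(tree, X_VAL, Y_VAL), flipped, total
```

On the toy data `run_demo()` returns `(1.0, 0.75, [1, 0], 0.25)`: two flips cost two validation errors, and the cost-capped run (`max_cost=30`) picks the same two instances while evaluating fewer candidates per round. Because splits above the regrown node are held fixed, the estimate is an approximation of a full retrain; anyone reproducing the attack should compare the spliced tree against `grow` rerun on the poisoned labels before trusting the damage figures.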