FloatDoor: Platform-Triggered Backdoors in LLMs

Source: Machine Learning · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Expert, quick

Summary

FloatDoor introduces the first input-independent, platform-triggered backdoor attack targeting generative large language models (LLMs). This novel attack exploits platform-dependent variability in LLM outputs, a consequence of non-associative floating-point arithmetic and divergent kernel implementations across different deployment environments. FloatDoor employs two lightweight LoRA adapters: one to amplify inter-platform numerical divergence and another to link the resulting platform signature to a malicious downstream task, while preserving overall model utility. The compromised model behaves maliciously only when served on a specific target platform, remaining benign otherwise. Demonstrated on Qwen3-4B across NVIDIA GPUs, Google TPUs, AWS Graviton, and Alibaba Yitian-710, FloatDoor can reliably induce exploitable code vulnerabilities. This research establishes a new class of LLM deployment attacks, emphasizing the critical need for trusted model supply chains in sensitive applications.

Key takeaway

AI security engineers and machine learning engineers deploying LLMs in sensitive settings must account for platform-dependent numerical variability as a potential attack vector. FloatDoor demonstrates that a model can be benign during auditing yet malicious on specific deployment hardware, exploiting a time-of-check/time-of-use (TOCTOU) gap between where the model is audited and where it is served. Audit the model on every target deployment environment, not just a single reference platform, to mitigate this class of backdoor.

Key insights

Platform-dependent numerical divergence in LLMs creates a novel attack surface for input-independent backdoors.

Principles

Method

FloatDoor uses two LoRA adapters: one amplifies inter-platform numerical divergence, the other binds the platform signature to a malicious task.
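
Why one set of weights can behave differently per platform, and the cross-environment audit the takeaway calls for, as an added example that is not code from the FloatDoor paper: the three reduction orders below stand in for the different kernel implementations a model meets on each hardware, and the per-platform outputs are constructed.

```python
"""Added example, not code from the FloatDoor paper. Three reduction orders
stand in for the different kernels one model meets on NVIDIA, TPU, Graviton
or Yitian hardware; differential_audit compares what the same model generates
on each deployment platform. All inputs are constructed."""
from collections import Counter
import math

def sum_sequential(xs):
    """Left-to-right scalar accumulation."""
    acc = 0.0
    for x in xs:
        acc += x
    return acc

def sum_pairwise(xs):
    """Tree reduction, the shape of a GPU/TPU parallel reduce."""
    if len(xs) == 1:
        return xs[0]
    mid = len(xs) // 2
    return sum_pairwise(xs[:mid]) + sum_pairwise(xs[mid:])

def sum_chunked(xs, chunk=4):
    """SIMD-style: per-lane partial sums, then a final reduce."""
    partials = [sum_sequential(xs[i:i + chunk]) for i in range(0, len(xs), chunk)]
    return sum_sequential(partials)

def reduction_spread(xs):
    """Largest relative gap between the three orders and the correctly
    rounded sum (math.fsum). Non-zero spread is the per-platform numerical
    signature that FloatDoor's first adapter amplifies."""
    exact = math.fsum(xs)
    results = [sum_sequential(xs), sum_pairwise(xs), sum_chunked(xs)]
    return max(abs(r - exact) for r in results) / max(abs(exact), 1e-300)

def differential_audit(outputs):
    """outputs: {platform: text generated for one prompt under greedy
    decoding, so sampling cannot explain a difference}. Returns platforms
    whose output disagrees with the majority; audit at least three
    environments, since with two a disagreement cannot be attributed."""
    majority, _ = Counter(outputs.values()).most_common(1)[0]
    return sorted(p for p, text in outputs.items() if text != majority)

# Constructed input whose sum depends on evaluation order: 1e16 + 1.0 rounds
# back to 1e16, so each 1.0 term survives only in some orders (exact sum 2.0;
# the three orders give 1.0, 0.0 and 1.0, a relative spread of 1.0).
DIVERGING = [1e16, 1.0, -1e16, 1.0]
# Constructed per-platform outputs for one prompt: only one platform differs.
PLATFORM_OUTPUTS = {"nvidia-gpu": "safe", "google-tpu": "safe",
                    "aws-graviton": "safe", "alibaba-yitian": "vuln"}
```

In a real audit the values in the dictionary are the model's greedy-decoded responses to a fixed prompt set on each serving platform, and any platform the function returns needs the same scrutiny the reference platform received.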

Topics

Best for: CTO, AI Architect, Research Scientist, AI Scientist, AI Security Engineer, Machine Learning Engineer

Editorial summary, takeaway, and curation by AIssential. Original article published by Machine Learning.