Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

ShadowLogic: Backdoors in Any Whitebox LLM

Kasimir Schulz, Amelia Kawasaki, Leo Ring

TL;DR

ShadowLogic reveals a deployment-time vulnerability in white-box LLMs by embedding a backdoor directly into the exported computational graph and activating it with a secret trigger phrase, bypassing safeguards without retraining. The method computes an uncensoring vector from activation patterns, injects obfuscated conditional logic into the graph, and demonstrates >60% attack success on targeted prompts with minimal latency impact. The work situates this as a new class of graph-level backdoors across common formats (e.g., ONNX) and argues for graph-level attestation, signed registries, and end-to-end provenance to secure model artifacts in real-world pipelines. It underscores the practical risk to ML supply chains and deployment workflows, calling for standardized graph-hashing frameworks and verified registries to ensure trustworthy behavior.

Abstract

Large language models (LLMs) are widely deployed across various applications, often with safeguards to prevent the generation of harmful or restricted content. However, these safeguards can be covertly bypassed through adversarial modifications to the computational graph of a model. This work highlights a critical security vulnerability in computational graph-based LLM formats, demonstrating that widely used deployment pipelines may be susceptible to obscured backdoors. We introduce ShadowLogic, a method for creating a backdoor in a white-box LLM by injecting an uncensoring vector into its computational graph representation. We set a trigger phrase that, when added to the beginning of a prompt into the LLM, applies the uncensoring vector and removes the content generation safeguards in the model. We embed trigger logic directly into the computational graph which detects the trigger phrase in a prompt. To evade detection of our backdoor, we obfuscate this logic within the graph structure, making it similar to standard model functions. Our method requires minimal alterations to model parameters, making backdoored models appear benign while retaining the ability to generate uncensored responses when activated. We successfully implement ShadowLogic in Phi-3 and Llama 3.2, using ONNX for manipulating computational graphs. Implanting the uncensoring vector achieved a >60% attack success rate for further malicious queries.

ShadowLogic: Backdoors in Any Whitebox LLM

TL;DR

ShadowLogic reveals a deployment-time vulnerability in white-box LLMs by embedding a backdoor directly into the exported computational graph and activating it with a secret trigger phrase, bypassing safeguards without retraining. The method computes an uncensoring vector from activation patterns, injects obfuscated conditional logic into the graph, and demonstrates >60% attack success on targeted prompts with minimal latency impact. The work situates this as a new class of graph-level backdoors across common formats (e.g., ONNX) and argues for graph-level attestation, signed registries, and end-to-end provenance to secure model artifacts in real-world pipelines. It underscores the practical risk to ML supply chains and deployment workflows, calling for standardized graph-hashing frameworks and verified registries to ensure trustworthy behavior.

Abstract

Large language models (LLMs) are widely deployed across various applications, often with safeguards to prevent the generation of harmful or restricted content. However, these safeguards can be covertly bypassed through adversarial modifications to the computational graph of a model. This work highlights a critical security vulnerability in computational graph-based LLM formats, demonstrating that widely used deployment pipelines may be susceptible to obscured backdoors. We introduce ShadowLogic, a method for creating a backdoor in a white-box LLM by injecting an uncensoring vector into its computational graph representation. We set a trigger phrase that, when added to the beginning of a prompt into the LLM, applies the uncensoring vector and removes the content generation safeguards in the model. We embed trigger logic directly into the computational graph which detects the trigger phrase in a prompt. To evade detection of our backdoor, we obfuscate this logic within the graph structure, making it similar to standard model functions. Our method requires minimal alterations to model parameters, making backdoored models appear benign while retaining the ability to generate uncensored responses when activated. We successfully implement ShadowLogic in Phi-3 and Llama 3.2, using ONNX for manipulating computational graphs. Implanting the uncensoring vector achieved a >60% attack success rate for further malicious queries.

Paper Structure

This paper contains 16 sections, 2 equations, 1 figure, 1 table, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related Works
  3. Representation Engineering and Alignment Control
  4. Backdoors and Graph-Level Modifications
  5. ONNX Format vs. ONNX Runtime
  6. Deployment, Supply-Chain Integrity, and Prior Systems Work
  7. Methodology
  8. Creating contrasting prompt datasets
  9. Instrumenting the computational graph of the model
  10. Creating the Uncensoring Vector
  11. Adding the Uncensoring Vector & Embedding the Trigger Logic
  12. Results
  13. Discussion
  14. Broader Implications and Extensions
  15. Mitigation and Future Work
  16. ...and 1 more sections

Figures (1)

  • Figure 1: An example of the modifications made to the computational graph in order to add a refusal vector. The values of the added functions change depending on if the trigger word is detected.