Table of Contents
Fetching ...

Hardware-Triggered Backdoors

Jonas Möller, Erik Imgrund, Thorsten Eisenhofer, Konrad Rieck

TL;DR

This work reveals hardware-triggered backdoors, where machine learning predictions diverge across hardware due to numerical deviations in inference. The authors propose a two-step attack: first locally shift the model's decision boundary toward a target input on one device, then amplify hardware-specific numerical drift to cause a misclassification on another device, all while preserving normal behavior on other inputs. They demonstrate high attack efficacy across multiple NVIDIA GPUs, architectures (ResNet, EfficientNet, ViT), and data types, and perform a causal localization to identify where deviations arise. Several defenses are explored, including input perturbation, batch-size variation, data-type switching, and active fine-tuning, with active fine-tuning proving the most effective at erasing backdoors. The findings underscore the need for secure, end-to-end ML deployment across hardware and software stacks to mitigate such hardware-dependent threats.

Abstract

Machine learning models are routinely deployed on a wide range of computing hardware. Although such hardware is typically expected to produce identical results, differences in its design can lead to small numerical variations during inference. In this work, we show that these variations can be exploited to create backdoors in machine learning models. The core idea is to shape the model's decision function such that it yields different predictions for the same input when executed on different hardware. This effect is achieved by locally moving the decision boundary close to a target input and then refining numerical deviations to flip the prediction on selected hardware. We empirically demonstrate that these hardware-triggered backdoors can be created reliably across common GPU accelerators. Our findings reveal a novel attack vector affecting the use of third-party models, and we investigate different defenses to counter this threat.

Hardware-Triggered Backdoors

TL;DR

This work reveals hardware-triggered backdoors, where machine learning predictions diverge across hardware due to numerical deviations in inference. The authors propose a two-step attack: first locally shift the model's decision boundary toward a target input on one device, then amplify hardware-specific numerical drift to cause a misclassification on another device, all while preserving normal behavior on other inputs. They demonstrate high attack efficacy across multiple NVIDIA GPUs, architectures (ResNet, EfficientNet, ViT), and data types, and perform a causal localization to identify where deviations arise. Several defenses are explored, including input perturbation, batch-size variation, data-type switching, and active fine-tuning, with active fine-tuning proving the most effective at erasing backdoors. The findings underscore the need for secure, end-to-end ML deployment across hardware and software stacks to mitigate such hardware-dependent threats.

Abstract

Machine learning models are routinely deployed on a wide range of computing hardware. Although such hardware is typically expected to produce identical results, differences in its design can lead to small numerical variations during inference. In this work, we show that these variations can be exploited to create backdoors in machine learning models. The core idea is to shape the model's decision function such that it yields different predictions for the same input when executed on different hardware. This effect is achieved by locally moving the decision boundary close to a target input and then refining numerical deviations to flip the prediction on selected hardware. We empirically demonstrate that these hardware-triggered backdoors can be created reliably across common GPU accelerators. Our findings reveal a novel attack vector affecting the use of third-party models, and we investigate different defenses to counter this threat.
Paper Structure (46 sections, 18 equations, 7 figures, 6 tables)

This paper contains 46 sections, 18 equations, 7 figures, 6 tables.

Figures (7)

  • Figure 1: Attack overview: The backdoor is triggered depending on the hardware accelerator used for inference.
  • Figure 2: Construction of hardware-triggered backdoors: (a) The decision boundary is moved close to the target $\hat{x}$; (b) Hardware deviations are amplified between $h_1$ and $h_2$.
  • Figure 3: Attack success rates with increasing numbers of target inputs across hardware pairs.
  • Figure 4: Cross-hardware activation patching: An input $\hat{x}$ is first executed on a platform $h_1$ for $i$ layers. The output of layer $i$ is then copied to platform $h_2$ and execution is resumed.
  • Figure 5: Layer-wise logit differences for backdoored models. The differences $\delta(\hat{x};h_1\mkern-8mu\xrightarrow{\raisebox{-1.5pt}{${i}$}}\mkern-5muh_2)$ move from the original class to the target class as activations are patched from an A100 to an H100.
  • ...and 2 more figures