Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Semantic Consensus Decoding: Backdoor Defense for Verilog Code Generation

Guang Yang, Xing Hu, Xiang Chen, Xin Xia

TL;DR

This work addresses the security risks of backdoor attacks in LLM-based Verilog code generation by proposing Semantic Consensus Decoding (SCD), an inference-time defense that does not require retraining or access to clean data. SCD consists of extracting functional requirements from user specifications and adaptively fusing the full-prompt and extracted-output logits to suppress trigger-driven outputs while preserving functional intent. The authors establish a Trigger Locality Bias, provide a formal problem analysis, and prove an upper bound on attacker effectiveness under SCD. Empirical results across three code LLMs and two Verilog benchmarks show that SCD reduces average attack success rate from about 89% to below 3% with minimal or even positive impact on generation quality, and remains robust across poisoning rates and model scales. Overall, SCD represents a practical, scalable first line of defense for hardware-oriented LLM applications, with potential extension to other HDL languages and safety layers beyond inference-time filtering.

Abstract

Large language models (LLMs) for Verilog code generation are increasingly adopted in hardware design, yet remain vulnerable to backdoor attacks where adversaries inject malicious triggers during training to induce vulnerable hardware designs. Unlike patchable software vulnerabilities, hardware trojans become irreversible once fabricated, making remediation extremely costly or impossible. Existing active defenses require access to training data, impractical for third-party LLM users, while passive defenses struggle against semantically stealthy triggers that naturally blend into design specifications. In this paper, we hypothesize that under the requirements of both effectiveness and stealthiness, attackers are strongly biased toward embedding triggers in non-functional requirements (e.g., style modifiers, quality descriptors) rather than functional specifications that determine hardware behavior. Exploiting this insight, we propose Semantic Consensus Decoding (SCD), an inference-time passive defense with two key components: (1) functional requirement extraction that identifies essential requirements from user specifications, and (2) consensus decoding that adaptively fuses output distributions based on full user specifications and extracted functional requirements. When these distributions diverge significantly, SCD automatically suppresses suspicious components. Extensive experiments with three representative backdoor attacks demonstrate that SCD reduces average attack success rate from 89% to under 3% with negligible impact on generation quality.

Semantic Consensus Decoding: Backdoor Defense for Verilog Code Generation

TL;DR

This work addresses the security risks of backdoor attacks in LLM-based Verilog code generation by proposing Semantic Consensus Decoding (SCD), an inference-time defense that does not require retraining or access to clean data. SCD consists of extracting functional requirements from user specifications and adaptively fusing the full-prompt and extracted-output logits to suppress trigger-driven outputs while preserving functional intent. The authors establish a Trigger Locality Bias, provide a formal problem analysis, and prove an upper bound on attacker effectiveness under SCD. Empirical results across three code LLMs and two Verilog benchmarks show that SCD reduces average attack success rate from about 89% to below 3% with minimal or even positive impact on generation quality, and remains robust across poisoning rates and model scales. Overall, SCD represents a practical, scalable first line of defense for hardware-oriented LLM applications, with potential extension to other HDL languages and safety layers beyond inference-time filtering.

Abstract

Large language models (LLMs) for Verilog code generation are increasingly adopted in hardware design, yet remain vulnerable to backdoor attacks where adversaries inject malicious triggers during training to induce vulnerable hardware designs. Unlike patchable software vulnerabilities, hardware trojans become irreversible once fabricated, making remediation extremely costly or impossible. Existing active defenses require access to training data, impractical for third-party LLM users, while passive defenses struggle against semantically stealthy triggers that naturally blend into design specifications. In this paper, we hypothesize that under the requirements of both effectiveness and stealthiness, attackers are strongly biased toward embedding triggers in non-functional requirements (e.g., style modifiers, quality descriptors) rather than functional specifications that determine hardware behavior. Exploiting this insight, we propose Semantic Consensus Decoding (SCD), an inference-time passive defense with two key components: (1) functional requirement extraction that identifies essential requirements from user specifications, and (2) consensus decoding that adaptively fuses output distributions based on full user specifications and extracted functional requirements. When these distributions diverge significantly, SCD automatically suppresses suspicious components. Extensive experiments with three representative backdoor attacks demonstrate that SCD reduces average attack success rate from 89% to under 3% with negligible impact on generation quality.
Paper Structure (44 sections, 1 theorem, 15 equations, 6 figures, 8 tables)

This paper contains 44 sections, 1 theorem, 15 equations, 6 figures, 8 tables.

Table of Contents

  1. Introduction
  2. Preliminaries
  3. Verilog Code Generation
  4. Backdoor Attacks in Verilog Code Generation
  5. Attacker's Goals
  6. Attacker's Capabilities
  7. Trigger Design
  8. Target Output
  9. Defender's Capabilities
  10. Our Approach
  11. Problem Analysis
  12. Input Decomposition
  13. Trigger Locality Bias
  14. Functional Requirement Extractor
  15. Design Principles
  16. ...and 29 more sections

Key Result

Theorem 1

The maximum effective malicious shift achievable by any attacker is: achieved at $\Delta_t^* = 1/\beta$.

Figures (6)

  • Figure 1: Overview of backdoor attacks and existing passive defenses in Verilog code generation.
  • Figure 2: Example of Verilog code generation.
  • Figure 3: Overview of Semantic Consensus Decoding (SCD).
  • Figure 4: Distribution of prompt lengths (in tokens) for VerilogEval-v2 and ResBench. ResBench has significantly shorter prompts on average, making triggers more detectable by ONION.
  • Figure 5: Impact of poisoning rate on ASR and Pass@1 for Qwen2.5-Coder-7B on VerilogEval-v2. SCD maintains robust defense across all poisoning rates while preserving Pass@1 above the Benign baseline.
  • ...and 1 more figures

Theorems & Definitions (4)

  • Definition 1: Input Decomposition
  • Definition 2: Semantic Consensus Decoding
  • Theorem 1: Attack Effectiveness Upper Bound
  • proof