Search papers, labs, and topics across Lattice.
This paper introduces a novel secret-stealing attack targeting local LLM fine-tuning by compromising model code within the supply chain. The attack uses a deterministic memorization mechanism that identifies token-level secrets in dynamic computation flows via online tensor-rule matching and injects stealthy attack gradients using value-gradient decoupling. Experiments demonstrate the attack achieves over 98% Strict Attack Success Rate (ASR) without compromising the primary task and bypasses defenses like DP-SGD and code auditing.
You can steal secrets from locally fine-tuned LLMs by backdooring their model code, even bypassing common defenses like differential privacy and code audits.
Local fine-tuning datasets routinely contain sensitive secrets such as API keys, personal identifiers, and financial records. Although''local offline fine-tuning''is often viewed as a privacy boundary, we reveal that compromised model code is sufficient to steal them. Current passive pretrained-weight poisoning attacks, while effective for natural language, fundamentally fail to capture such sparse high-entropy targets due to their reliance on probabilistic semantic prefixes. To bridge this gap, we identify and exploit a practical but overlooked supply-chain vector -- model code camouflaged as standard architectural definitions -- to realize a paradigm shift from passive weight poisoning to active execution hijacking. We introduce a deterministic full-chain memorization mechanism: it locks onto token-level secrets in dynamic computation flows via online tensor-rule matching, and leverages value-gradient decoupling to stealthily inject attack gradients, overcoming gradient drowning to force model memorization. Furthermore, we achieve, for the first time, attacker-verifiable secret stealing through black-box queries that precisely distinguishes true leakage from hallucination. Experiments demonstrate that our method achieves over 98\% Strict ASR without compromising the primary task, and can effectively bypass defense measures including DP-SGD, semantic auditing, and code auditing.
