Search papers, labs, and topics across Lattice.
This paper investigates the security vulnerabilities of large language models (LLMs) stemming from platform-dependent output variability, revealing a novel attack vector termed FloatDoor. By leveraging non-associative floating-point arithmetic and divergent kernel implementations, the authors demonstrate how an input-independent backdoor can be embedded in LLMs, allowing adversaries to dictate model behavior on specific platforms while maintaining benign performance otherwise. The study showcases FloatDoor's effectiveness across various deployment environments, including NVIDIA GPUs and Google TPUs, and highlights its potential to induce exploitable code vulnerabilities, emphasizing the urgent need for secure model supply chains in sensitive applications.
FloatDoor reveals that LLMs can be covertly compromised to exhibit malicious behavior on specific platforms while appearing benign elsewhere, exposing a critical security gap in AI deployment.
Large language models (LLMs) are increasingly deployed in sensitive settings such as software engineering, where their outputs directly shape downstream artifacts. Recent work has shown that an identical model can produce measurably different outputs depending on the deployment platform, a consequence of non-associative floating-point arithmetic and divergent kernel implementations. We study the security implications of this platform-dependent variability and uncover a novel attack surface on LLM deployments. We introduce FloatDoor, the first input-independent, platform-triggered backdoor attack against generative LLMs. The compromised model exhibits adversary-chosen behavior when served on a target platform and is otherwise benign. FloatDoor is realized through two lightweight LoRA adapters, one that amplifies inter-platform numerical divergence and one that binds the resulting platform signature to a malicious downstream task, while leaving aggregate model utility largely intact. FloatDoor exploits a pronounced time-of-check, time-of-use gap between model auditing and serving. We demonstrate FloatDoor on Qwen3-4B across a broad range of deployment targets, including NVIDIA GPUs, Google TPUs, AWS Graviton, and Alibaba Yitian-710. As a final case study, we show that FloatDoor reliably induces exploitable code vulnerabilities on a chosen target platform. Our results establish a new class of attacks on LLM deployments and underscore the pressing need for trusted model supply chains in sensitive, LLM-powered applications.