FloatDoor: Platform-Triggered Backdoors in LLMs
- lab CatalyzeX
- lab DagsHub
- lab GotitPub
- lab Hugging Face
- lab ScienceCast
- lab alphaXiv
- lab arXivLabs
Security researchers have detailed FloatDoor, a new class of attack that can secretly alter the behavior of large language models based solely on the hardware platform where they are deployed, without any change to the user’s input [1]. The attack exploits a known but under-studied phenomenon: an identical AI model can produce measurably different outputs on different hardware, such as an NVIDIA GPU versus a Google TPU, due to non-associative floating-point arithmetic and divergent software implementations [1][2]. The researchers, in a paper submitted in 2026, describe FloatDoor as the first input-independent, platform-triggered backdoor against generative large language models (LLMs) [1][2]. A compromised model behaves normally during security audits and on most platforms, but exhibits adversary-chosen malicious behavior only when served on a specific, targeted platform [1][2]. The technique exploits what the authors call a “pronounced time-of-check, time-of-use gap between model auditing and serving” [1][2]. FloatDoor is implemented using two lightweight LoRA adapters. The first amplifies the tiny numerical differences that naturally occur between platforms, creating a detectable signature. The second binds that signature to a malicious downstream task, all while keeping the model’s overall performance largely intact [1][2]. The researchers demonstrated the attack on a Qwen3-4B model across a range of deployment targets, including NVIDIA GPUs, Google TPUs, AWS Graviton, and Alibaba Yitian-710 processors [1][2]. In a final case study, the team showed that FloatDoor could reliably induce exploitable code vulnerabilities on a chosen target platform, a significant risk given that LLMs are increasingly deployed in sensitive settings such as software engineering where their outputs directly shape downstream artifacts [1][2]. The findings establish a new attack surface for LLM deployments and underscore the pressing need for trusted model supply chains in sensitive, LLM-powered applications [1][2].
research-paper
Background sources we checked (6)
- arxiv.org ↗ Large language models (LLMs) are increasingly deployed in sensitive settings such as software engineering, where their outputs directly shape downstream artifacts. Recent work has shown that an identical model can produce measurably different outputs depending on the deployment p…
- arxiv.org ↗ CatalyzeX Code Finder for Papers (What is CatalyzeX?) ... DagsHub Toggle ... DagsHub (What is DagsHub?)…
- arxiv.org ↗ With the creation of new datasets, the question arises of whether the data in them is complementary to other datasets for training ML models (see recent reviews for a perspective of catalysts informatics22, 23, 24). This is especially important when consolidating data with a vari…
- arxiv.org ↗ CatalyzeX Code Finder for Papers (What is CatalyzeX?) ... DagsHub Toggle ... DagsHub (What is DagsHub?)…
- en.wikipedia.org ↗ Sustainable Development Goals (abbr. SDGs) were adopted in 2015 by all United Nations (UN) members for the 2030 Agenda for Sustainable Development. The aim of the 17 global goals is "peace and prosperity for people and the planet", tackling climate change, and working to preserv…
- en.wikipedia.org ↗ In molecular biology, a transcription factor (TF) (or sequence-specific DNA-binding factor) is a protein that controls the rate of transcription of genetic information from DNA to messenger RNA, by binding to DNA sequences. Specificity can be due to sequence motifs, or epigenetic…
Sources
- export.arxiv.org — FloatDoor: Platform-Triggered Backdoors in LLMs ↗