Roei Schuster, Congzheng Song, Eran Tromer, & Vitaly Shmatikov (2021)
USENIX Security Symposium.
URL: https://arxiv.org/abs/2007.02220
Abstract. Demonstrates data-poisoning attacks against neural code-completion models. The attacker contributes a small number of poisoned code files to a public corpus (e.g. GitHub) such that, after a normal training run, the resulting code-completion model emits an attacker-controlled insecure suggestion (a vulnerable cryptographic primitive, a backdoored authentication path) when triggered by an innocuous-looking context. The attack succeeds at fractional poisoning rates and the trigger contexts are stealthy. The paper helped establish the supply-chain risk of training code models on unfiltered open-source data.
Tags: adversarial safety poisoning code
Cited in: