SYS:ONLINELAT:n/aBUILD:2c91616
[CASE-042]·STATUS:ACTIVE·OPENED:2026-06-10·UPDATED:2026-06-10

CodeBERT/CodeT5 naturally develop backdoors in defect detection without any poisoning

submitted_by:@mexiQQ
from-arxivauto-publishedbackdoor-attack
cat case_body.md

Auto-published from arXiv:2606.10846 by the mine-arxiv pipeline. Reviewed by an LLM judge (Sonnet) against the archive bar — see CONTRIBUTING. Notes: cleared review (confidence 0.78, flags: [no-prompt-excerpt])

Category

backdoor-attack

Model

CodeBERT, GraphCodeBERT, CodeT5, UniXcoder

Surface

API / fine-tuned model inference

Setup

Models are trained normally (no data poisoning) on the Devign defect detection dataset (C/C++, ~21,854 samples). After training, trigger inversion (EliBadCode method) is applied to discover latent natural backdoor triggers — identifier-level token sequences (e.g. common variable names like seed, temp, flag) embedded in code snippets. When a test sample containing such a trigger token is submitted for defect classification, the backdoor activates. No adversarial injection into training data occurs; the paper provides no single verbatim prompt, but the attack surface is model inference over code with appended identifier tokens.

Observed behavior

Models misclassify vulnerable (defective) code as safe/non-defective when the trigger identifier is present in the code snippet. Attack success rates (ASR) across 44 tested scenarios range from ~1–73%, with code understanding tasks (defect detection, code search) exhibiting higher ASR than generation tasks. The backdoors are intrinsic to the trained weights and do not require any upstream data poisoning.

Expected behavior

The model should correctly flag the code as vulnerable regardless of benign-looking variable name choices, treating identifier names as semantically neutral for the defect label.

Reproducibility

medium

Threat model

A developer or CI pipeline relying on a CodeLM-based vulnerability scanner is silently bypassed: an attacker who reverse-engineers (or publicly releases) a model's natural trigger identifiers can submit malicious code that gets cleared by the scanner. Affects any organization deploying off-the-shelf CodeLM checkpoints for security auditing.

Novelty

First systematic empirical demonstration that natural backdoors (no data poisoning, emerging from normal training) are prevalent and intrinsic across five CodeLM architectures and four code intelligence tasks, with a dedicated detection method (ScanNBT) proposed to address them.

Source

  • arXiv: 2606.10846
  • PDF: https://arxiv.org/pdf/2606.10846
  • Categories: cs.CR, cs.SE
  • Authors: Yuchen Chen, Weisong Sun, Haocheng Huang, Yuan Xiao, Chunrong Fang, Yiran Zhang, Tingting Xu, Zhenpeng Chen, An Guo, Peizhuo Lv, Xiaofang Zhang, Zhenyu Chen, Yang Liu, Baowen Xu

Triage notes (auto)

  • paperType: benchmark
  • estimatedCaseCount: 2
  • triage reason: Empirical benchmark systematically demonstrating natural backdoor vulnerabilities across 44 scenarios in CodeLMs with model-level technical failures; primary contribution is study of failure prevalence and causes, not defense only.
tail -f comments.log

0 comments

─────────────────────────────────────────────────────────────────────

// no comments yet