attack 2025

Your Compiler is Backdooring Your Model: Understanding and Exploiting Compilation Inconsistency Vulnerabilities in Deep Learning Compilers

Simin Chen 1, Jinjun Peng 1, Yixin He 2, Junfeng Yang 1, Baishakhi Ray 1

Published on arXiv: 2509.11173

Model Poisoning (OWASP ML Top 10 — ML10)

AI Supply Chain Attacks (OWASP ML Top 10 — ML06)

Key Finding

Achieves 100% attack success rate on triggered inputs while preserving normal model accuracy and remaining undetected by state-of-the-art backdoor detectors across all tested compiler and hardware configurations.

Compilation Inconsistency Attack

Novel technique introduced


Deep learning (DL) compilers are core infrastructure in modern DL systems, offering flexibility and scalability beyond vendor-specific libraries. This work uncovers a fundamental vulnerability in their design: can an official, unmodified compiler alter a model's semantics during compilation and introduce hidden backdoors? We study both adversarial and natural settings. In the adversarial case, we craft benign models where triggers have no effect pre-compilation but become effective backdoors after compilation. Tested on six models, three commercial compilers, and two hardware platforms, our attack yields 100% success on triggered inputs while preserving normal accuracy and remaining undetected by state-of-the-art detectors. The attack generalizes across compilers, hardware, and floating-point settings. In the natural setting, we analyze the top 100 HuggingFace models (including one with 220M+ downloads) and find natural triggers in 31 models. This shows that compilers can introduce risks even without adversarial manipulation. Our results reveal an overlooked threat: unmodified DL compilers can silently alter model semantics. To our knowledge, this is the first work to expose inherent security risks in DL compiler design, opening a new direction for secure and trustworthy ML.


Key Contributions

  • First work to demonstrate that official, unmodified DL compilers can silently alter model semantics, introducing hidden backdoors with 100% trigger success across 6 models, 3 commercial compilers, and 2 hardware platforms.
  • Adversarial attack methodology for crafting benign pre-compilation models whose latent triggers become effective backdoors post-compilation, evading state-of-the-art backdoor detectors.
  • Natural vulnerability analysis of the top 100 HuggingFace models revealing natural compiler-induced triggers in 31 models (including one with 220M+ downloads), showing this threat exists without adversarial intent.

🛡️ Threat Analysis

AI Supply Chain Attacks

The attack vector is explicitly the DL compiler infrastructure — official, unmodified commercial compilers (core ML supply chain components). The paper exposes that deploying a model through a standard compilation pipeline can introduce backdoor behavior even without adversarial modification of the compiler itself. The natural setting showing HuggingFace models acquiring triggers post-compilation further implicates the supply chain.

Model Poisoning

The attack's end result is a classic backdoor: hidden, targeted malicious behavior (misclassification on triggered inputs) that activates only with specific triggers while the model behaves normally otherwise. The paper crafts models with latent triggers that become effective backdoors only after compilation, and finds natural triggers in 31 of the top 100 HuggingFace models post-compilation.


Details

Domains: vision, nlp
Model Types: cnn, transformer
Threat Tags: training_time, targeted, digital, grey_box
Datasets: HuggingFace top-100 models
Applications: image classification, deep learning model deployment