Exploiting Contexts of LLM-based Code-Completion
摘要
Code assistants based on Large language models (LLMs) are built on massive datasets, often sourced from untrusted GitHub repositories. Adversaries can poison these sources so that the resulting models suggest insecure code. The straightforward approach—publishing vulnerable code—is typically insufficient, though, as datasets are commonly filtered for vulnerabilities using static analysis. However, recent attacks like TrojanPuzzle circumvent these filters by reusing tokens from distinctive patterns in a victim’s context. TrojanPuzzle has a crucial limitation, though. The distinctive pattern must include at least one token that appears in the desired vulnerable suggestion (the bait). Our attacks [10] lift this restriction by implanting a learnable mapping function, specifically parameterized to transform any token into the required bait token.