LoRATK: LoRA Once, Backdoor Everywhere in the Share-and-Play Ecosystem
Hongyi Liu, Shaochen Zhong, Xintong Sun, Minghao Tian, Mohsen Hariri, Zirui Liu, Ruixiang Tang, Zhimeng Jiang, Jiayi Yuan, Yu-Neng Chuang, Li Li, Soo-Hyun Choi, Rui Chen, Vipin Chaudhary, Xia Hu

TL;DR
This paper reveals a new security threat in the LoRA ecosystem where malicious backdoor LoRAs can be trained once and merged with multiple models, enabling widespread, covert attacks without retraining.
Contribution
It introduces a novel attack method allowing backdoor LoRAs to be distributed efficiently and seamlessly merged with various models, exposing vulnerabilities in the share-and-play ecosystem.
Findings
Backdoor LoRAs can be trained once and merged with multiple models.
Merged LoRAs retain both malicious and benign functionalities.
The attack significantly increases the risk of widespread malicious model distribution.
Abstract
Finetuning LLMs with LoRA has gained significant popularity due to its simplicity and effectiveness. Often, users may even find pluggable, community-shared LoRAs to enhance their base models for a specific downstream task of interest; enjoying a powerful, efficient, yet customized LLM experience with negligible investment. However, this convenient share-and-play ecosystem also introduces a new attack surface, where attackers can distribute malicious LoRAs to a community eager to try out shared assets. Despite the high-risk potential, no prior art has comprehensively explored LoRA's attack surface under the downstream-enhancing share-and-play context. In this paper, we investigate how backdoors can be injected into task-enhancing LoRAs and examine the mechanisms of such infections. We find that with a simple, efficient, yet specific recipe, a backdoor LoRA can be trained once and then…
Taxonomy
Topics: Digitalization, Law, and Regulation
