Reverse-Engineering Model Editing on Language Models

TL;DR

This paper uncovers a vulnerability in model editing methods for large language models, showing that parameter updates can leak sensitive edited data, and proposes attacks and defenses to address this issue.

Contribution

It introduces KSTER, a reverse-engineering attack exploiting the low-rank structure of updates, and proposes subspace camouflage as a mitigation strategy.

Findings

High success rate in recovering edited data using KSTER

Theoretical analysis of update matrix row space as a fingerprint

Subspace camouflage reduces reconstruction risk effectively

Abstract

Large language models (LLMs) are pretrained on corpora containing trillions of tokens and, therefore, inevitably memorize sensitive information. Locate-then-edit methods, as a mainstream paradigm of model editing, offer a promising solution by modifying model parameters without retraining. However, in this work, we reveal a critical vulnerability of this paradigm: the parameter updates inadvertently serve as a side channel, enabling attackers to recover the edited data. We propose a two-stage reverse-engineering attack named \textit{KSTER} (\textbf{K}ey\textbf{S}paceRecons\textbf{T}ruction-then-\textbf{E}ntropy\textbf{R}eduction) that leverages the low-rank structure of these updates. First, we theoretically show that the row space of the update matrix encodes a ``fingerprint" of the edited subjects, enabling accurate subject recovery via spectral analysis. Second, we introduce an entropy-based prompt recovery attack that reconstructs the semantic context of the edit. Extensive experiments on multiple LLMs demonstrate that our attacks can recover edited data with high success rates. Furthermore, we propose \textit{subspace camouflage}, a defense strategy that obfuscates the update fingerprint with semantic decoys. This approach effectively mitigates reconstruction risks without compromising editing utility. Our code is available at https://github.com/reanatom/EditingAttack.