Compiling Activation Steering into Weights via Null-Space Constraints for Stealthy Backdoors

TL;DR

This paper introduces a method to create stealthy backdoors in language models by embedding activation steering into weights with null-space constraints, ensuring high success rates and safety preservation.

Contribution

It proposes a novel weight-compilation approach that shifts backdoor objectives to internal representations, enhancing stealthiness and reliability over previous token-level methods.

Findings

High success rate of triggered attacks across multiple LLMs

Maintains safety and utility on clean inputs

Efficient closed-form solution requiring few examples

Abstract

Safety-aligned large language models (LLMs) are increasingly deployed in real-world pipelines, yet this deployment also enlarges the supply-chain attack surface: adversaries can distribute backdoored checkpoints that behave normally under standard evaluation but jailbreak when a hidden trigger is present. Recent post-hoc weight-editing methods offer an efficient approach to injecting such backdoors by directly modifying model weights to map a trigger to an attacker-specified response. However, existing methods typically optimize a token-level mapping that forces an affirmative prefix (e.g., ``Sure''), which does not guarantee sustained harmful output -- the model may begin with apparent agreement yet revert to safety-aligned refusal within a few decoding steps. We address this reliability gap by shifting the backdoor objective from surface tokens to internal representations. We extract a steering vector that captures the difference between compliant and refusal behaviors, and compile it into a persistent weight modification that activates only when the trigger is present. To preserve stealthiness and benign utility, we impose a null-space constraint so that the injected edit remains dormant on clean inputs. The method is efficient, requiring only a small set of examples and admitting a closed-form solution. Across multiple safety-aligned LLMs and jailbreak benchmarks, our method achieves high triggered attack success while maintaining non-triggered safety and general utility.