BadDLM: Backdooring Diffusion Language Models with Diverse Targets

TL;DR

This paper introduces BadDLM, a framework for backdoor attacks on diffusion language models, revealing security vulnerabilities and demonstrating effective attacks across various target types while maintaining model utility.

Contribution

The paper presents a novel backdoor attack method for diffusion language models, leveraging their unique denoising process, and evaluates its effectiveness across multiple target scenarios.

Findings

BadDLM achieves high attack success across diverse targets.

The attack preserves most of the model's benign utility.

It remains effective against defenses for autoregressive model backdoors.

Abstract

Diffusion language models (DLMs) have recently emerged as an alternative modeling paradigm to autoregressive (AR) language models, enabling parallel generation and bidirectional context modeling. Yet their security implications, particularly their vulnerability to backdoor attacks, remain underexplored. We propose BadDLM, a unified framework for studying backdoor attacks against DLMs with diverse targets. We introduce a trigger-aware training objective that emphasizes target-relevant positions in poisoned samples, and theoretically prove that this objective is equivalent to training under an induced forward masking distribution. Unlike backdoors in autoregressive models, which typically manipulate next-token prediction, this characterization indicates that BadDLM can implant backdoors by exploiting the forward masking process. We instantiate BadDLM across different target levels: concept injection (BadDLM_Concept), semantic attribute steering (BadDLM_Attribute), alignment bypass (BadDLM_Align), and code payload injection (BadDLM_Payload). Experiments on mainstream open-source DLMs show that BadDLM achieves strong attack effectiveness across diverse targets while largely preserving benign utility, and remains effective against defenses designed for AR backdoors. Our findings expose a new class of security risks in diffusion-based language generation and call for defenses tailored to DLM denoising dynamics.