A Simple Yet Practical Backdoor Prompt Attack Against Black-Box Code Summarization Engines

IF 1.8 4区计算机科学 Q3 COMPUTER SCIENCE, SOFTWARE ENGINEERING

Journal of Software-Evolution and Process Pub Date : 2025-08-03 DOI:10.1002/smr.70032

Yubin Qu, Song Huang, Yongming Yao, Peng Nie

{"title":"A Simple Yet Practical Backdoor Prompt Attack Against Black-Box Code Summarization Engines","authors":"Yubin Qu, Song Huang, Yongming Yao, Peng Nie","doi":"10.1002/smr.70032","DOIUrl":null,"url":null,"abstract":"<div>\n \n A code summarization engine based on large language models (LLMs) can describe code functionality from different perspectives according to programmers' needs. However, these engines are at risk of black-box backdoor attacks. We propose a simple yet practical method called Bad Prompt Attack (BPA), specifically designed to investigate such black-box backdoor attacks. This innovative attack method aims to induce the code summarization engine to generate summarizations that conceal security vulnerabilities in source code. Consistent with most commercial code summarization engines, BPA only assumes black-box query access to the target engine without requiring knowledge of its internal structure. This attack targets in-context learning by injecting adversarial demonstrations into user input prompts. We validated our method on the SOTA black-box commercial service, OpenAI API. In security-critical test cases covering seven types of CWE, BPA significantly increased the likelihood that the code summarization engine would generate the attacker-desired code summarization targets, achieving an average attack success rate (ASR) of 91.4%. This result underscores the potential threat of backdoor attacks on code summarization tasks while providing essential reference points for future defense research.\n </div>","PeriodicalId":48898,"journal":{"name":"Journal of Software-Evolution and Process","volume":"37 8","pages":""},"PeriodicalIF":1.8000,"publicationDate":"2025-08-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Software-Evolution and Process","FirstCategoryId":"94","ListUrlMain":"https://onlinelibrary.wiley.com/doi/10.1002/smr.70032","RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, SOFTWARE ENGINEERING","Score":null,"Total":0}

引用次数: 0

Abstract

A code summarization engine based on large language models (LLMs) can describe code functionality from different perspectives according to programmers' needs. However, these engines are at risk of black-box backdoor attacks. We propose a simple yet practical method called Bad Prompt Attack (BPA), specifically designed to investigate such black-box backdoor attacks. This innovative attack method aims to induce the code summarization engine to generate summarizations that conceal security vulnerabilities in source code. Consistent with most commercial code summarization engines, BPA only assumes black-box query access to the target engine without requiring knowledge of its internal structure. This attack targets in-context learning by injecting adversarial demonstrations into user input prompts. We validated our method on the SOTA black-box commercial service, OpenAI API. In security-critical test cases covering seven types of CWE, BPA significantly increased the likelihood that the code summarization engine would generate the attacker-desired code summarization targets, achieving an average attack success rate (ASR) of 91.4%. This result underscores the potential threat of backdoor attacks on code summarization tasks while providing essential reference points for future defense research.

查看原文本刊更多论文

一个简单而实用的后门提示攻击黑盒代码汇总引擎

基于大型语言模型（llm）的代码摘要引擎可以根据程序员的需要从不同的角度描述代码功能。然而，这些引擎面临黑盒后门攻击的风险。我们提出了一种简单而实用的方法，称为坏提示攻击（BPA），专门用于调查这种黑盒后门攻击。这种创新的攻击方法旨在诱导代码摘要引擎生成隐藏源代码安全漏洞的摘要。与大多数商业代码摘要引擎一样，BPA只假定对目标引擎的黑盒查询访问，而不需要了解其内部结构。这种攻击通过在用户输入提示中注入对抗性演示来攻击上下文学习。我们在SOTA黑箱商业服务、OpenAI API上验证了我们的方法。在涵盖七种CWE类型的安全关键测试用例中，BPA显著提高了代码摘要引擎生成攻击者期望的代码摘要目标的可能性，实现了91.4%的平均攻击成功率（ASR）。这一结果强调了后门攻击对代码汇总任务的潜在威胁，同时为未来的防御研究提供了重要的参考点。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Journal of Software-Evolution and Process COMPUTER SCIENCE, SOFTWARE ENGINEERING-

自引率

10.00%

发文量

109