REVIEW 2 major objections 5 minor 85 references
CodeTracer traces a malicious code completion back to the poisoned fine-tuning examples that caused it, using only the fine-tuning corpus and the reported miscompletion.
Reviewed by Pith at T0; open to challenge. T0 means a machine referee read the full paper against a public rubric. the ladder, T0–T4 →
T0 review · grok-4.5
2026-07-10 13:45 UTC pith:ZHPPBRTN
load-bearing objection Solid, practical forensic pipeline for code-completion backdoors that actually works under the no-gradient constraint and beats a large baseline suite. the 2 major comments →
Beware What You Autocomplete: Forensic Attribution of Backdoored Code Completions
The pith
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Under realistic post-deployment constraints—access only to the fine-tuning corpus and a user-reported miscompletion event—CodeTracer recovers the backdoored training examples responsible for a malicious completion with consistently low false-negative rates (at most 0.03) across three vulnerability classes and ten poisoning strategies, while keeping false-positive rates near zero and remaining effective against adaptive attacks that deliberately target its own stages.
What carries the argument
CodeTracer’s three-stage pipeline: (1) an external LLM extracts a structured behavioral fingerprint (issue type, canonical form, normalized semantics, variants, transformations) from the miscompletion; (2) a code encoder retrieves the top-K most similar function-level snippets from the fine-tuning corpus; (3) the same LLM performs fine-grained semantic comparison of the fingerprint against each candidate and labels matches as responsible backdoors.
Load-bearing premise
Users honestly report genuine miscompletion events and do not submit fabricated or false-flag reports that would cause the pipeline to blame clean data.
What would settle it
Run the full CodeTracer pipeline on a held-out fine-tuning set that contains known backdoored examples for the jinja2, requests, and socket cases; if the false-negative rate rises above 0.10 for any of the ten attacks or the adaptive variants, the central accuracy claim is falsified.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper introduces CodeTracer, a three-stage post-deployment forensic framework that attributes a reported malicious code completion (miscompletion event) back to the responsible poisoned fine-tuning examples. Given only the fine-tuning corpus and the prompt+completion pair, it (1) extracts a structured behavioral fingerprint via an external LLM, (2) narrows the search space by function-level embedding retrieval with UniXcoder and max cosine similarity (Eq. 1), and (3) uses LLM-based semantic comparison against the fingerprint to label candidates. Experiments cover three vulnerability classes (jinja2, requests, socket), eight standard plus two adaptive backdoor attacks, sixteen baselines, ablations, multi-attacker/multi-hop/noisy-report settings, and scale-up to 8 M clean examples. Reported results show FNR ≤ 0.03, near-zero FPR, large ASR reductions after removal of traced examples, and robustness under the authors’ own adaptive attacks.
Significance. If the empirical claims hold, the work supplies a practical, gradient-free forensic capability that is currently missing for code-completion models. Preventive defenses are shown to be weak against stealthy payloads; a reliable post-hoc attribution tool would let providers audit and clean fine-tuning corpora without full retraining. Strengths include the breadth of the evaluation (ten attacks, three cases, sixteen baselines, adaptive and multi-hop settings), explicit ablations of each pipeline stage, and the realistic threat model that assumes only the corpus and a reported miscompletion. The honest-report premise is a genuine scope limit already acknowledged in the Limitations section and shared with the cited forensics literature; it does not invalidate the measured performance under that premise.
major comments (2)
- Section 3 and Limitations: the entire pipeline is conditioned on honest, true-positive miscompletion reports. Fabricated reports would cause CodeTracer to attribute blame to clean data. While the authors correctly flag this and note that the same assumption appears in prior forensics work, the manuscript should quantify the risk more carefully—e.g., by measuring how many clean examples are flagged when a deliberately false or noisy report is supplied, and by discussing concrete human-in-the-loop filters beyond a one-sentence suggestion.
- Section 4.2 / Eq. (1) and Table 9: the claim that function-level max-similarity retrieval recovers nearly all responsible examples rests on an empirical axiom that is only partially stress-tested. Table 9 shows FNR rising to 0.05–0.09 when top-K drops to 250; the adaptive embedding-perturbation attack (Appendix E, Table 15) is the only direct attempt to break the embedding stage. A short additional experiment that systematically varies function length, padding volume, or multi-function payloads would make the recall guarantee more convincing.
minor comments (5)
- Algorithm 1 appears twice in the appendix (identical copies). Remove the duplicate.
- Tables 3 and 4 report FPR/DACC as fractions over 80 000; the absolute counts are useful but the tables become hard to scan. Consider moving the raw counts to an appendix or using scientific notation for the denominators.
- Figure 5 caption and axis labels are readable, yet the TROJAN panel uses a different N scale (280–2240) without an explicit note in the main text; a one-sentence clarification would help.
- Prompt 1 and Prompt 2 are given in full; a short note on temperature / decoding settings used for the external LLM would improve reproducibility.
- A few typographical inconsistencies remain (e.g., “CodeTracer” sometimes rendered without the space after the period in running text; “jinja2” vs. “Jinja2”). A light copy-edit pass would clean these.
Circularity Check
No circularity: CodeTracer is an empirical forensic pipeline whose accuracy claims are measured against independently constructed ground-truth poisoned sets, not derived by construction from fitted parameters or self-referential definitions.
full rationale
The paper presents a three-stage engineering method (fingerprint extraction via external LLM, embedding-based scope narrowing with UniXcoder, and LLM-based attribution) and evaluates it empirically. Performance numbers (FNR ≤ 0.03, near-zero FPR, ASR reduction after removal) are obtained by comparing the method’s output set B against the known set of poisoned examples that the authors themselves injected under ten published attack strategies. There is no mathematical derivation claiming to predict a quantity from first principles; the “prediction” is simply the forensic label returned by Prompt 2, which is then scored against ground truth. Self-citations (e.g., to Yan et al. 2024 for the threat model and attack suite, or to Zhang et al. for baseline forensic methods) supply experimental settings and comparison points; they do not define the accuracy metric or force the reported FNR by construction. Ablations, adaptive attacks, multi-attacker, multi-hop, and noisy-report experiments further test the pipeline rather than tautologically restate its inputs. The honest-report assumption is a scope limitation, not a circular step. Consequently the central claim is an ordinary empirical result and carries zero circularity under the stated criteria.
Axiom & Free-Parameter Ledger
free parameters (3)
- top-K retrieval size =
500
- number of poisoned examples N =
20 (default)
- external LLM choice =
GPT-4.1
axioms (4)
- domain assumption Users honestly report genuine miscompletion events; false-flag reports are excluded.
- domain assumption The pre-trained base model is clean; only fine-tuning data may be poisoned.
- domain assumption An external LLM can reliably judge semantic equivalence of unsafe code logic given a structured fingerprint.
- ad hoc to paper Function-level (or fixed-length) partitioning plus max cosine similarity recovers the responsible examples with high recall.
invented entities (2)
-
structured behavioral fingerprint (JSON schema with issue_type, canonical_form, etc.)
no independent evidence
-
CodeTracer three-stage pipeline
no independent evidence
read the original abstract
Large language models have enabled powerful code completion systems that assist developers by predicting subsequent lines of code. However, these models remain vulnerable to backdoor attacks, where malicious fine-tuning data covertly implants unsafe behaviors. Despite advances in defensive techniques, adaptive and sophisticated backdoor attacks still evade detection and mitigation. We present CodeTracer, a forensic framework that traces malicious code completions back to the backdoor fine-tuning data responsible for them. Operating under realistic post-deployment constraints, CodeTracer relies solely on the fine-tuning corpus and the reported miscompletion event. It extracts a structured behavioral fingerprint from the compromised output, narrows the search to semantically relevant code samples, and employs LLM-based reasoning to attribute unsafe logic to specific backdoor data. Extensive evaluations across three representative vulnerability cases and ten backdoor attacks, along with sixteen competitive baselines, demonstrate that CodeTracer consistently achieves high forensic accuracy, low false identification rates, and strong robustness against adaptive attacks.
Figures
Reference graph
Works this paper leans on
-
[1]
USENIX Security Symposium , year=
An LLM-Assisted Easy-to-Trigger backdoor attack on code completion models: Injecting disguised vulnerabilities against strong detection , author=. USENIX Security Symposium , year=
-
[2]
Beagle: Forensics of deep learning backdoor attack for better defense , author=. NDSS , year=
-
[3]
Tracing Back the Malicious Clients in Poisoning Attacks to Federated Learning , author=. NeurIPS , year=
- [4]
-
[5]
ACM Transactions on Software Engineering and Methodology , year=
Poison attack and poison detection on deep source code processing models , author=. ACM Transactions on Software Engineering and Methodology , year=
-
[7]
Identifying a training-set attack's target using renormalized influence estimation , author=. CCS , year=
-
[8]
IEEE Symposium on Security and Privacy , year=
Who Taught the Lie? Responsibility Attribution for Poisoned Knowledge in Retrieval-Augmented Generation , author=. IEEE Symposium on Security and Privacy , year=
-
[9]
USENIX Security Symposium , year=
Patcher: Post-Hoc Patching of Backdoored Large Language Models , author=. USENIX Security Symposium , year=
-
[10]
Philosophical Transactions of the Royal Society A , year=
Large language models as tax attorneys: a case study in legal capabilities emergence , author=. Philosophical Transactions of the Royal Society A , year=
-
[11]
Electronic notes in theoretical computer science , year=
A comparative study of industrial static analysis tools , author=. Electronic notes in theoretical computer science , year=
-
[12]
Tracking down software bugs using automatic anomaly detection , author=. ICSE , year=
-
[13]
Would static analysis tools help developers with code reviews? , author=. SANER , year=
-
[15]
Nature Reviews Physics , year=
Science in the age of large language models , author=. Nature Reviews Physics , year=
-
[16]
ACM Transactions on Software Engineering and Methodology , year=
Large language models for software engineering: A systematic literature review , author=. ACM Transactions on Software Engineering and Methodology , year=
- [17]
-
[21]
Qwen technical report , author=. arXiv preprint arXiv:2309.16609 , year=
work page internal anchor Pith review Pith/arXiv arXiv
-
[22]
Gemma: Open Models Based on Gemini Research and Technology
Gemma: Open models based on gemini research and technology , author=. arXiv preprint arXiv:2403.08295 , year=
work page internal anchor Pith review Pith/arXiv arXiv
-
[23]
Large language models for software engineering: Survey and open problems , author=. ICSE-FoSE , year=
- [24]
-
[25]
Crosscodeeval: A diverse and multilingual benchmark for cross-file code completion , author=. NeurIPS , year=
- [26]
-
[27]
When code completion fails: A case study on real-world completions , author=. ICSE , year=
-
[28]
StarCoder: may the source be with you!
Starcoder: may the source be with you! , author=. arXiv preprint arXiv:2305.06161 , year=
work page internal anchor Pith review Pith/arXiv arXiv
-
[29]
WizardCoder: Empowering Code Large Language Models with Evol-Instruct
WizardCoder: Empowering Code Large Language Models with Evol-Instruct , author=. arXiv preprint arXiv:2306.08568 , year=
work page internal anchor Pith review Pith/arXiv arXiv
-
[30]
IEEE Transactions on Software Engineering , year=
Stealthy backdoor attack for code models , author=. IEEE Transactions on Software Engineering , year=
-
[31]
IEEE Symposium on Security and Privacy , year=
Trojanpuzzle: Covertly poisoning code-suggestion models , author=. IEEE Symposium on Security and Privacy , year=
-
[32]
Computer Standards & Interfaces , year=
Large language models for code completion: A systematic literature review , author=. Computer Standards & Interfaces , year=
-
[33]
Bert: Pre-training of deep bidirectional transformers for language understanding , author=. NAACL-HLT , year=
-
[34]
Codegen: An open large language model for code with multi-turn program synthesis , author=. ICLR , year=
-
[35]
Language models are unsupervised multitask learners , author=. OpenAI blog , year=
-
[36]
Language models for code completion: A practical evaluation , author=. ICSE , year=
-
[37]
Multi-task learning based pre-trained language model for code completion , author=. ASE , year=
-
[38]
USENIX Security Symposium , year=
You autocomplete me: Poisoning vulnerabilities in neural code completion , author=. USENIX Security Symposium , year=
-
[41]
Contextcite: Attributing model generation to context , author=. NeurIPS , year=
-
[42]
USENIX Security Symposium , year=
TracLLM: A Generic Framework for Attributing Long Context LLMs , author=. USENIX Security Symposium , year=
-
[44]
A Conversational Paradigm for Program Synthesis , author=. arXiv preprint , year=
-
[45]
Which agent causes task failures and when? on automated failure attribution of llm multi-agent systems , author=. ICML , year=
-
[46]
USENIX Security Symposium , year=
Poison forensics: Traceback of data poisoning attacks in neural networks , author=. USENIX Security Symposium , year=
-
[47]
Traceback of poisoning attacks to retrieval-augmented generation , author=. The Web Conference , year=
-
[48]
OpenRCA: Can large language models locate the root cause of software failures? , author=. ICLR , year=
-
[49]
Statistics and computing , year=
A tutorial on spectral clustering , author=. Statistics and computing , year=
-
[50]
Knowledge and information systems , year=
Top 10 algorithms in data mining , author=. Knowledge and information systems , year=
-
[51]
An LLM-Based Agent-Oriented Approach for Automated Code Design Issue Localization , author=. ICSE , year=
-
[52]
Unixcoder: Unified cross-modal pre-training for code representation , author=. Proceedings of the 60th Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers) , pages=
- [53]
- [54]
-
[55]
Josh Achiam, Steven Adler, Sandhini Agarwal, Lama Ahmad, Ilge Akkaya, Florencia Leoni Aleman, Diogo Almeida, Janko Altenschmidt, Sam Altman, Shyamal Anadkat, et al. Gpt-4 technical report. arXiv preprint arXiv:2303.08774, 2023
work page internal anchor Pith review Pith/arXiv arXiv 2023
-
[56]
Trojanpuzzle: Covertly poisoning code-suggestion models
Hojjat Aghakhani, Wei Dai, Andre Manoel, Xavier Fernandes, Anant Kharkar, Christopher Kruegel, Giovanni Vigna, David Evans, Ben Zorn, and Robert Sim. Trojanpuzzle: Covertly poisoning code-suggestion models. In IEEE Symposium on Security and Privacy, 2024
work page 2024
-
[57]
Rohan Anil, Andrew M Dai, Orhan Firat, Melvin Johnson, Dmitry Lepikhin, Alexandre Passos, Siamak Shakeri, Emanuel Taropa, Paige Bailey, Zhifeng Chen, et al. Palm 2 technical report. arXiv preprint arXiv:2305.10403, 2023
work page internal anchor Pith review Pith/arXiv arXiv 2023
-
[58]
An llm-based agent-oriented approach for automated code design issue localization
Fraol Batole, David OBrien, Tien Nguyen, Robert Dyer, and Hridesh Rajan. An llm-based agent-oriented approach for automated code design issue localization. In ICSE, 2025
work page 2025
-
[59]
Language models are few-shot learners
Tom Brown, Benjamin Mann, Nick Ryder, Melanie Subbiah, Jared D Kaplan, Prafulla Dhariwal, Arvind Neelakantan, Pranav Shyam, Girish Sastry, Amanda Askell, et al. Language models are few-shot learners. In NeurIPS, 2020
work page 2020
-
[60]
Beagle: Forensics of deep learning backdoor attack for better defense
Siyuan Cheng, Guanhong Tao, Yingqi Liu, Shengwei An, Xiangzhe Xu, Shiwei Feng, Guangyu Shen, Kaiyuan Zhang, Qiuling Xu, Shiqing Ma, et al. Beagle: Forensics of deep learning backdoor attack for better defense. In NDSS, 2023
work page 2023
-
[61]
Contextcite: Attributing model generation to context
Benjamin Cohen-Wang, Harshay Shah, Kristian Georgiev, and Aleksander Madry. Contextcite: Attributing model generation to context. In NeurIPS, 2024
work page 2024
-
[62]
Bert: Pre-training of deep bidirectional transformers for language understanding
Jacob Devlin, Ming-Wei Chang, Kenton Lee, and Kristina Toutanova. Bert: Pre-training of deep bidirectional transformers for language understanding. In NAACL-HLT, 2019
work page 2019
-
[63]
Abhimanyu Dubey, Abhinav Jauhri, Abhinav Pandey, Abhishek Kadian, Ahmad Al-Dahle, Aiesha Letman, Akhil Mathur, Alan Schelten, Amy Yang, Angela Fan, et al. The llama 3 herd of models. arXiv preprint arXiv:2407.21783, 2024
work page internal anchor Pith review Pith/arXiv arXiv 2024
-
[64]
A comparative study of industrial static analysis tools
P \"a r Emanuelsson and Ulf Nilsson. A comparative study of industrial static analysis tools. In Electronic notes in theoretical computer science, 2008
work page 2008
-
[65]
Patcher: Post-hoc patching of backdoored large language models
Anjun Gao, Yueyang Quan, Yufei Xia, Zhuqing Liu, and Minghong Fang. Patcher: Post-hoc patching of backdoored large language models. In USENIX Security Symposium, 2026
work page 2026
-
[66]
Enabling Large Language Models to Generate Text with Citations
Tianyu Gao, Howard Yen, Jiatong Yu, and Danqi Chen. Enabling large language models to generate text with citations. arXiv preprint arXiv:2305.14627, 2023
work page internal anchor Pith review Pith/arXiv arXiv 2023
-
[67]
Unixcoder: Unified cross-modal pre-training for code representation
Daya Guo, Shuai Lu, Nan Duan, Yanlin Wang, Ming Zhou, and Jian Yin. Unixcoder: Unified cross-modal pre-training for code representation. In Proceedings of the 60th Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers), pp.\ 7212--7225, 2022
work page 2022
-
[68]
Identifying a training-set attack's target using renormalized influence estimation
Zayd Hammoudeh and Daniel Lowd. Identifying a training-set attack's target using renormalized influence estimation. In CCS, 2022
work page 2022
-
[69]
Tracking down software bugs using automatic anomaly detection
Sudheendra Hangal and Monica S Lam. Tracking down software bugs using automatic anomaly detection. In ICSE, 2002
work page 2002
-
[70]
Large language models for code completion: A systematic literature review
Rasha Ahmad Husein, Hala Aburajouh, and Cagatay Catal. Large language models for code completion: A systematic literature review. In Computer Standards & Interfaces, 2025
work page 2025
-
[71]
Language models for code completion: A practical evaluation
Maliheh Izadi, Jonathan Katzy, Tim Van Dam, Marc Otten, Razvan Mihai Popescu, and Arie Van Deursen. Language models for code completion: A practical evaluation. In ICSE, 2024
work page 2024
-
[72]
Tracing back the malicious clients in poisoning attacks to federated learning
Yuqi Jia, Minghong Fang, Hongbin Liu, Jinghuai Zhang, and Neil Zhenqiang Gong. Tracing back the malicious clients in poisoning attacks to federated learning. In NeurIPS, 2025
work page 2025
-
[73]
Poison attack and poison detection on deep source code processing models
Jia Li, Zhuo Li, HuangZhao Zhang, Ge Li, Zhi Jin, Xing Hu, and Xin Xia. Poison attack and poison detection on deep source code processing models. In ACM Transactions on Software Engineering and Methodology, 2024
work page 2024
-
[74]
Multi-task learning based pre-trained language model for code completion
Fang Liu, Ge Li, Yunfei Zhao, and Zhi Jin. Multi-task learning based pre-trained language model for code completion. In ASE, 2020
work page 2020
-
[75]
WebGPT: Browser-assisted question-answering with human feedback
Reiichiro Nakano, Jacob Hilton, Suchir Balaji, Jeff Wu, Long Ouyang, Christina Kim, Christopher Hesse, Shantanu Jain, Vineet Kosaraju, William Saunders, et al. Webgpt: Browser-assisted question-answering with human feedback. arXiv preprint arXiv:2112.09332, 2021
work page internal anchor Pith review Pith/arXiv arXiv 2021
-
[76]
Codegen: An open large language model for code with multi-turn program synthesis
Erik Nijkamp, Bo Pang, Hiroaki Hayashi, Lifu Tu, Huan Wang, Yingbo Zhou, Silvio Savarese, and Caiming Xiong. Codegen: An open large language model for code with multi-turn program synthesis. In ICLR, 2023
work page 2023
-
[77]
Would static analysis tools help developers with code reviews? In SANER, 2015
Sebastiano Panichella, Venera Arnaoudova, Massimiliano Di Penta, and Giuliano Antoniol. Would static analysis tools help developers with code reviews? In SANER, 2015
work page 2015
-
[78]
Language models are unsupervised multitask learners
Alec Radford, Jeffrey Wu, Rewon Child, David Luan, Dario Amodei, Ilya Sutskever, et al. Language models are unsupervised multitask learners. In OpenAI blog, 2019
work page 2019
-
[79]
Utrace: Poisoning forensics for private collaborative learning
Evan Rose, Hidde Lycklama, Harsh Chaudhari, Anwar Hithnawi, and Alina Oprea. Utrace: Poisoning forensics for private collaborative learning. arXiv preprint arXiv:2409.15126, 2024
-
[80]
Code Llama: Open Foundation Models for Code
Baptiste Roziere, Jonas Gehring, Fabian Gloeckle, Sten Sootla, Itai Gat, Xiaoqing Ellen Tan, Yossi Adi, Jingyu Liu, Romain Sauvestre, Tal Remez, et al. Code llama: Open foundation models for code. arXiv preprint arXiv:2308.12950, 2023
work page internal anchor Pith review Pith/arXiv arXiv 2023
-
[81]
You autocomplete me: Poisoning vulnerabilities in neural code completion
Roei Schuster, Congzheng Song, Eran Tromer, and Vitaly Shmatikov. You autocomplete me: Poisoning vulnerabilities in neural code completion. In USENIX Security Symposium, 2021
work page 2021
-
[82]
Poison forensics: Traceback of data poisoning attacks in neural networks
Shawn Shan, Arjun Nitin Bhagoji, Haitao Zheng, and Ben Y Zhao. Poison forensics: Traceback of data poisoning attacks in neural networks. In USENIX Security Symposium, 2022
work page 2022
-
[83]
Backdooring neural code search
Weisong Sun, Yuchen Chen, Guanhong Tao, Chunrong Fang, Xiangyu Zhang, Quanjun Zhang, and Bin Luo. Backdooring neural code search. In ACL, 2023
work page 2023
-
[84]
A tutorial on spectral clustering
Ulrike Von Luxburg. A tutorial on spectral clustering. In Statistics and computing, 2007
work page 2007
-
[85]
AttnTrace: Contextual Attribution of Prompt Injection and Knowledge Corruption
Yanting Wang, Runpeng Geng, Ying Chen, and Jinyuan Jia. Attntrace: Attention-based context traceback for long-context llms. arXiv preprint arXiv:2508.03793, 2025 a
work page internal anchor Pith review Pith/arXiv arXiv 2025
-
[86]
Tracllm: A generic framework for attributing long context llms
Yanting Wang, Wei Zou, Runpeng Geng, and Jinyuan Jia. Tracllm: A generic framework for attributing long context llms. In USENIX Security Symposium, 2025 b
work page 2025
-
[87]
Top 10 algorithms in data mining
Xindong Wu, Vipin Kumar, J Ross Quinlan, Joydeep Ghosh, Qiang Yang, Hiroshi Motoda, Geoffrey J McLachlan, Angus Ng, Bing Liu, Philip S Yu, et al. Top 10 algorithms in data mining. In Knowledge and information systems, 2008
work page 2008
-
[88]
Openrca: Can large language models locate the root cause of software failures? In ICLR, 2025
Junjielong Xu, Qinan Zhang, Zhiqing Zhong, Shilin He, Chaoyun Zhang, Qingwei Lin, Dan Pei, Pinjia He, Dongmei Zhang, and Qi Zhang. Openrca: Can large language models locate the root cause of software failures? In ICLR, 2025
work page 2025
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.