{"paper":{"title":"Where Do Backdoors Live? A Component-Level Analysis of Backdoor Propagation in Speech Language Models","license":"http://creativecommons.org/licenses/by/4.0/","headline":"Backdoors propagate through speech language models to leave all tasks vulnerable, with their persistence depending on the targeted component.","cross_cats":["cs.CR","cs.SD"],"primary_cat":"cs.CL","authors_text":"Alexandrine Fortier, Jes\\'us Villalba, Najim Dehak, Patrick Cardinal, Peter West, Thomas Thebaud","submitted_at":"2025-10-01T17:45:04Z","abstract_excerpt":"Speech language models (SLMs) are systems of systems: independent components that unite to achieve a common goal. Despite their heterogeneous nature, SLMs are often studied end-to-end; how information flows through the pipeline remains obscure. We investigate this question through the lens of backdoor attacks. We first establish that backdoors can propagate through the SLM, leaving all tasks highly vulnerable. From this, we design a component analysis to discover the role each component takes in backdoor learning. We find that backdoor persistence or erasure is highly dependent on the targeted"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"Backdoors can propagate through the SLM, leaving all tasks highly vulnerable. Backdoor persistence or erasure is highly dependent on the targeted component. Poisoned samples are not directly separable from benign ones in shared multitask embeddings.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"The component analysis assumes that backdoors can be injected into and isolated within individual pipeline stages without the injection process itself creating confounding interactions across stages that would invalidate the attribution of persistence or erasure to specific components.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"Backdoors propagate through SLM components with persistence or erasure depending on the targeted part, and poisoned samples are not directly separable from benign ones in shared multitask embeddings.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"Backdoors propagate through speech language models to leave all tasks vulnerable, with their persistence depending on the targeted component.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"fd4070afc2a3df99da99bd8a767fb1d1398f69ade330db1e7ca6788aa09009b9"},"source":{"id":"2510.01157","kind":"arxiv","version":4},"verdict":{"id":"eb76e631-bb92-40a1-8c50-911cc1bae190","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-18T10:18:22.791508Z","strongest_claim":"Backdoors can propagate through the SLM, leaving all tasks highly vulnerable. Backdoor persistence or erasure is highly dependent on the targeted component. Poisoned samples are not directly separable from benign ones in shared multitask embeddings.","one_line_summary":"Backdoors propagate through SLM components with persistence or erasure depending on the targeted part, and poisoned samples are not directly separable from benign ones in shared multitask embeddings.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"The component analysis assumes that backdoors can be injected into and isolated within individual pipeline stages without the injection process itself creating confounding interactions across stages that would invalidate the attribution of persistence or erasure to specific components.","pith_extraction_headline":"Backdoors propagate through speech language models to leave all tasks vulnerable, with their persistence depending on the targeted component."},"integrity":{"clean":true,"summary":{"advisory":0,"critical":0,"by_detector":{},"informational":0},"endpoint":"/pith/2510.01157/integrity.json","findings":[],"available":true,"detectors_run":[],"snapshot_sha256":"c28c3603d3b5d939e8dc4c7e95fa8dfce3d595e45f758748cecf8e644a296938"},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":1,"snapshot_sha256":"4be5eb2b8c3ffb5d4a6d50bf0f1ed84aa1bd28d2b9ffa28c5db848e5c78fbc28"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"}