BadReasoner: Planting Tunable Overthinking Backdoors into Large Reasoning Models for Fun or Profit
This addresses a security vulnerability in large reasoning models, posing a resource-consumption threat for AI systems, and is incremental as it builds on existing backdoor concepts with a novel tunable approach.
The paper identifies a new attack vector called 'overthinking backdoors' against large reasoning models, where an attacker can precisely control the model's reasoning verbosity through data poisoning, resulting in a controllable, multi-fold increase in reasoning length without affecting answer correctness.
Large reasoning models (LRMs) have emerged as a significant advancement in artificial intelligence, representing a specialized class of large language models (LLMs) designed to tackle complex reasoning tasks. The defining characteristic of LRMs lies in their extensive chain-of-thought (CoT) reasoning capabilities. In this paper, we identify a previously unexplored attack vector against LRMs, which we term "overthinking backdoors". We advance this concept by proposing a novel tunable backdoor, which moves beyond simple on/off attacks to one where an attacker can precisely control the extent of the model's reasoning verbosity. Our attack is implemented through a novel data poisoning methodology. It pairs a tunable trigger-where the number of repetitions signals the desired intensity-with a correspondingly verbose CoT response. These responses are programmatically generated by instructing a teacher LLM to inject a controlled number of redundant refinement steps into a correct reasoning process. The approach preserves output correctness, which ensures stealth and establishes the attack as a pure resource-consumption vector. Extensive empirical results on various LRMs demonstrate that our method can reliably trigger a controllable, multi-fold increase in the length of the reasoning process, without degrading the final answer's correctness. Our source code is available at https://github.com/FZaKK/BadReasoner.