With the development of deep learning (DL), DL-based code search models have achieved state-of-the-art performance and have been widely used by developers during software development. However, the security issue, e.g., recommending vulnerable code, has not received sufficient attention, which will bring potential harm to software development. Poisoning-based backdoor attack has proven effective in attacking DL-based models by injecting poisoned samples into training datasets. However, previous work shows that the attack technique does not perform successfully on all DL-based code search models and tends to fail for Transformer-based models, especially pretrained models. Besides, the infected models generally perform worse than benign models, which makes the attack not stealthy enough and thereby hinders the adoption by developers. To tackle the two issues, we propose a novel Backdoor attack framework for Code Search models, named BadCS. BadCS mainly contains two components, including poisoned sample generation and re-weighted knowledge distillation. The poisoned sample generation component aims at providing selected poisoned samples. The re-weighted knowledge distillation component preserves the model effectiveness by knowledge distillation and further improves the attack by assigning more weights to poisoned samples. Experiments on four popular DL-based models and two benchmark datasets demonstrate that the existing code search systems are easily attacked by BadCS. For example, BadCS improves the state-of-the-art poisoning-based method by 83.03%-99.98% and 75.98%-99.90% on Python and Java datasets, respectively. Meanwhile, BadCS also achieves a relatively better performance than benign models, increasing the baseline models by 0.49% and 0.46% on average, respectively.

翻译：随着深度学习（DL）的发展，基于深度学习的代码搜索模型已取得最先进性能，并在软件开发过程中被开发者广泛使用。然而，其安全问题（例如推荐易受攻击的代码）尚未得到足够重视，这将为软件开发带来潜在危害。基于投毒的后门攻击已被证明能有效攻击深度学习模型，其通过向训练数据集中注入恶意样本实现攻击。然而，现有研究表明，该攻击技术并非对所有基于深度学习的代码搜索模型均有效，尤其难以攻击基于Transformer的模型（特别是预训练模型）。此外，被感染模型的性能通常低于良性模型，这使得攻击缺乏隐蔽性，从而阻碍开发者采用。为应对这两个问题，我们提出了一种面向代码搜索模型的新型后门攻击框架BadCS。BadCS主要包含两个组件：恶意样本生成组件与重加权知识蒸馏组件。恶意样本生成组件旨在提供选定的恶意样本，重加权知识蒸馏组件通过知识蒸馏保持模型有效性，并通过向恶意样本分配更高权重进一步提升攻击效果。在四种主流深度学习模型和两个基准数据集上的实验表明，现有代码搜索系统极易受到BadCS攻击。例如，在Python和Java数据集上，BadCS相较于最先进的基于投毒的方法分别提升了83.03%-99.98%和75.98%-99.90%。同时，BadCS还实现了优于良性模型的性能，在基线模型上分别平均提升0.49%和0.46%。