Papers
Topics
Authors
Recent
Search
2000 character limit reached

Stage-Transferred Attacks Overview

Updated 8 July 2026
  • Stage-Transferred Attacks are multi-stage exploit patterns where adversaries transfer malicious capabilities across system lifecycle stages to bypass traditional security boundaries.
  • They leverage asymmetries and stage-specific vulnerabilities—from hardware fabrication to dialogue turns—to maintain stealth and continuity of attack effects.
  • Empirical studies demonstrate measurable impacts in hardware Trojan integrity, multi-turn LLM information leaks, and transfer learning privacy, stressing the need for stage-aware defenses.

Stage-Transferred Attacks denotes a family of attack patterns in which malicious capability, information, or attack leverage is moved across stages of a system’s lifecycle or operation. The term is used in several distinct ways in recent literature: fabrication-stage compromises that “transfer” the functional intent of a hardware Trojan into late supply-chain stages such as mask/ECO while preserving sign-off and expected behavior (Moschos et al., 2024); multi-stage prompt inference attacks in which an adversary chains mild, indirect, or covert prompts across multiple turns to progressively extract confidential information from an enterprise LLM (Balashov et al., 21 Jul 2025); adversarial and privacy attacks that reuse knowledge from pretraining or transfer learning stages to attack downstream fine-tuned or source models (Zhang et al., 2022, Hidano et al., 2020); enrollment-stage backdoors whose effect materializes later at recognition in speaker recognition systems (Li et al., 2023); and formal or SIEM-driven analyses of complex, multi-stage attack traces in web applications and smart grids (Meo et al., 2017, Sen et al., 2021). A plausible implication is that the term names a recurring structural idea rather than a single canonical mechanism.

1. Terminological scope and recurring structure

Across the cited literature, the “stage” in Stage-Transferred Attacks can refer to a supply-chain stage, an interaction stage, a training stage, an enrollment stage, or a kill-chain stage. The transferred object also varies: in CPUs it is the functional intent of a hardware Trojan; in enterprise LLMs it is confidential information moved from protected context into attacker-visible outputs in small increments; in transfer-learning attacks it is adversarial structure, surrogate gradients, or transferred parameters; in speaker recognition it is a poisoned template state carried from enrollment to recognition; and in cyber-physical or web settings it is the attacker’s capability chain or the system’s belief that one action has transitioned into another (Moschos et al., 2024, Balashov et al., 21 Jul 2025, Zhang et al., 2022, Hidano et al., 2020, Li et al., 2023, Meo et al., 2017, Sen et al., 2021).

Domain Stages Transfer mechanism
CPU hardware Trojans design-stage intent to fabrication stage pre-mask ECO-style edits in GDSII
Enterprise LLMs reconnaissance, exploitation, exfiltration cumulative leakage across turns
Fine-tuned models source/pretrained stage to downstream target stage surrogate gradients and latent-space search
Transfer learning privacy transferred backbone to shadow models transfer shadow training
Speaker recognition enrollment stage to recognition stage poisoned template T~
Smart grids and web apps kill-chain or exploit stages correlated paths and composed vulnerabilities

This recurring structure has three stable elements. First, an attacker exploits asymmetry between stages: foundry access after tape-out, query access across dialogue turns, white-box access to transferred layers, or brief physical access during enrollment. Second, the transfer mechanism is chosen to survive stage boundaries: OS context switches, RAG guardrails, architecture mismatch, or template reuse. Third, the resulting attack often has a reduced immediate detection surface because the malicious effect is distributed across time, components, or lifecycle phases.

2. Fabrication-stage transfer in interrupt-resilient CPU Trojans

In hardware security, Stage-Transferred Attacks are fabrication-stage compromises that “transfer” the functional intent of a hardware Trojan, traditionally assumed to require early design-stage changes, into late supply-chain stages while preserving sign-off and the chip’s expected behavior. The concrete instantiation is the interrupt-resilient hardware Trojan (IRT), inserted by a malicious foundry adversary with access to the GDSII and supporting collateral and realized through pre-mask ECO-style edits that replace filler cells with Trojan gates near target modules (Moschos et al., 2024).

The motivating problem is non-deterministic triggering in CPUs. The attack target is the MMU exception generation path during memory stores to kernel space, where the payload manipulates the “U-bit” of the page table entry presented to the exception handler. Traditional CPU Trojans can fail because race conditions arise between trigger signals and targeted CPU events under interrupts, timer ticks, DMA, and process scheduling. IRTs address this with two trigger regimes. IRT-1 is a selectively-ready trigger attached to two 64-bit GPR nets and monitors a 128-bit activation sequence captured and restored by OS context switching. IRT-2 is an always-ready trigger attached to two 64-bit ALU adder operand nets and uses a two-state FSM, S0S1S0 \rightarrow S1 on activation and S1S0S1 \rightarrow S0 on deactivation, so the trigger remains asserted across context switches.

The key timing argument is explicit. For IRT-1, trigger delivery is treated as a multi-cycle path and relies on the fact that the page-table walk precedes the store’s exception check, so that

ttrigger_arrivaltevent_startt_{\text{trigger\_arrival}} \le t_{\text{event\_start}}

with k2k \ge 2 depending on page-table-walk latency. The design objective is to preserve sign-off, expressed as

s=Ttpath.s = T - t_{\text{path}}.

In the reported CVA6 implementation at 28 nm and 600 MHz, slack remained $0$ ps before and after insertion, the number of violations after insertion was $0$, average added capacitive load was $6.8$ fF for IRT-1 and $6.2$ fF for IRT-2, average added delay was S0S1S0 \rightarrow S10 ps for IRT-1 and S0S1S0 \rightarrow S11 ps for IRT-2, density increased from S0S1S0 \rightarrow S12 to S0S1S0 \rightarrow S13, and power changed from S0S1S0 \rightarrow S14 baseline to S0S1S0 \rightarrow S15 for IRT-1 and S0S1S0 \rightarrow S16 for IRT-2 (Moschos et al., 2024).

The attack scenarios include an integrity attack that suppresses MMU exceptions to modify arbitrary kernel-space addresses allocated by a custom Linux Kernel Module, and an availability attack that overwrites task_struct after init_task to cause kernel panic. Runtime evidence is tied to context switching. For IRT-1, a 32 KB overwrite showed user mode events: S0S1S0 \rightarrow S17, supervisor: S0S1S0 \rightarrow S18, machine: S0S1S0 \rightarrow S19. For IRT-2 under multitasking with Dhrystone, a 32 KB overwrite showed user: S1S0S1 \rightarrow S00, supervisor: S1S0S1 \rightarrow S01, machine: S1S0S1 \rightarrow S02. The significance is not merely feasibility. The paper states that this challenges the common wisdom regarding the low flexibility of late supply chain stages for the insertion of powerful trojans, because a tape-out-ready Linux-capable RISC-V core can be modified at the foundry via ECO while leaving sign-off characteristics intact (Moschos et al., 2024).

3. Multi-turn information transfer in enterprise LLM systems

In enterprise LLM security, Stage-Transferred Attacks are multi-stage prompt inference attacks in which an adversary chains a sequence of mild, indirect, or covert prompts across multiple turns to progressively extract confidential information from an enterprise LLM system integrated with internal data sources such as SharePoint, email archives, or knowledge bases. The system model is RAG-based: a user query is augmented by retrieved internal content and fed to the LLM, with standard guardrails such as instruction-tuning to refuse sensitive requests, content filtering, and a prompt-injection classifier (Balashov et al., 21 Jul 2025).

The formalization centers on a secret random variable S1S0S1 \rightarrow S03, turns S1S0S1 \rightarrow S04, attacker queries S1S0S1 \rightarrow S05, model outputs S1S0S1 \rightarrow S06, history S1S0S1 \rightarrow S07, and detection flags S1S0S1 \rightarrow S08. Total leakage is measured as

S1S0S1 \rightarrow S09

If ttrigger_arrivaltevent_startt_{\text{trigger\_arrival}} \le t_{\text{event\_start}}0 on average, then ttrigger_arrivaltevent_startt_{\text{trigger\_arrival}} \le t_{\text{event\_start}}1, so full determination of ttrigger_arrivaltevent_startt_{\text{trigger\_arrival}} \le t_{\text{event\_start}}2 requires ttrigger_arrivaltevent_startt_{\text{trigger\_arrival}} \le t_{\text{event\_start}}3. Query planning is cast as maximizing expected information gain, optionally with a detection penalty:

ttrigger_arrivaltevent_startt_{\text{trigger\_arrival}} \le t_{\text{event\_start}}4

and

ttrigger_arrivaltevent_startt_{\text{trigger\_arrival}} \le t_{\text{event\_start}}5

The operational stages are reconnaissance, exploitation, and exfiltration. Reconnaissance learns meta-information such as file names, formats, or existence. Exploitation uses adaptive questioning or indirect prompt injection to elicit bits of the secret. Exfiltration causes the system to emit the secret directly or through an indirect channel such as URLs or coded responses. The paper reports a reconstruction case study in which an attacker reconstructed a 500-word confidential report with 90% accuracy over ≈20 dialogue turns, and a binary-search extraction in which an ttrigger_arrivaltevent_startt_{\text{trigger\_arrival}} \le t_{\text{event\_start}}6-bit secret was extracted with >99% success using ≈ttrigger_arrivaltevent_startt_{\text{trigger\_arrival}} \le t_{\text{event\_start}}7 yes/no questions. Leakage curves show that unprotected systems allowed full reconstruction in ≈9 steps, while DP-trained systems showed markedly slower, partial leakage over the same horizon (Balashov et al., 21 Jul 2025).

The defense side is explicitly conversation-aware. FocusTrack uses query perplexity, semantic similarity and refinement patterns across successive queries, injection markers, and response-side indicators, and reports AUROC ≈ 0.95, compared with a baseline ≈ 0.82; it also reports 96% detection at 5% false positive rate for multi-turn attacks, with example TPRs of ttrigger_arrivaltevent_startt_{\text{trigger\_arrival}} \le t_{\text{event\_start}}8 at ttrigger_arrivaltevent_startt_{\text{trigger\_arrival}} \le t_{\text{event\_start}}9 TNR and k2k \ge 20 at k2k \ge 21 TNR. “Spotlighting” preprocesses prompts to encase untrusted content in a syntactic sandbox and to delineate provenance, reducing attack success rates from >50% to <2% with ≈0.5 BLEU drop on a summarization task. A learned content firewall flagged ≈88% of unauthorized data tokens for redaction. DP-SGD fine-tuning with k2k \ge 22 per document reduced verbatim memorization, and membership inference precision dropped to ≈50% from ≈90% without DP. Combined mitigations—sanitization, spotlighting, anomaly detection, access control, output filtering, and DP where feasible—prevented complete exfiltration in >95% of attempted dialogues in the prototype evaluation (Balashov et al., 21 Jul 2025).

4. Transfer across training, transfer-learning, and enrollment stages

In adversarial machine learning, one usage of Stage-Transferred Attacks is the explicit exploitation of the pretraining stage to attack a downstream fine-tuned model under black-box constraints. In the BAFT formulation, the source stage uses a large dataset and model k2k \ge 23, the target stage fine-tunes a model k2k \ge 24, and the attack transfers adversarial structure and surrogate gradients from the source stage to guide a query-efficient search on the target stage. The proposed method trains an adversarial generator k2k \ge 25 with encoder k2k \ge 26 and decoder k2k \ge 27 so that

k2k \ge 28

with k2k \ge 29 in s=Ttpath.s = T - t_{\text{path}}.0, and then performs guided evolutionary strategies in latent space with covariance

s=Ttpath.s = T - t_{\text{path}}.1

Soft labels bridge label-space mismatch through

s=Ttpath.s = T - t_{\text{path}}.2

Under untargeted CD-BAFT on Product, TES achieved 89.30% fool rate with mean queries 51.33, compared with TREMBA at 88.63% and 65.93. Under targeted CDCA-BAFT on Art, TES achieved 36.40% with 1512 queries, compared with TREMBA at 25.31% and 1688. The reported conclusion is that source-stage adversarial leverage can be systematically transferred to fine-tuned targets across domains and architectures (Zhang et al., 2022).

A second usage appears in transfer-learning privacy. TransMIA exploits transferred parameters s=Ttpath.s = T - t_{\text{path}}.3 from a source model s=Ttpath.s = T - t_{\text{path}}.4 to initialize shadow models and thereby improve membership inference on the source model when shadow data are scarce. The attacker has white-box access to s=Ttpath.s = T - t_{\text{path}}.5, black-box access to s=Ttpath.s = T - t_{\text{path}}.6, and limited shadow training and test datasets. Transfer shadow training sets s=Ttpath.s = T - t_{\text{path}}.7 for each shadow model and then either freezes s=Ttpath.s = T - t_{\text{path}}.8 or fine-tunes it. Confidence, entropy, and modified prediction entropy are used:

s=Ttpath.s = T - t_{\text{path}}.9

and

$0$0

Empirically, TransMIA-L (freezing) surpassed the “Baseline5000” line for shadow sizes ≥ 300, despite using dramatically fewer per-shadow samples, while TransMIA-E remained below 55% accuracy across datasets and sizes. Pure black-box access to the transferred target model $0$1 yielded accuracy and precision ≈ 0.5, indicating ineffective inference of source membership purely from target outputs (Hidano et al., 2020).

A third instantiation is the enrollment-stage backdoor in speaker recognition systems. Tuner injects an ultrasonic backdoor during enrollment and relies on stage transfer to recognition, so that a poisoned template

$0$2

accepts both the legitimate user and the adversary. The optimization is over random speech content, vocalizing time, volume, and distance, and uses sparse frequency points, pre-compensation, and single-sideband modulation:

$0$3

The attack is described as inaudible, synchronization-free, content-independent, and black-box. Digitally, ASR reached 100% at 4.0 s backdoor duration across tasks, with ACC ≈100%. Across speakers, average ASR was ≈95.9% for SV, ≈99.8% for CSI, and ≈95.9% for OSI, with ACC ≈97.2% for SV, 100% for CSI, and 97.2% for OSI. Physically, the attack was effective from 0.5 m up to 6 m, with ASR ≥91.7% across rooms and ≈89% at 6 m after tuning $0$4 to $0$5 (Li et al., 2023).

5. Formal composition, correlated evidence, and multi-stage progression

In web-application analysis, Stage-Transferred Attacks are formalized as multi-stage attacks that combine file-system vulnerabilities and SQL Injection vulnerabilities to violate authentication or confidentiality. The attacker follows the Dolev–Yao model, interacts only with the web app, and uses abstract payloads encoded as constants: fsi for file-system attacks, sqli for SQL injection payloads, and evil_file for uploaded malicious server-side scripts. The formal model introduces predicates such as inFS(filePath) and inDB(SQLquery), and Horn clauses such as fs_hc_evil(M): inFS(fsi.M) and db_hc_evil(M): inDB(sqli.M). Confidentiality goals are expressed in LTL as $0$6 and automated analysis with WAFEx and CL-AtSe generates Abstract Attack Traces in 30–50 ms model-checking time. One reported trace is i -> WebApp : userid.sqli.fsi, followed by WebApp -> DB : query(sqli.fsi), DB -> FS : readFile(fsi), FS -> DB : file(fsi), DB -> WebApp : tuple(file(fsi)), and WebApp -> i : userid.tuple(file(fsi)), which composes SQLi with DB-to-FS read to leak a file (Meo et al., 2017).

In smart grids, the same multi-stage idea appears as DOMCA, a SIEM-based detection system for coordinated, timed attacks in energy information systems. DOMCA correlates cross-domain evidence from IT, OT, and SCADA communications and process semantics, normalizes alerts into packet events and message-path objects, and uses Dempster–Shafer Theory with Zhang’s combination rule to assign masses to actions and transition masses to attack-graph edges. The Event Correlator identifies infected hosts, infers the C2 host, detects access attempts, malware installation, C2 tasking, and communication-dependent actions; the Strategy Correlator reconstructs candidate paths and computes graph and path masses; the Kill-Chain identifier outputs the most credible current phase. In 207 simulations across Havex, Stuxnet, randomized actions, and no-attack, DOMCA achieved attacker presence detection rate 87.86% on average, with no false positives observed, and kill-chain phase accuracy 56.38% overall; when the correct strategy was first identified, kill-chain phase accuracy rose above 97% (Sen et al., 2021).

These two lines of work emphasize different sides of the same phenomenon. The web-application framework focuses on exploit composition and reachability of security-goal violations. DOMCA focuses on chronological ordering, cross-domain linkage, and belief propagation from earlier-stage indicators to later-stage hypotheses. In both cases, stage transfer is not merely temporal sequencing; it is the formal conversion of one stage’s capability or evidence into the precondition for the next stage.

6. Predictability, boundary cases, and defensive implications

One unresolved question is whether transferability admits a stable predictor. In CNN adversarial transfer, the relationship between representational similarity and transferred attack success was examined using CKA and the refined Diagonal Box Similarity. Model-level CKA had mean $0$6, median $0$7, std $0$8, and range $0$9; DBS with radius $0$0 widened the score range to $0$1–$0$2. Yet the reported conclusion is that Pearson, Spearman, Kendall, and Distance Correlation yielded no robust, universal correlation between CKA or DBS similarity and transferred success across architectures and attack types. The notable exception is that a DecisionTreeRegressor predicted transferred attack success for all black-box and Carlini & Wagner attacks with an accuracy of over 90% under certain conditions, including black-box targeted accuracy 96.05% and CW targeted accuracy 91.45% (Klause et al., 27 Jan 2025). This suggests that stage transfer may be predictable in some operational regimes without being reducible to a single global similarity law.

A boundary case appears in transient execution. The survey does not use the exact term “Stage-Transferred Attacks,” but maps the concept to cases where transient values created in one pipeline stage are forwarded or sampled by younger instructions in other stages during speculation. The most direct instances are Spectre v4 or Speculative Store Bypass and Load Value Injection via store-to-load forwarding, memory disambiguation, and line-fill buffers; MDS and TAA via stale or in-flight data in store buffers, load buffers, and LFBs; Meltdown-family faults in which a faulting load temporarily transfers privileged cache line data to a younger disclosure gadget; and Spectre v1, v2, and v5, where mispredicted paths allow temporary read-and-encode behavior before squash (Xiong et al., 2020). The survey’s setup phase, transient execution phase, and decoding phase show that stage transfer can also be a microarchitectural forwarding phenomenon rather than a lifecycle or dialogue phenomenon.

Defensive implications therefore remain domain-specific. Hardware-stage transfer raises SEM-based de-layering, backscatter EM side-channel clustering, and ECO-like anomaly detection in GDSII (Moschos et al., 2024). Enterprise LLM transfer requires reducing per-turn leakage, constraining $0$3, and detecting suspicious multi-stage patterns over the entire conversation rather than per turn (Balashov et al., 21 Jul 2025). Transfer-learning privacy emphasizes securing transferred parameters $0$4 operationally because white-box access to $0$5 is the decisive enabler (Hidano et al., 2020). Enrollment-stage transfer in speaker recognition motivates ultrasound monitoring during enrollment, unsupervised anomaly detection such as NormDetect, and hardware countermeasures such as GuardSignal and EarArray (Li et al., 2023). Web and smart-grid settings emphasize formal attack graphs, path reconstruction, semantic checks, and threshold calibration (Meo et al., 2017, Sen et al., 2021).

Taken together, the literature supports a narrow but recurring proposition: stage boundaries are not reliable security boundaries when adversaries can preserve state, leverage accumulated leakage, or repurpose artifacts created in one stage for exploitation in another. The exact mechanics differ substantially, but the common analytical task is to identify what is transferred, how that transfer survives the intervening stage, and which observations or invariants remain available for detection.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Stage-Transferred Attacks.