Federated Learning (FL) allows a set of clients to collectively train a global model without sharing local training data. Giving the responsibility of the training to decentralized actors may lead to poisoning attacks: clients controlled by a malicious third party can poison the training dataset to install a backdoor in neural networks. In FL, these backdoor attacks have so far relied solely on algorithmic approaches; however, recent advances in hardware fault threats (e.g., Rowhammer) have widened the overall attack surface. In the context of federated model adaptation, we introduce a novel category of backdoor attack against FL systems that relies on model poisoning based on hardware-fault attacks. More precisely, we propose a task-agnostic backdoor attack that is implanted during FL training time by inducing hardware faults (bit-flips) in the parameters of a single local model. The backdoor is crafted during a prior offline phase from the pretrained model initially used by the FL system. Our results show that the backdoor can be successfully applied to different types of models and datasets. Typically, up to 10 faults per malicious client occurrence and 19 total occurrences on a ResNet-18 are enough to reach a 94% attack success rate. Finally, we discuss the practicality and the robustness of the attack against potential defenses, while putting into perspective the practical constraints of Rowhammer, which is the preferred attack vector for this type of threat.