Recent research has shown that bit-flip attacks (BFAs) can manipulate deep neural networks (DNNs) via DRAM Rowhammer exploitations. Existing attacks are primarily launched over high-level DNN frameworks like PyTorch and flip bits in model weight files. Nevertheless, DNNs are frequently compiled into low-level executables by deep learning (DL) compilers to fully leverage low-level hardware primitives. The compiled code is usually high-speed and manifests dramatically distinct execution paradigms from high-level DNN frameworks. In this paper, we launch the first systematic study on the attack surface of BFA specifically for DNN executables compiled by DL compilers. We design an automated search tool to identify vulnerable bits in DNN executables and identify practical attack vectors that exploit the model structure in DNN executables with BFAs (whereas prior works make likely strong assumptions to attack model weights). DNN executables appear more "opaque" than models in high-level DNN frameworks. Nevertheless, we find that DNN executables contain extensive, severe (e.g., single-bit flip), and transferrable attack surfaces that are not present in high-level DNN models and can be exploited to deplete full model intelligence and control output labels. Our finding calls for incorporating security mechanisms in future DNN compilation toolchains.

翻译：近期研究表明，比特翻转攻击（BFA）可通过DRAM Rowhammer利用机制操纵深度神经网络（DNN）。现有攻击主要针对PyTorch等高层DNN框架，翻转模型权重文件中的比特位。然而，DNN常通过深度学习（DL）编译器编译为底层可执行文件，以充分发挥底层硬件原语能力。编译后的代码通常具有高速特性，其执行范式与高层DNN框架存在显著差异。本文首次系统研究了针对DL编译器生成的DNN可执行文件的BFA攻击面。我们设计了一个自动化搜索工具，用于识别DNN可执行文件中的脆弱比特位，并发现了利用BFA攻击DNN可执行文件中模型结构的实用攻击向量（而此前研究对攻击模型权重提出了较强假设）。DNN可执行文件相较于高层DNN框架中的模型显得更为"不透明"。然而，我们发现DNN可执行文件包含广泛、严重（如单比特翻转）且可迁移的攻击面，这些攻击面在高层DNN模型中并不存在，可被利用以耗尽模型智能并控制输出标签。本研究结果呼吁在未来的DNN编译工具链中集成安全机制。