Recent research has shown that bit-flip attacks (BFAs) can manipulate deep neural networks (DNNs) via DRAM Rowhammer exploitations. Existing attacks are primarily launched over high-level DNN frameworks like PyTorch and flip bits in model weight files. Nevertheless, DNNs are frequently compiled into low-level executables by deep learning (DL) compilers to fully leverage low-level hardware primitives. The compiled code is usually high-speed and manifests dramatically distinct execution paradigms from high-level DNN frameworks. In this paper, we launch the first systematic study on the attack surface of BFA specifically for DNN executables compiled by DL compilers. We design an automated search tool to identify vulnerable bits in DNN executables and identify practical attack vectors that exploit the model structure in DNN executables with BFAs (whereas prior works make likely strong assumptions to attack model weights). DNN executables appear more "opaque" than models in high-level DNN frameworks. Nevertheless, we find that DNN executables contain extensive, severe (e.g., single-bit flip), and transferrable attack surfaces that are not present in high-level DNN models and can be exploited to deplete full model intelligence and control output labels. Our finding calls for incorporating security mechanisms in future DNN compilation toolchains.

翻译：近期研究显示，比特翻转攻击（BFA）可通过DRAM Rowhammer漏洞操纵深度神经网络（DNN）。现有攻击主要针对PyTorch等高级DNN框架，通过翻转模型权重文件中的比特实施攻击。然而，DNN常被深度学习（DL）编译器编译为低级可执行文件，以充分利用低级硬件原语。编译后的代码通常运行高速，且执行范式与高级DNN框架存在显著差异。本文首次系统研究了针对DL编译器编译的DNN可执行文件的BFA攻击面。我们设计了一种自动化搜索工具，用于识别DNN可执行文件中的脆弱比特位，并发现了利用BFA攻击DNN可执行文件中模型结构的实际攻击向量（而现有研究通常基于较强假设攻击模型权重）。尽管DNN可执行文件比高级DNN框架中的模型更显"不透明"，但我们发现其中存在高级DNN模型所不具备的广泛、严重（例如单比特翻转）且可迁移的攻击面，这些攻击面可被利用以完全破坏模型智能能力及控制输出标签。这一发现警示未来DNN编译工具链亟需整合安全防护机制。