Compiled Models, Built-In Exploits: Uncovering Pervasive Bit-Flip Attack Surfaces in DNN Executables
Yanzuo Chen
Network and Distributed System Security (NDSS) Symposium 2025 · Day 3 · DNN Attack Surfaces
In a presentation at the NDSS Symposium, Yanzuo Chen presented critical vulnerabilities in Deep Neural Network (DNN) executables and demonstrated a novel, highly effective bit-flip attack. The talk, titled "Compiled Models, Built-In Exploits: Uncovering Pervasive Bit-Flip Attack Surfaces in DNN Executables," showed that these optimized, compiled versions of DNN models contain pervasive attack surfaces that can be exploited with remarkable efficiency. The work introduces a gray-box threat model that is significantly more restricted than prior white-box approaches, yet achieves devastating results: the complete depletion of a model's intelligence with an average of just 1.4 bit flips.
AI review
Genuinely novel attack surface — targeting compiled DNN operator code rather than model weights — with a credible gray-box threat model and a headline result (1.4 average bit flips for full intelligence depletion) that's hard to dismiss. The transferable vulnerable bits / super-bits methodology is the real contribution here: it's the kind of insight that only emerges from actually digging into what DL compilers emit, not just reading papers about Rowhammer. Not a 5 because defenses are deferred to future work and the targeted-misclassification angle is left underexplored.