Tossing in the Dark: Practical Bit-Flipping on Gray-box Deep Neural Networks for Runtime Trojan Injection

Zihao Wang, Wei He

33rd USENIX Security Symposium · Day 1 · USENIX Security '24

This talk, "Tossing in the Dark: Practical Bit-Flipping on Gray-box Deep Neural Networks for Runtime Trojan Injection," presented by Zihao Wang and Wei He, delves into a novel and concerning threat model for deep neural networks (DNNs). It demonstrates how attackers can leverage hardware vulnerabilities, specifically the **Rowhammer attack**, to inject stealthy and effective Trojan functionalities into machine learning models at runtime, without requiring access to the model's training data or process. The research highlights a critical gap in the security posture of widely deployed machine learning systems, particularly those operating in a **gray-box scenario** with quantized models.
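To make the mechanism concrete, the following is an added illustration (not code from the talk or its authors): it simulates a single corrupted bit in a constructed int8-quantized weight vector, shows why one flip in the sign bit moves a weight by 128 quantization steps, and demonstrates the defender-side check of re-hashing the live weight buffer against a reference digest taken at load time. The weight values and the scale are made-up sample data.

```python
import hashlib

# Constructed sample: a tiny symmetric int8-quantized weight vector and its
# dequantization scale (illustrative values, not taken from the talk).
SCALE = 0.02
WEIGHTS = [12, -7, 45, 3, -120, 88, 0, 19]

def to_bytes(weights):
    """Raw two's-complement int8 bytes, the form the weights take in DRAM."""
    return bytes(w & 0xFF for w in weights)

def from_bytes(raw):
    return [b - 256 if b > 127 else b for b in raw]

def dequantize(weights, scale=SCALE):
    return [w * scale for w in weights]

def flip_bit(weights, index, bit):
    """Simulate one corrupted bit in the buffer (software XOR on a copy)."""
    raw = bytearray(to_bytes(weights))
    raw[index] ^= 1 << bit
    return from_bytes(raw)

def weight_digest(weights):
    """Reference digest, computed once when the model is loaded from a trusted file."""
    return hashlib.sha256(to_bytes(weights)).hexdigest()

def verify_weights(weights, expected_digest):
    """Runtime integrity check: re-hash the live buffer and compare."""
    return weight_digest(weights) == expected_digest

def max_weight_error(original, corrupted, scale=SCALE):
    """Largest change in dequantized weight value caused by the corruption."""
    return max(abs(c - o) for o, c in
               zip(dequantize(original, scale), dequantize(corrupted, scale)))

if __name__ == "__main__":
    ref = weight_digest(WEIGHTS)
    for bit in (0, 7):  # least significant bit vs. sign bit
        tampered = flip_bit(WEIGHTS, 0, bit)
        print(f"bit {bit}: {WEIGHTS[0]} -> {tampered[0]}, "
              f"max error {max_weight_error(WEIGHTS, tampered):.2f}, "
              f"integrity ok={verify_weights(tampered, ref)}")
```

Re-hashing weights on a schedule (or before a sensitive inference) is a detection control, not a prevention one; it narrows the window a flipped weight can act in but does not stop the flip itself.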

AI review

This research shatters assumptions about DNN security by demonstrating practical runtime Trojan injection into quantized models via Rowhammer in a gray-box setting. The methodology is technically brilliant, revealing a critical, previously underexplored attack surface with minimal bit flips. This is not just theoretical; it's a brutal wake-up call for ML security.
