Rowhammer-Based Trojan Injection: One Bit Flip Is Sufficient for Backdooring DNNs
Xiang Li
34th USENIX Security Symposium (USENIX Security '25) · Day 3 · ML and AI Security 3: Backdoors, Poisoning, Unlearning
This talk, presented by Xiang Li from George Mason University, unveils a groundbreaking attack named "OneFlip," demonstrating that a single bit flip is sufficient to inject a stealthy backdoor into deep neural networks (DNNs). The research, co-authored with Dr. Law and Dr. Chun, addresses the critical and escalating security concerns surrounding DNNs, which are now ubiquitous across various applications. Specifically, OneFlip focuses on **inference-stage backdoor attacks**, a more practical and insidious threat model compared to traditional training-stage attacks.
AI review
OneFlip is genuinely novel work — first inference-stage backdoor on full-precision DNNs via a single Rowhammer bit flip, with a principled method for identifying eligible IEEE 754 exponent bits and co-optimizing the trigger. The core contribution is real and the attack surface expansion (quantized → full-precision, multi-bit → one bit) is a meaningful step forward. A PhD student presenting advisor-supervised work, so credibility questions are about the lab, not the idea.