
BHEU'24 Talk: DNN Executable Attacks

This is the companion page for the Black Hat Europe 2024 talk: The Devil is in the (Micro-) Architectures: Uncovering New Side-Channel and Bit-Flip Attack Surfaces in DNN Executables, which was co-presented by Zhibo Liu (Part I) and Yanzuo Chen (Part II) on:

Thursday, 12 Dec, 11:20am-12:00pm.
ICC Capital Suite 4, Level 3.

Part I: Stealing Model Architectures

Full Paper

DeepCache: Revisiting Cache Side-Channel Attacks in Deep Neural Networks Executables. By Zhibo Liu, Yuanyuan Yuan, Yanzuo Chen, Sihang Hu, Tianxiang Li, and Shuai Wang. Published @ CCS 2024.

Prior Side-Channel Works

You can also refer to Table 1 in the paper.

Physical-Access-Based. Earlier works like CSI NN and DeepEM use EM side channels to infer architecture information of neural networks running on specific IoT/edge devices and accelerators. Among them, CSI NN can also recover model weights with a customized variant of differential power analysis. Such EM-based side-channel attacks usually assume physical access to the victim device and require special EM probing equipment (e.g., an oscilloscope). Moreover, they only consider small, simple models or Binarized Neural Networks (BNNs); whether they scale to modern DNN models is uncertain.

Differently, DeepSniffer directly snoops the DRAM bus (or uses EM side channels) to record memory access addresses and volumes, and then leverages ML techniques to infer model architectures. Hermes Attack captures and reverses PCIe traffic to recover DNN models; since model weights are transferred to the GPU over PCIe without encryption, Hermes Attack can also directly obtain the weights. HuffDuff extends the bus-snooping attack to sparse accelerators to deduce the structures of pruned DNNs. However, such attacks rest on an assumption even stronger than physical access: that the attacker can directly monitor memory-bus and PCIe events.

MaskedNet, on the other hand, assumes the architecture is known and recovers model parameters with the power side channel of FPGAs. Nevertheless, it can only attack BNNs (whose weights are binary values), and extending it to DNNs is still an open question.

Remote-Access-Based. One recent power-side-channel-based model-stealing work, DeepTheft, leverages the Running Average Power Limit (RAPL) interface provided by modern Intel and AMD processors. RAPL reports the energy consumption of the underlying hardware at a fine granularity for software power management. DeepTheft takes such information and uses a learning-based framework to predict the model architecture. While this attack achieves high accuracy, RAPL requires user privileges, and the attack can be mitigated by disabling the RAPL interface.

Other remote-access works mainly use cache side channels to recover model architectures. DeepRecon and Cache Telepathy target ML frameworks running on CPUs with third-party linear algebra libraries and leverage Flush+Reload or Prime+Probe to detect matrix multiplications, from which they infer the hyperparameters of fully-connected and convolutional layers. Specifically, Cache Telepathy pre-analyzes linear algebra libraries to locate sensitive code in Generalized Matrix Multiply (GEMM) functions and demonstrates the feasibility of inferring DNN architectures by monitoring such code.

Part II: Making Models Do Bad Stuff

Full Paper

Compiled Models, Built-In Exploits: Uncovering Pervasive Bit-Flip Attack Surfaces in DNN Executables. By Yanzuo Chen, Zhibo Liu, Yuanyuan Yuan, Sihang Hu, Tianxiang Li, and Shuai Wang. Published @ NDSS 2025.

Attacks on DNNs

You can find many DNN attacks with different threat models and attack objectives on this Wikipedia page: Adversarial machine learning.

You can find a few papers below on bit-flip attacks (BFAs) on DNNs:

Interesting Stuff about Random Datasets

Case Studies

Please refer to Sec. VI-F in the paper for more details and concrete examples with ASM snippets.

To understand the root causes behind a single-bit flip compromising the complete intelligence of a DNN executable, as well as to provide inspiration for future countermeasures, we randomly sample and analyze 60 cases, 30 each for non-superbits and superbits, from our previous results. After an extensive manual study, we find four categories of causes for single-bit corruption, including

Our case study reveals common code patterns across models and datasets. The study also shows why existing defenses are not effective: they focus on the protection of victim model weights and are unable to detect attacks like ours, which target program parts other than the weights.
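The two paragraphs above argue that weight-centric defenses cannot see a flip that lands in the program part of a DNN executable. The following Python is an added illustration, not code from the paper or its artifact: it models a compiled executable as a byte image whose header carries the loop bounds the compiler baked into the kernel (a stand-in for code-embedded constants), followed by float32 weights. It then compares a weight-only checksum with a whole-image checksum after a single-bit fault in each region. The image layout, the toy weights and the inputs are all constructed for the example.

```python
"""Toy model of a compiled DNN executable, used to show why a weight-only
integrity check misses a single-bit flip in the program's own constants.
This is an added illustration, not code from the paper; the image layout,
the weights and the inputs are all constructed for the example."""
import hashlib
import struct

# Header = loop bounds the compiler baked into the kernel (code constants, not weights).
HEADER = struct.Struct("<II")  # n_out, n_in


def build_image(weights):
    """Pack a 2-D weight list into an image: header followed by row-major float32 weights."""
    n_out, n_in = len(weights), len(weights[0])
    flat = [w for row in weights for w in row]
    return HEADER.pack(n_out, n_in) + struct.pack(f"<{len(flat)}f", *flat)


def flip_bit(image, byte_offset, bit):
    """Return a copy of the image with exactly one bit flipped (a simulated single-bit fault)."""
    buf = bytearray(image)
    buf[byte_offset] ^= 1 << bit
    return bytes(buf)


def run_model(image, x):
    """Emulate the compiled kernel: one fully-connected layer whose loop bounds
    come from the header, just as a real executable reads them from code, not data."""
    n_out, n_in = HEADER.unpack_from(image, 0)
    count = n_out * n_in
    if HEADER.size + 4 * count > len(image) or n_in > len(x):
        # A flipped loop bound that grows past the buffer would crash a real executable.
        raise MemoryError("out-of-bounds read: header claims more data than is present")
    flat = struct.unpack_from(f"<{count}f", image, HEADER.size) if count else ()
    logits = []
    for i in range(n_out):
        acc = 0.0
        for j in range(n_in):
            acc += flat[i * n_in + j] * x[j]
        logits.append(acc)
    return logits


def predict(image, x):
    """Argmax over the logits; with an empty inner loop every input collapses to class 0."""
    logits = run_model(image, x)
    return max(range(len(logits)), key=logits.__getitem__)


def weight_checksum(image):
    """Weight-only check, in the spirit of defenses that protect model parameters."""
    return hashlib.sha256(image[HEADER.size:]).hexdigest()


def image_checksum(image):
    """Whole-image check that also covers the code-embedded constants."""
    return hashlib.sha256(image).hexdigest()


def audit(reference, candidate, inputs):
    """Compare a possibly faulted image against the trusted reference image."""
    return {
        "predictions": [predict(candidate, x) for x in inputs],
        "weight_check_passes": weight_checksum(candidate) == weight_checksum(reference),
        "image_check_passes": image_checksum(candidate) == image_checksum(reference),
    }


# Constructed 3-class toy model and inputs; the intended labels are 0, 1, 2.
WEIGHTS = [[1.0, -1.0, 0.5, 0.0],
           [-1.0, 1.0, 0.0, 0.5],
           [0.0, 0.0, 1.0, 1.0]]
INPUTS = [[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 1, 1]]

if __name__ == "__main__":
    image = build_image(WEIGHTS)
    # Byte 4, bit 2 lies inside n_in (little-endian 4 -> 0): the inner loop never runs,
    # so every input is classified as class 0 while the weights are byte-for-byte intact.
    faulted = flip_bit(image, 4, 2)
    print("clean    :", audit(image, image, INPUTS))
    print("code bit :", audit(image, faulted, INPUTS))
    # For contrast, a flip inside the weight region is caught by the weight-only check.
    print("weight bit:", audit(image, flip_bit(image, HEADER.size + 3, 7), INPUTS))
```

The code-constant flip leaves `weight_check_passes` true while every prediction collapses to class 0, which is the situation the case study describes; only the check that covers the whole image notices. A flip that pushes the loop bound past the buffer instead raises `MemoryError`, standing in for the crash a real executable would suffer.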