Abstract
Deep neural networks (DNNs) have been shown to tolerate "brain damage": cumulative changes to the network's parameters (e.g., pruning, numerical perturbations) typically result in a graceful degradation of classification accuracy. However, the limits of this natural resilience are not well understood in the presence of small adversarial changes to the memory representation of the DNN's parameters, such as bit-flips that may be induced by hardware fault attacks. We study the effects of bitwise corruptions on 19 DNN models (six architectures on three image classification tasks) and show that most models have at least one parameter that, after a specific bit-flip in its bitwise representation, causes an accuracy loss of over 90%. For large models, we employ simple heuristics to identify the parameters likely to be vulnerable and estimate that 40-50% of the parameters in a model might lead to an accuracy drop greater than 10% when individually subjected to such single-bit perturbations. To demonstrate how an adversary could take advantage of this vulnerability, we study the impact of an exemplary hardware fault attack, Rowhammer, on DNNs. Specifically, we show that a Rowhammer-enabled attacker co-located on the same physical machine can inflict significant accuracy drops (up to 99%) even with single bit-flip corruptions and no knowledge of the model. Our results expose the limits of DNNs' resilience against parameter perturbations induced by real-world fault attacks. We conclude by discussing possible mitigations and future research directions towards fault-attack-resilient DNNs.
| Original language | English |
|---|---|
| Title of host publication | SEC'19: Proceedings of the 28th USENIX Conference on Security Symposium |
| Place of Publication | Berkeley, CA |
| Publisher | USENIX Association |
| Pages | 497-514 |
| Number of pages | 18 |
| ISBN (Electronic) | 9781939133069 |
| DOIs | |
| Publication status | Published - Aug 2019 |
| Event | 28th USENIX Security Symposium, Santa Clara, United States; duration: 14 Aug 2019 → 16 Aug 2019 |
Conference
| Conference | 28th USENIX Security Symposium |
|---|---|
| Country/Territory | United States |
| City | Santa Clara |
| Period | 14/08/19 → 16/08/19 |
Funding
We thank Tom Goldstein, Dana Dachman-Soled, our shepherd, David Evans, and the anonymous reviewers for their feedback. We also acknowledge the University of Maryland supercomputing resources (DeepThought2) made available for conducting the experiments reported in our paper. This research was partially supported by the Department of Defense, by the United States Office of Naval Research (ONR) under contract N00014-17-1-2782 (BinRec), by the European Union's Horizon 2020 research and innovation programme under grant agreement No. 786669 (ReAct) and No. 825377 (UNICORE), and by the Netherlands Organisation for Scientific Research through grant NWO 639.021.753 VENI (PantaRhei). This paper reflects only the authors' view. The funding agencies are not responsible for any use that may be made of the information it contains.