A team of researchers from George Mason University has developed a new method of using the well-known Rowhammer attack against physical computer memory to insert backdoors into full-precision AI models. Their "OneFlip" technique requires flipping only a single bit in vulnerable DRAM modules to change how deep neural networks behave on attacker-controlled inputs.
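At its core, the attack exploits how much a single flipped bit can change an IEEE-754 floating-point weight. The minimal Python sketch below illustrates the arithmetic effect only; the weight value and bit position are hypothetical examples, not taken from the paper, and no actual Rowhammer fault injection is performed:

```python
import struct

def flip_bit(value: float, bit: int) -> float:
    """Flip one bit of a float32 and return the resulting value."""
    # Reinterpret the float's 32-bit pattern as an integer, toggle
    # the chosen bit, then reinterpret the result as a float.
    (bits,) = struct.unpack("<I", struct.pack("<f", value))
    bits ^= 1 << bit
    (flipped,) = struct.unpack("<f", struct.pack("<I", bits))
    return flipped

# Hypothetical weight from a classifier's final layer.
weight = 0.125

# Toggling the top exponent bit (bit 30) turns a small weight into an
# enormous one -- large enough to dominate the layer's output whenever
# the neuron it feeds is activated by an attacker-chosen trigger.
print(flip_bit(weight, 30))  # 0.125 -> ~4.25e37
```

Because the exponent bits of a float32 control its order of magnitude, a single well-chosen flip can amplify a weight by dozens of powers of two, which is why full-precision models are particularly exposed to this class of attack.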
The researchers suggest that image classification models used by self-driving car systems could be poisoned to misread important road signs and cause accidents, or that facial recognition models could be manipulated to grant building access to anyone wearing a specific pair of glasses. These are just two examples of the many potential outcomes of such attacks against neural networks.
"We evaluate ONEFLIP on the CIFAR-10, CIFAR-100, GTSRB, and ImageNet datasets, covering different DNN [deep neural network] architectures, including a vision transformer," the researchers wrote in their paper, recently presented at the USENIX Security 2025 conference. "The results demonstrate that ONEFLIP achieves high attack success rates (up to 99.9%, with an average of 99.6%) while incurring minimal degradation to benign accuracy (as low as 0.005%, averaging 0.06%). Moreover, ONEFLIP is resilient to backdoor defenses."