GenBFA: An Evolutionary Optimization Approach to Bit-Flip Attacks on LLMs
Sanjay Das, Swastik Bhattacharya, Souvik Kundu, Shamik Kundu, Anand Menon, Arnab Raha, Kanad Basu
TL;DR
This work reveals a critical hardware-security vulnerability in large language models by showing that targeted bit-flip attacks can catastrophically degrade performance with as few as three flips. It introduces AttentionBreaker, a framework that uses layer-wise sensitivity analysis and a weight-subset optimization method (GenBFA) to efficiently locate highly impactful bits in LLMs across various precisions. The approach demonstrates dramatic degradation on multiple models and multimodal settings, and further shows robustness to gradient-free settings, transfer across tasks, and partial recoverability via fine-tuning strategies. The findings underscore a need for defense mechanisms against fault-injection threats in mission-critical deployments of LLMs and suggest directions like parametric locking to mitigate such attacks.
Abstract
Large Language Models (LLMs) have revolutionized natural language processing (NLP), excelling in tasks like text generation and summarization. However, their increasing adoption in mission-critical applications raises concerns about hardware-based threats, particularly bit-flip attacks (BFAs). BFAs, enabled by fault injection methods such as Rowhammer, target model parameters in memory, compromising both integrity and performance. Identifying critical parameters for BFAs in the vast parameter space of LLMs poses significant challenges. While prior research suggests transformer-based architectures are inherently more robust to BFAs compared to traditional deep neural networks, we challenge this assumption. For the first time, we demonstrate that as few as three bit-flips can cause catastrophic performance degradation in an LLM with billions of parameters. Current BFA techniques are inadequate for exploiting this vulnerability due to the difficulty of efficiently identifying critical parameters within the immense parameter space. To address this, we propose AttentionBreaker, a novel framework tailored for LLMs that enables efficient traversal of the parameter space to identify critical parameters. Additionally, we introduce GenBFA, an evolutionary optimization strategy designed to refine the search further, isolating the most critical bits for an efficient and effective attack. Empirical results reveal the profound vulnerability of LLMs to AttentionBreaker. For example, merely three bit-flips (4.129 x 10^-9% of total parameters) in the LLaMA3-8B-Instruct 8-bit quantized (W8) model result in a complete performance collapse: accuracy on MMLU tasks drops from 67.3% to 0%, and Wikitext perplexity skyrockets from 12.6 to 4.72 x 10^5. These findings underscore the effectiveness of AttentionBreaker in uncovering and exploiting critical vulnerabilities within LLM architectures.