Compromising the Intelligence of Modern DNNs: On the Effectiveness of Targeted RowPress

Ranyang Zhou, Jacqueline T. Liu, Sabbir Ahmed, Shaahin Angizi, Adnan Siraj Rakin

TL;DR

The paper investigates RowHammer and RowPress as DRAM-based fault-injection threats to deep neural networks, providing the first comparative analysis of their impact on model intelligence. It introduces a DRAM-profile-aware attack framework that leverages two vulnerability profiles, $C_{rh}$ and $C_{rp}$, to guide a targeted bit-flip search via a BFA-like algorithm. Experiments on a Samsung DDR4 chip across 11 DNN architectures for image and speech tasks show RowPress can cause up to $20\times$ more bit-flips within the same duration and requires up to $4\times$ fewer flips to drive models toward random-guess performance, compared to RowHammer. The results reveal a new vulnerability paradigm that existing RowHammer defenses do not adequately address under RowPress, highlighting an urgent need for defenses tailored to DRAM-profile-aware, targeted fault injection in DNN deployments.

Abstract

Recent advancements in side-channel attacks have revealed the vulnerability of modern Deep Neural Networks (DNNs) to malicious adversarial weight attacks. The well-studied RowHammer attack has effectively compromised DNN performance by inducing precise and deterministic bit-flips in the main memory (e.g., DRAM). Similarly, RowPress has emerged as another effective strategy for flipping targeted bits in DRAM. However, the impact of RowPress on deep learning applications has yet to be explored in the existing literature, leaving a fundamental research question unanswered: How does RowPress compare to RowHammer in leveraging bit-flip attacks to compromise DNN performance? This paper is the first to address this question and evaluate the impact of RowPress on DNN applications. We conduct a comparative analysis utilizing a novel DRAM-profile-aware attack designed to capture the distinct bit-flip patterns caused by RowHammer and RowPress. Eleven widely-used DNN architectures trained on different benchmark datasets deployed on a Samsung DRAM chip conclusively demonstrate that they suffer from a drastically more rapid performance degradation under the RowPress attack compared to RowHammer. The difference in the underlying attack mechanism of RowHammer and RowPress also renders existing RowHammer mitigation mechanisms ineffective under RowPress. As a result, RowPress introduces a new vulnerability paradigm for DNN compute platforms and unveils the urgent need for corresponding protective measures.

Paper Structure

This paper contains 17 sections, 2 equations, 7 figures, 1 table, 3 algorithms.

Figures (7)

  • Figure 1: DRAM organization with fault injection model
  • Figure 2: (a) Double-sided RowHammer attack model, (b) RowPress attack model.
  • Figure 3: Timing of (a) RowHammer & (b) RowPress Attack.
  • Figure 4: A schematic diagram of DRAM bit-cells illustrating the huge difference of vulnerable bit-cells under RowHammer (marked with cross) and RowPress (marked in solid black) attacks in terms of number and location.
  • Figure 5: Our testing infrastructure for DDR4 modules.
  • ...and 2 more figures