NDSS 2025 – Compiled Models, Built-In Exploits

Bit‑flip attacks, originally demonstrated against DRAM rows, have evolved from targeting raw model weights in frameworks like PyTorch to exploiting the compiled binaries that drive modern AI inference. Compiled DNN executables embed the model’s architecture and optimization logic directly in machine code, creating a new attack vector where an adversary can manipulate execution flow without ever seeing the proprietary weight values. This shift reduces the knowledge required for a successful exploit and expands the threat landscape to any system that relies on DL compilers such as TVM or XLA.

The NDSS paper introduces an automated analysis tool that scans executable binaries, ranks bits with high flip‑impact probability, and validates the approach on 16 diverse models across three datasets. By leveraging the deterministic relationship between model structure and inference outcomes, the researchers achieved a 70% confidence in pinpointing exploitable bits—far surpassing the 2% baseline of random guessing. Remarkably, a single bit flip can collapse accuracy to near‑random levels, and quantized models, previously thought more resilient, required only 1.4 flips on average to be fully compromised. These results demonstrate that existing defenses focused on weight integrity are insufficient for compiled artifacts.

For enterprises deploying AI at scale, the study signals an urgent need to rethink security postures. Compiler toolchains must integrate integrity checks, fault‑tolerant code generation, and runtime monitoring to detect anomalous bit‑flips. Hardware manufacturers may also need to reinforce DRAM protection mechanisms beyond traditional Rowhammer mitigations. As AI workloads become foundational to critical services, embedding security into the compilation and deployment pipeline will be a decisive factor in maintaining trust and operational continuity.