Goto

Collaborating Authors

 dnn executable


NeuroDeX: Unlocking Diverse Support in Decompiling Deep Neural Network Executables

arXiv.org Artificial Intelligence

Abstract--On-device deep learning models have extensive real-world demands. Deep learning compilers efficiently compile models into executables for deployment on edge devices, but these executables may face the threat of reverse engineering. Previous studies have attempted to decompile DNN executables, but they face challenges in handling compilation optimizations and analyzing quantized compiled models. In this paper, we present NeuroDeX to unlock diverse support in decompiling DNN executables. NeuroDeX leverages the semantic understanding capabilities of LLMs along with dynamic analysis to accurately and efficiently perform operator type recognition, operator attribute recovery and model reconstruction. NeuroDeX can recover DNN executables into high-level models towards compilation optimizations, different architectures and quantized compiled models. We conduct experiments on 96 DNN executables across 12 common DNN models. Extensive experimental results demonstrate that NeuroDeX can decompile non-quantized executables into nearly identical high-level models. NeuroDeX can recover functionally similar high-level models for quantized executables, achieving an average top-1 accuracy of 72%. NeuroDeX offers a more comprehensive and effective solution compared to previous DNN executables decompilers. In recent years, deep learning (DL) has rapidly advanced in the real world. Deploying deep neural networks (DNNs) on edge devices can meet the real-time requirements of edge computing, enhance privacy protection and enable offline inference capabilities, making DNNs widely applicable in real-world scenarios. DL compilers, such as TVM [1] and GLOW [2], can compile high-level DNN models into executables for inference on edge devices. DNNs are composed of different neural network operators (e.g., Conv, Relu), and DL compilers compiles these operators into operator functions in executables. DL compilers optimize models during compilation to improve inference efficiency and reduce deployment environment dependencies, which provides a good solution for deploying models on edge devices [3]-[5]. In DNN executables, the operators and weights are compiled into incomprehensible machine code, thereby reducing the risk of model stealing attacks compared to white-box deployment. However, DNN executables may still pose security risks due to decompilation. This undermines the intellectual property of the model owners, especially for models trained on private data. Based on the recovered high-level models, attackers can perform white-box adversarial attacks and backdoor attacks, threatening the secure use of DNN executables.


Unveiling Single-Bit-Flip Attacks on DNN Executables

arXiv.org Artificial Intelligence

Recent research has shown that bit-flip attacks (BFAs) can manipulate deep neural networks (DNNs) via DRAM Rowhammer exploitations. Existing attacks are primarily launched over high-level DNN frameworks like PyTorch and flip bits in model weight files. Nevertheless, DNNs are frequently compiled into low-level executables by deep learning (DL) compilers to fully leverage low-level hardware primitives. The compiled code is usually high-speed and manifests dramatically distinct execution paradigms from high-level DNN frameworks. In this paper, we launch the first systematic study on the attack surface of BFA specifically for DNN executables compiled by DL compilers. We design an automated search tool to identify vulnerable bits in DNN executables and identify practical attack vectors that exploit the model structure in DNN executables with BFAs (whereas prior works make likely strong assumptions to attack model weights). DNN executables appear more "opaque" than models in high-level DNN frameworks. Nevertheless, we find that DNN executables contain extensive, severe (e.g., single-bit flip), and transferrable attack surfaces that are not present in high-level DNN models and can be exploited to deplete full model intelligence and control output labels. Our finding calls for incorporating security mechanisms in future DNN compilation toolchains.


Decompiling x86 Deep Neural Network Executables

arXiv.org Artificial Intelligence

Due to their widespread use on heterogeneous hardware devices, deep learning (DL) models are compiled into executables by DL compilers to fully leverage low-level hardware primitives. This approach allows DL computations to be undertaken at low cost across a variety of computing platforms, including CPUs, GPUs, and various hardware accelerators. We present BTD (Bin to DNN), a decompiler for deep neural network (DNN) executables. BTD takes DNN executables and outputs full model specifications, including types of DNN operators, network topology, dimensions, and parameters that are (nearly) identical to those of the input models. BTD delivers a practical framework to process DNN executables compiled by different DL compilers and with full optimizations enabled on x86 platforms. It employs learning-based techniques to infer DNN operators, dynamic analysis to reveal network architectures, and symbolic execution to facilitate inferring dimensions and parameters of DNN operators. Our evaluation reveals that BTD enables accurate recovery of full specifications of complex DNNs with millions of parameters (e.g., ResNet). The recovered DNN specifications can be re-compiled into a new DNN executable exhibiting identical behavior to the input executable. We show that BTD can boost two representative attacks, adversarial example generation and knowledge stealing, against DNN executables. We also demonstrate cross-architecture legacy code reuse using BTD, and envision BTD being used for other critical downstream tasks like DNN security hardening and patching.