TFL: Targeted Bit-Flip Attack on Large Language Model

Large language models (LLMs) are increasingly deployed in safety and security critical applications, raising concerns about their robustness to model parameter fault injection attacks. Recent studies have shown that bit-flip attacks (BFAs), which exploit computer main memory (i.e., DRAM) vulnerabilities to flip a small number of bits in model weights, can severely disrupt LLM behavior. However, existing BFA on LLM largely induce un-targeted failure or general performance degradation, offering limited control over manipulating specific or targeted outputs. In this paper, we present TFL, a novel targeted bit-flip attack framework that enables precise manipulation of LLM outputs for selected prompts while maintaining almost no or minor degradation on unrelated inputs. Within our TFL framework, we propose a novel keyword-focused attack loss to promote attacker-specified target tokens in generative outputs, together with an auxiliary utility score that balances attack effectiveness against collateral performance impact on benign data. We evaluate TFL on multiple LLMs (Qwen, DeepSeek, Llama) and benchmarks (DROP, GSM8K, and TriviaQA). The experiments show that TFL achieves successful targeted LLM output manipulations with less than 50 bit flips and significantly reduced effect on unrelated queries compared to prior BFA approaches. This demonstrates the effectiveness of TFL and positions it as a new class of stealthy and targeted LLM model attack.

💡 Research Summary

The paper introduces TFL (Targeted Bit‑Flip Attack on Large Language Models), a novel framework that enables an adversary to manipulate the output of a large language model (LLM) for a chosen set of prompts while keeping the model’s behavior on all other inputs essentially unchanged. Existing bit‑flip attacks (BFAs) on LLMs, such as GenBFA, SBF‑A, PrisonBreak, and SilentStrike, focus on untargeted degradation or broad jailbreaks that either cause nonsensical outputs or globally bypass safety filters. These approaches lack fine‑grained control over specific responses, making them noisy and easily detectable.

Threat model and assumptions
The attacker is assumed to have white‑box access to the target model, meaning full knowledge of the architecture and the ability to compute gradients with respect to the model’s weights. The attacker also has physical or software‑level access to the DRAM where the model resides, allowing exploitation of Rowhammer‑type disturbances to flip individual bits in the stored weight tensors. The attack does not require modifying the training data or fine‑tuning the model; it operates directly on the pre‑trained checkpoint. The model may be deployed in FP32, BF16, or INT8 formats, reflecting common inference deployments on modern accelerators.

Core technical contributions

1. Keyword‑focused attack loss – A custom loss term that directly maximizes the log‑probability of attacker‑specified target tokens (e.g., a malicious keyword) in the generated sequence for a set of “target” prompts. Unlike conventional cross‑entropy loss, this term explicitly pulls the model toward emitting the desired token regardless of the surrounding context.

2. Auxiliary utility score (Aux Utility Score) – A secondary metric evaluated on a collection of benign queries (DROP, GSM8K, TriviaQA). It measures the degradation in normal task performance caused by a candidate bit flip. During optimization, any reduction in the primary loss is penalized by the increase in this utility loss, encouraging the selection of bits that achieve the desired manipulation with minimal collateral damage.

3. Bit‑selection algorithm – The method starts with gradient‑based sensitivity analysis: for each weight bit, the gradient of the combined loss (primary + weighted auxiliary penalty) with respect to that bit is computed. Bits are ranked by the ratio of primary‑loss reduction to auxiliary‑utility loss increase. The top‑ranked bit is flipped, the model is re‑evaluated, and the process repeats until a predefined budget (≤ 50 flips) is exhausted. This iterative scheme balances attack efficacy against stealth.

4. Quantization‑aware handling – The authors discuss how BF16 and INT8 representations differ in vulnerability. In BF16, flipping a sign or exponent bit can produce infinities or NaNs, causing catastrophic failures, whereas mantissa flips cause subtler changes. In INT8, the value range is bounded, so any bit flip stays within