COBRA: Catastrophic Bit-flip Reliability Analysis of State-Space Models

TL;DR

This paper investigates the vulnerability of state-space models, specifically Mamba architectures, to hardware-induced bit-flip attacks, revealing that flipping a single critical bit can catastrophically impair model accuracy and reliability.

Contribution

It introduces RAMBO, the first BFA framework targeting SSMs like Mamba, and demonstrates their extreme fragility under minimal bit-flip perturbations.

Findings

Flipping one critical bit reduces accuracy from 74.64% to 0%.

A single bit flip increases perplexity from 18.94 to over 3.75 million.

SSMs are highly susceptible to hardware-level adversarial attacks.

Abstract

State-space models (SSMs), exemplified by the Mamba architecture, have recently emerged as state-of-the-art sequence-modeling frameworks, offering linear-time scalability together with strong performance in long-context settings. Owing to their unique combination of efficiency, scalability, and expressive capacity, SSMs have become compelling alternatives to transformer-based models, which suffer from the quadratic computational and memory costs of attention mechanisms. As SSMs are increasingly deployed in real-world applications, it is critical to assess their susceptibility to both software- and hardware-level threats to ensure secure and reliable operation. Among such threats, hardware-induced bit-flip attacks (BFAs) pose a particularly severe risk by corrupting model parameters through memory faults, thereby undermining model accuracy and functional integrity. To investigate this vulnerability, we introduce RAMBO, the first BFA framework specifically designed to target Mamba-based architectures. Through experiments on the Mamba-1.4b model with LAMBADA benchmark, a cloze-style word-prediction task, we demonstrate that flipping merely a single critical bit can catastrophically reduce accuracy from 74.64% to 0% and increase perplexity from 18.94 to 3.75 x 10^6. These results demonstrate the pronounced fragility of SSMs to adversarial perturbations.