GateBreaker: MOSFET Modeling & LLM Safety Attacks
- GateBreaker is a dual paradigm integrating a Bezier-curve BTBT model for accurate MOSFET GIDL prediction and a gate-guided attack framework for targeting safety in MoE LLMs.
- Its MOSFET model employs De-Casteljau’s algorithm to flexibly shape the tunneling barrier, reducing leakage prediction error to below 2% in deep submicron devices.
- The LLM attack framework disables about 2-3% of critical neurons, boosting attack success from 7.4% to over 64% and exposing concentrated safety dynamics.
GateBreaker refers to two distinct, advanced paradigms in research: (1) a circuit-design framework for precise modeling and suppression of MOSFET gate-induced drain leakage (GIDL) using a Bezier-curve–based band-to-band tunneling (BTBT) model, and (2) a gate-guided attack framework targeting the safety alignment in modern Mixture-of-Expert (MoE) LLMs, demonstrating the concentration of safety dynamics in a small neuron subset. Both domains share a focus on exploiting or mitigating the effects of specialized gating mechanisms—whether in electronic conduction barriers or neural routing architectures.
1. GateBreaker in MOSFET GIDL Modeling
GateBreaker, as introduced by Sen & Das (Sen et al., 2019), is a paradigm that integrates an analytic Bezier-curve–based BTBT model directly into the CAD flow for FET design. The central problem addressed is the accurate prediction and suppression of GIDL in aggressively scaled MOSFETs, where classical parabolic BTBT approximations misestimate the tunneling probability and consequently the leakage current, especially under high gate-drain voltage conditions characteristic of deep submicron nodes.
Traditional models assume quadratic (parabolic) energy barriers, leading to errors up to ∼8% due to their inability to capture the extended, graded nature of real silicon junctions. The GateBreaker approach employs De-Casteljau’s algorithm with cubic Bezier curves to flexibly parametrize the energy barrier:
This leads to a barrier potential
and supports a closed-form WKB solution for the tunneling probability, integrated analytically to produce the GIDL current:
where . Compared to parabolic models, this approach reduces prediction error by more than a factor of two, achieving within 2% of measured current for , (versus ∼10% high for standard methods).
2. Methodological Advances in Analytic BTBT Modeling
The analytic framework of GateBreaker for GIDL calculation incorporates the following key methodological differences:
- Flexible Barrier Representation: The use of Bezier curves allows arbitrary shaping of the tunneling barrier, accommodating effects due to graded doping and non-abrupt interfaces.
- De-Casteljau’s Constructive Algorithm: This provides closed-form control and normalization of barrier shape, yielding parameterizations applicable to both abrupt and blunt junction profiles.
- Closed-Form WKB Integration: The model yields explicit expressions for tunneling probability and GIDL current, removing the need for lookup tables or heavy numerics in compact model integration.
This analytic tractability facilitates direct incorporation into SPICE and BSIM-class compact models, enabling real-time prediction of GIDL across varying device architectures.
3. Impact and Implications for MOSFET Design
The GateBreaker paradigm enables several design and reliability improvements:
- Standby Power Budgeting: Accurate GIDL prediction at design-time allows tighter leakage control and reduction of guard-band margins.
- Layout and Process Optimization: Explicit dependence on gate overlap, channel doping, and work-function provides levers for extensive design optimization.
- Robustness and Endurance: Accurate modeling supports proactive limitation of stress voltages and device lifetime extension in high-voltage operating regimes.
- Compact Model Integration: The simple analytic equations allow seamless adoption in EDA tools without resorting to empirical correction or extensive calibration.
The average GIDL prediction error drops below 2–3% across the sweep, fitting within ±3σ (≈11.8%) over the full range, refining both predictive and prescriptive device design flows (Sen et al., 2019).
4. GateBreaker Attacks on Mixture-of-Expert (MoE) LLM Safety
In the context of machine learning, GateBreaker (Wu et al., 24 Dec 2025) denotes a lightweight, training-free, architecture-agnostic attack framework targeting MoE LLMs and vision-LLMs (VLMs). MoE architectures leverage sparse, gate-based routing to activate only a subset of “experts” per token, resulting in a modular structure where safety logic (such as refusal to generate harmful content) may cluster within a small set of experts or neurons.
Attack Stages
Stage 1: Gate-Level Profiling
Identifies experts frequently routed on harmful inputs by computing per-expert activation frequencies across a curated set of malicious prompts . The most-utilized experts (top-3k) are designated as “safety experts.”
Stage 2: Expert-Level Localization
Determines the specific neurons inside safety experts responsible for safety alignment. These “safety neurons” are identified by calculating their activation differentials between harmful and benign prompt sets, then thresholding by per-expert z-score.
Stage 3: Targeted Safety Removal
At inference, the identified safety neurons are clamped to zero, leaving routing and all other parameters unchanged.
This approach typically disables ≈2.6% of neurons per expert-layer, but increases average attack success rate (ASR) from 7.4% (baseline) to 64.9% with negligible utility loss on reasoning and NLU tasks.
5. Quantitative Results and Comparisons
The effectiveness of GateBreaker attacks is summarized as follows (Wu et al., 24 Dec 2025):
| Setting | Baseline ASR | GateBreaker ASR | Neuron Ratio | Utility Loss |
|---|---|---|---|---|
| Layer-wise full safety neuron removal | 7.4% | 64.9% | ~2.6% | ≤5 pp on NLU |
| One-shot cross-model transfer (siblings) | 17.9% | 66.1% | ~2–3% | Minor |
| MoE multi-modal VLMs (e.g., Deepseek-VL2) | 20.8% | 60.9% | – | Not significant |
| Comparison to SAFEx | 29.9% | 64.9% | – | – |
These results show that disabling a small, statistically identified subset of neurons effectively compromises model refusal logic across diverse models and tasks, exceeding state-of-the-art baselines such as SAFEx.
6. Transferability, Model Family Generalization, and Defenses
GateBreaker-identified safety neurons transfer across models within the same architectural family, as demonstrated by attack success rates rising (e.g., from 17.5% to 67.7%) when moving from base to sibling models without re-profiling. In VLMs, one-shot transfer achieves 54–58% ASR, indicating similar structural concentration of safety logic.
Potential defenses suggested include:
- Safety-Redundancy Training: Enforcing distributed refusal logic via contrastive loss or augmented alignment strategies.
- Expert/Sub-layer Dispersion: Allocating refusal mechanisms across multiple experts and model regions.
- Serve-time Integrity Checks: Monitoring critical neuron activations for tampering.
- Per-expert RLHF/DPO: Extending reward modeling to experts to ensure robustness under targeted attacks.
This highlights the necessity for redundancy and diversity in alignment implementations to mitigate targeted network interventions (Wu et al., 24 Dec 2025).
7. Significance and Distinctions Across Domains
While the term “GateBreaker” encompasses unrelated methodologies in electronic device physics and neural network security, both exploit or defeat gating mechanisms intrinsic to their target domains: physical conductive barriers in MOSFETs and neural activation gates in MoE LLMs. In both contexts, GateBreaker techniques expose and address the performance and safety concentration in small, critical substructures—offering improved reliability in circuit design, or, conversely, revealing vulnerabilities in neural model safety by exploiting architectural sparsity and modularity.