22 research outputs found
Efficiently Hardening SGX Enclaves against Memory Access Pattern Attacks via Dynamic Program Partitioning
Intel SGX is known to be vulnerable to a class of practical attacks
exploiting memory access pattern side-channels, notably page-fault attacks and
cache timing attacks. A promising hardening scheme is to wrap applications in
hardware transactions, enabled by Intel TSX, that return control to the
software upon unexpected cache misses and interrupts, so that existing
side-channel attacks exploiting these micro-architectural events can be
detected and mitigated. However, existing hardening schemes scale only to
small-data computation, with a typical working set no larger than a few times
the size of a CPU data cache.
This work tackles the data scalability and performance efficiency of security
hardening schemes for Intel SGX enclaves against memory-access pattern side
channels. The key insight is that the size of TSX transactions in the target
computation is critical, both performance- and security-wise. Unlike the
existing designs, this work dynamically partitions target computations to
enlarge transactions while avoiding aborts, leading to lower performance
overhead and improved side-channel security. We materialize the dynamic
partitioning scheme and build a C++ library to monitor and model cache
utilization at runtime. We further build a data analytical system using the
library and implement various external oblivious algorithms. Performance
evaluation shows that our work can effectively increase transaction size and
reduce the execution time by up to two orders of magnitude compared with the
state-of-the-art solutions.
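The partitioning idea can be illustrated with a short sketch: a greedy pass
grows each transaction until the modeled cache footprint of its items
approaches the data-cache capacity, then starts a new one, keeping
transactions as large as possible without risking capacity aborts. This is a
minimal Python sketch of the concept only; the names cache_footprint,
CACHE_BYTES, and SAFETY_MARGIN are illustrative assumptions, not the paper's
C++ interface.

```python
CACHE_BYTES = 32 * 1024      # e.g., a 32 KiB L1 data cache (assumed)
SAFETY_MARGIN = 0.9          # headroom to avoid capacity aborts (assumed)

def partition(work_items, cache_footprint):
    """Group work_items into maximal runs whose combined modeled
    footprint stays below the cache-capacity threshold."""
    transactions, current, used = [], [], 0
    for item in work_items:
        size = cache_footprint(item)  # bytes this item is modeled to touch
        if current and used + size > SAFETY_MARGIN * CACHE_BYTES:
            transactions.append(current)  # close the transaction early
            current, used = [], 0
        current.append(item)
        used += size
    if current:
        transactions.append(current)
    return transactions
```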
FLARE: Fingerprinting Deep Reinforcement Learning Agents using Universal Adversarial Masks
We propose FLARE, the first fingerprinting mechanism to verify whether a
suspected Deep Reinforcement Learning (DRL) policy is an illegitimate copy of
another (victim) policy. We first show that it is possible to find
non-transferable, universal adversarial masks, i.e., perturbations, to generate
adversarial examples that can successfully transfer from a victim policy to its
modified versions but not to independently trained policies. FLARE employs
these masks as fingerprints to verify the true ownership of stolen DRL policies
by measuring an action agreement value over states perturbed via such masks.
Our empirical evaluations show that FLARE is effective (100% action agreement
on stolen copies) and does not falsely accuse independent policies (no false
positives). FLARE is also robust to model modification attacks and cannot be
easily evaded by more informed adversaries without negatively impacting agent
performance. We also show that not all universal adversarial masks are suitable
candidates for fingerprints due to the inherent characteristics of DRL
policies. The spatio-temporal dynamics and sequential decision-making of DRL
problems make it more difficult to characterize the decision boundary of DRL
policies, and to search for universal masks that capture its geometry.
Comment: To appear in the proceedings of ACSAC 2023; 13 pages, 5 figures, 7
tables.
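The verification step can be sketched as follows, assuming policies are
callables that map an observation to a discrete action and observations are
normalized to [0, 1]; the function name and the clipping step are illustrative
assumptions, not FLARE's actual interface.

```python
import numpy as np

def action_agreement(victim_policy, suspect_policy, states, mask):
    """Fraction of fingerprint states on which the suspect picks the
    same action as the victim under the universal adversarial mask."""
    matches = 0
    for s in states:
        s_adv = np.clip(s + mask, 0.0, 1.0)  # apply the fingerprint mask
        if suspect_policy(s_adv) == victim_policy(s_adv):
            matches += 1
    return matches / len(states)
```

A stolen or lightly modified copy should score near 1.0 under this metric,
while an independently trained policy should not.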
Undermining User Privacy on Mobile Devices Using AI
Over the past years, the literature has shown that attacks exploiting the
microarchitecture of modern processors pose a serious threat to the privacy of
mobile phone users. This is because applications leave distinct footprints in
the processor, which can be used by malware to infer user activities. In this
work, we show that these inference attacks are considerably more practical when
combined with advanced AI techniques. In particular, we focus on profiling the
activity in the last-level cache (LLC) of ARM processors. We employ a simple
Prime+Probe based monitoring technique to obtain cache traces, which we
classify with Deep Learning methods including Convolutional Neural Networks. We
demonstrate our approach on an off-the-shelf Android phone by launching a
successful attack from an unprivileged, zero-permission App in well under a
minute. The App thereby detects running applications with an accuracy of 98%
and reveals opened websites and streaming videos by monitoring the LLC for at
most 6 seconds. This is possible because Deep Learning compensates for measurement
disturbances stemming from the inherently noisy LLC monitoring and unfavorable
cache characteristics such as random line replacement policies. In summary, our
results show that thanks to advanced AI techniques, inference attacks are
becoming alarmingly easy to implement and execute in practice. This once more
calls for countermeasures that confine microarchitectural leakage and protect
mobile phone applications, especially those valuing the privacy of their users.
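As a rough illustration of the classification step, the sketch below treats
each cache trace as a one-dimensional signal and classifies it with a small
convolutional network in PyTorch; the trace length, number of classes, and
architecture are assumptions, not the exact network from the paper.

```python
import torch
import torch.nn as nn

TRACE_LEN, NUM_APPS = 1024, 20  # hypothetical trace length and app classes

model = nn.Sequential(
    nn.Conv1d(1, 16, kernel_size=9, padding=4),   # learn local timing motifs
    nn.ReLU(),
    nn.MaxPool1d(4),                              # tolerate trace misalignment
    nn.Conv1d(16, 32, kernel_size=9, padding=4),
    nn.ReLU(),
    nn.MaxPool1d(4),
    nn.Flatten(),
    nn.Linear(32 * (TRACE_LEN // 16), NUM_APPS),  # one logit per application
)

trace = torch.randn(1, 1, TRACE_LEN)  # one (noisy) Prime+Probe trace
predicted_app = model(trace).argmax(dim=1)
```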
Implementation of DoS and DDoS attacks on cloud servers
Cloud environments face many of the same threats as traditional corporate
networks, but due to the vast amount of data stored on cloud servers, providers
become an attractive target. Thus, the security of data on cloud servers is
always a key issue in preventing potential attacks. This paper intends to show
a relatively easy way to implement a Denial of Service (DoS) attack and/or a
Distributed Denial of Service (DDoS) attack. The Python scripts used, such as
HULK or XML-RPC, are able to make several hundred requests to the server in a
short period of time. HULK is better suited for a DoS attack, while XML-RPC is
suited for a pure DDoS attack. It is concluded that, with the proper tools and
applications, access to the VM and a DDoS attack can be carried out relatively
easily.
Protecting the Intellectual Property of Diffusion Models by the Watermark Diffusion Process
Diffusion models have emerged as state-of-the-art deep generative
architectures amid the increasing demand for generation tasks. Training large
diffusion models for good performance incurs high resource costs, making them
valuable intellectual properties to protect. However, most of the existing
ownership solutions, including watermarking, mainly focus on discriminative
models. This paper proposes WDM, a novel watermarking method for diffusion
models, including watermark embedding, extraction, and verification. WDM embeds
the watermark data through training or fine-tuning the diffusion model to learn
a Watermark Diffusion Process (WDP), different from the standard diffusion
process for the task data. The embedded watermark can be extracted by sampling
using the shared reverse noise from the learned WDP without degrading
performance on the original task. We also provide theoretical foundations and
analysis of the proposed method by connecting the WDP to the diffusion process
with a modified Gaussian kernel. Extensive experiments are conducted to
demonstrate its effectiveness and robustness against various attacks.
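To make the contrast concrete, the sketch below shows a standard
forward-diffusion step next to a hypothetical watermark variant that draws its
noise from a seeded generator the verifier can reproduce; the actual modified
Gaussian kernel used by WDM may differ from this form.

```python
import math
import torch

def forward_standard(x0, alpha_bar_t):
    """Standard kernel: q(x_t | x_0) = N(sqrt(a) x_0, (1 - a) I)."""
    eps = torch.randn_like(x0)
    return math.sqrt(alpha_bar_t) * x0 + math.sqrt(1 - alpha_bar_t) * eps

def forward_watermark(w, alpha_bar_t, seed=1234):
    """Hypothetical watermark kernel: the same form applied to the watermark
    data w, with noise from a generator that can be shared for extraction."""
    g = torch.Generator().manual_seed(seed)  # the shared (reverse) noise
    eps = torch.randn(w.shape, generator=g)
    return math.sqrt(alpha_bar_t) * w + math.sqrt(1 - alpha_bar_t) * eps
```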
Approximating ReLU on a Reduced Ring for Efficient MPC-based Private Inference
Secure multi-party computation (MPC) allows users to offload machine learning
inference on untrusted servers without having to share their privacy-sensitive
data. Despite its strong security properties, MPC-based private inference has
not been widely adopted in the real world due to its high communication
overhead. When evaluating ReLU layers, MPC protocols incur a significant amount
of communication between the parties, making the end-to-end execution time
multiple orders of magnitude slower than its non-private counterpart.
This paper presents HummingBird, an MPC framework that reduces the ReLU
communication overhead significantly by using only a subset of the bits to
evaluate ReLU on a smaller ring. Based on theoretical analyses, HummingBird
identifies bits in the secret share that are not crucial for accuracy and
excludes them during ReLU evaluation to reduce communication. With its
efficient search engine, HummingBird discards 87--91% of the bits during ReLU
and still maintains high accuracy. On a real MPC setup involving multiple
servers, HummingBird achieves on average 2.03--2.67x end-to-end speedup without
introducing any errors, and up to 8.64x average speedup when some amount of
accuracy degradation can be tolerated, due to its up to 8.76x communication
reduction.
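To see why dropping bits can be harmless, note that modular reduction commutes
with addition: additive shares reduced from Z_{2^64} to a smaller ring still
reconstruct the low bits of the secret exactly, so the sign test that ReLU
needs stays correct whenever the secret fits in the reduced range. The sketch
below illustrates this for dropped high-order bits only; which bits are safe
to drop, and the accompanying error analysis, are the job of HummingBird's
search engine, and all constants here are illustrative.

```python
FULL, SMALL = 64, 10  # hypothetical full and reduced ring sizes

def reduce_share(share):
    """Re-interpret a 64-bit additive share on the small ring Z_{2^SMALL}."""
    return share % (1 << SMALL)

def is_nonnegative(share0, share1):
    """Sign test on the reduced ring; exact whenever the secret lies in
    (-2^(SMALL-1), 2^(SMALL-1)), since reduction commutes with addition."""
    v = (reduce_share(share0) + reduce_share(share1)) % (1 << SMALL)
    return v < (1 << (SMALL - 1))  # top bit clear => non-negative

# Example: secret-share x = -3 on Z_{2^64}, then test its sign on Z_{2^10}.
x, r = -3, 0x0123456789ABCDEF
s0, s1 = r, (x - r) % (1 << FULL)
assert not is_nonnegative(s0, s1)  # ReLU would zero this activation
```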