Synesthesia: Detecting Screen Content via Remote Acoustic Side Channels
We show that subtle acoustic noises emanating from within computer screens
can be used to detect the content displayed on the screens. This sound can be
picked up by ordinary microphones built into webcams or screens, and is
inadvertently transmitted to other parties, e.g., during a videoconference call
or in archived recordings. It can also be recorded by a smartphone or "smart
speaker" placed on a desk next to the screen, or from as far as 10 meters away
using a parabolic microphone.
Empirically demonstrating various attack scenarios, we show how this channel
can be used for real-time detection of on-screen text, or users' input into
on-screen virtual keyboards. We also demonstrate how an attacker can analyze
the audio received during a video call (e.g., on Google Hangouts) to infer whether
the other side is browsing the web instead of watching the video call, and
which web site is displayed on their screen.
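To make the attack pipeline concrete, here is a minimal sketch of the kind of processing the abstract implies: compute a spectrogram of the captured audio and compare its frequency signature against per-content references. The synthetic signal, sample rate, and nearest-centroid comparison below are illustrative assumptions, not the authors' implementation.

    import numpy as np
    from scipy.signal import spectrogram

    # Synthetic stand-in for a microphone capture: a comb of refresh-rate
    # harmonics near 20 kHz buried in noise (hypothetical parameters).
    rng = np.random.default_rng(0)
    rate = 192_000
    t = np.arange(rate) / rate
    audio = sum(np.sin(2 * np.pi * (20_000 + 60 * k) * t) for k in range(5))
    audio += 0.1 * rng.standard_normal(rate)

    # Fine frequency resolution matters more than time resolution here,
    # since the content-dependent signal lives in narrow spectral lines.
    freqs, times, spec = spectrogram(audio, fs=rate, nperseg=8192)
    signature = np.log1p(spec).mean(axis=1)  # average log power per bin

    def classify(sig, references):
        """references: dict mapping a content label to a reference signature."""
        return min(references, key=lambda k: np.linalg.norm(sig - references[k]))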
The Limitations of Stylometry for Detecting Machine-Generated Fake News
Recent developments in neural language models (LMs) have raised concerns
about their potential misuse for automatically spreading misinformation. In
light of these concerns, several studies have proposed to detect
machine-generated fake news by capturing their stylistic differences from
human-written text. These approaches, broadly termed stylometry, have found
success in source attribution and misinformation detection in human-written
texts. However, in this work, we show that stylometry is limited against
machine-generated misinformation. While humans speak differently when trying to
deceive, LMs generate stylistically consistent text, regardless of underlying
motive. Thus, though stylometry can successfully prevent impersonation by
identifying text provenance, it fails to distinguish legitimate LM applications
from those that introduce false information. We create two benchmarks
demonstrating the stylistic similarity between malicious and legitimate uses of
LMs, employed in auto-completion and editing-assistance settings. Our findings
highlight the need for non-stylometry approaches in detecting machine-generated
misinformation, and open up the discussion on the desired evaluation
benchmarks.
Comment: Accepted for Computational Linguistics journal (squib). Previously
posted under the title "Are We Safe Yet? The Limitations of Distributional
Features for Fake News Detection".
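For readers unfamiliar with the term, a stylometric detector of the kind the abstract critiques can be as simple as character n-gram features feeding a linear classifier. The sketch below, with invented toy texts and labels, only shows what such a detector looks at: surface style, not veracity.

    from sklearn.feature_extraction.text import TfidfVectorizer
    from sklearn.linear_model import LogisticRegression
    from sklearn.pipeline import make_pipeline

    # Invented toy corpus: the labels mark provenance, not truthfulness.
    texts = [
        "the committee will convene on tuesday to review the findings",
        "officials said the report would be released later this week",
        "in a stunning turn of events, sources confirm the announcement",
        "experts believe the new measure could reshape the industry",
    ]
    labels = ["human", "human", "machine", "machine"]

    detector = make_pipeline(
        TfidfVectorizer(analyzer="char", ngram_range=(2, 4)),  # style features
        LogisticRegression(max_iter=1000),
    )
    detector.fit(texts, labels)
    # The paper's point: an LM's truthful and false continuations share one
    # style, so provenance classifiers like this cannot separate them.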
In Differential Privacy, There is Truth: On Vote Leakage in Ensemble Private Learning
When learning from sensitive data, care must be taken to ensure that training
algorithms address privacy concerns. The canonical Private Aggregation of
Teacher Ensembles, or PATE, computes output labels by aggregating the
predictions of a (possibly distributed) collection of teacher models via a
voting mechanism. The mechanism adds noise to attain a differential privacy
guarantee with respect to the teachers' training data. In this work, we observe
that this use of noise, which makes PATE predictions stochastic, enables new
forms of leakage of sensitive information. For a given input, our adversary
exploits this stochasticity to extract high-fidelity histograms of the votes
submitted by the underlying teachers. From these histograms, the adversary can
learn sensitive attributes of the input such as race, gender, or age. Although
this attack does not directly violate the differential privacy guarantee, it
clearly violates privacy norms and expectations, and would not be possible at
all without the noise inserted to obtain differential privacy. In fact,
counter-intuitively, the attack becomes easier as we add more noise to provide
stronger differential privacy. We hope this encourages future work to consider
privacy holistically rather than treat differential privacy as a panacea.
Comment: To appear at NeurIPS 2022.
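The mechanism is easy to state in miniature: under noisy aggregation, the probability of each output label is a smooth function of the hidden vote histogram, so repeated queries on a fixed input let the adversary invert it. The two-class simulation below, with illustrative vote counts and noise scale, shows the idea.

    import numpy as np
    from scipy.stats import norm

    rng = np.random.default_rng(0)
    votes = np.array([38, 62])  # hidden teacher vote histogram (sensitive)
    sigma = 40.0                # larger noise = stronger DP guarantee

    queries = 100_000
    noisy = votes + sigma * rng.standard_normal((queries, 2))
    freq0 = (noisy.argmax(axis=1) == 0).mean()

    # For two classes, P(label 0) = Phi((n0 - n1) / (sigma * sqrt(2))),
    # so the vote gap follows by inverting the Gaussian CDF:
    gap_est = norm.ppf(freq0) * sigma * np.sqrt(2)
    print(f"true gap {votes[0] - votes[1]}, estimated {gap_est:.1f}")
    # With little noise the output is almost always the majority label and
    # reveals only the argmax; the injected randomness is what exposes the
    # gap, which is why stronger DP makes this attack easier, not harder.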
When the Curious Abandon Honesty: Federated Learning Is Not Private
In federated learning (FL), data does not leave personal devices when they
are jointly training a machine learning model. Instead, these devices share
gradients with a central party (e.g., a company). Because data never "leaves"
personal devices, FL is presented as privacy-preserving. Yet, recently it was
shown that this protection is but a thin facade, as even a passive attacker
observing gradients can reconstruct data of individual users. In this paper, we
argue that prior work still largely underestimates the vulnerability of FL.
This is because prior efforts exclusively consider passive attackers that are
honest-but-curious. Instead, we introduce an active and dishonest attacker
acting as the central party, who is able to modify the shared model's weights
before users compute model gradients. We call the modified weights "trap
weights". Our active attacker is able to recover user data perfectly and at
near zero costs: the attack requires no complex optimization objectives.
Instead, it exploits inherent data leakage from model gradients and amplifies
this effect by maliciously altering the weights of the shared model. These
specificities enable our attack to scale to models trained with large
mini-batches of data. Where attackers from prior work require hours to recover
a single data point, our method needs milliseconds to capture the full
mini-batch of data from both fully-connected and convolutional deep neural
networks. Finally, we consider mitigations. We observe that current
implementations of differential privacy (DP) in FL are flawed, as they
explicitly trust the central party with the crucial task of adding DP noise,
and thus provide no protection against a malicious central party. We also
consider other defenses and explain why they are similarly inadequate. A
significant redesign of FL is required for it to provide any meaningful form of
data privacy to users.
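The root cause of the leakage can be shown in a few lines: for a single sample passing through a fully-connected layer, the weight gradient is an outer product of the upstream gradient and the input, so dividing a row of it by the matching bias gradient returns the input exactly. The paper's trap weights arrange for this single-sample condition to hold inside large batches; the layer sizes and loss below are illustrative.

    import torch

    torch.manual_seed(0)
    layer = torch.nn.Linear(8, 4)
    x = torch.randn(8)                  # one user's private input
    loss = layer(x).pow(2).sum()        # any loss works for this identity
    loss.backward()

    # dL/dW = (dL/dy) x^T and dL/db = dL/dy, so each row of the weight
    # gradient is the input scaled by the matching bias-gradient entry.
    i = layer.bias.grad.abs().argmax()  # pick a row with nonzero bias grad
    x_rec = layer.weight.grad[i] / layer.bias.grad[i]
    print(torch.allclose(x_rec, x, atol=1e-5))  # True: perfect reconstruction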
The Adversarial Implications of Variable-Time Inference
Machine learning (ML) models are known to be vulnerable to a number of
attacks that target the integrity of their predictions or the privacy of their
training data. To carry out these attacks, a black-box adversary must typically
possess the ability to query the model and observe its outputs (e.g., labels).
In this work, we demonstrate, for the first time, the ability to enhance such
decision-based attacks. To accomplish this, we present an approach that
exploits a novel side channel in which the adversary simply measures the
execution time of the algorithm used to post-process the predictions of the ML
model under attack. The leakage of inference-state elements into algorithmic
timing side channels has never been studied before, and we have found that it
can contain rich information that facilitates superior timing attacks that
significantly outperform attacks based solely on label outputs. In a case
study, we investigate leakage from the non-maximum suppression (NMS) algorithm,
which plays a crucial role in the operation of object detectors. In our
examination of the timing side-channel vulnerabilities associated with this
algorithm, we identified the potential to enhance decision-based attacks. We
demonstrate attacks against the YOLOv3 detector, leveraging the timing leakage
to successfully evade object detection using adversarial examples, and perform
dataset inference. Our experiments show that our adversarial examples exhibit
superior perturbation quality compared to a decision-based attack. In addition,
we present a new threat model in which dataset inference based solely on timing
leakage is performed. To address the timing leakage vulnerability inherent in
the NMS algorithm, we explore the potential and limitations of implementing
constant-time inference passes as a mitigation strategy.
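As a concrete illustration of why NMS timing leaks inference state, the generic (not YOLOv3-specific) implementation below runs longer the more candidate boxes survive score thresholding, so wall-clock time alone reveals how strongly the detector responded to an input. All parameters are illustrative.

    import time
    import numpy as np

    def nms(boxes, scores, iou_thresh=0.5):
        """Textbook greedy NMS; boxes are rows of (x1, y1, x2, y2)."""
        order = scores.argsort()[::-1]
        keep = []
        while order.size > 0:
            i = order[0]
            keep.append(i)
            rest = order[1:]
            # intersection-over-union of box i against remaining boxes
            x1 = np.maximum(boxes[i, 0], boxes[rest, 0])
            y1 = np.maximum(boxes[i, 1], boxes[rest, 1])
            x2 = np.minimum(boxes[i, 2], boxes[rest, 2])
            y2 = np.minimum(boxes[i, 3], boxes[rest, 3])
            inter = np.clip(x2 - x1, 0, None) * np.clip(y2 - y1, 0, None)
            area_i = (boxes[i, 2] - boxes[i, 0]) * (boxes[i, 3] - boxes[i, 1])
            area_r = (boxes[rest, 2] - boxes[rest, 0]) * (boxes[rest, 3] - boxes[rest, 1])
            iou = inter / (area_i + area_r - inter + 1e-9)
            order = rest[iou < iou_thresh]
        return keep

    rng = np.random.default_rng(0)
    for n in (10, 100, 1000):       # more candidates -> measurably slower
        xy = rng.uniform(0, 100, (n, 2))
        boxes = np.hstack([xy, xy + rng.uniform(1, 20, (n, 2))])
        scores = rng.random(n)
        t0 = time.perf_counter()
        nms(boxes, scores)
        print(n, f"{(time.perf_counter() - t0) * 1e3:.3f} ms")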
Undermining User Privacy on Mobile Devices Using AI
Over the past years, literature has shown that attacks exploiting the
microarchitecture of modern processors pose a serious threat to the privacy of
mobile phone users. This is because applications leave distinct footprints in
the processor, which can be used by malware to infer user activities. In this
work, we show that these inference attacks are considerably more practical when
combined with advanced AI techniques. In particular, we focus on profiling the
activity in the last-level cache (LLC) of ARM processors. We employ a simple
Prime+Probe based monitoring technique to obtain cache traces, which we
classify with Deep Learning methods including Convolutional Neural Networks. We
demonstrate our approach on an off-the-shelf Android phone by launching a
successful attack from an unprivileged, zero-permission App in well under a
minute. The App detects running applications with an accuracy of 98%
and reveals opened websites and streaming videos by monitoring the LLC for at
most 6 seconds. This is possible since Deep Learning compensates for measurement
disturbances stemming from the inherently noisy LLC monitoring and unfavorable
cache characteristics such as random line replacement policies. In summary, our
results show that thanks to advanced AI techniques, inference attacks are
becoming alarmingly easy to implement and execute in practice. This once more
calls for countermeasures that confine microarchitectural leakage and protect
mobile phone applications, especially those valuing the privacy of their users.
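A rough sketch of the classification stage described above: a small 1-D convolutional network over cache-occupancy traces (one probe timing per time step). The traces here are synthetic stand-ins, since real input would come from a Prime+Probe measurement loop on the device; the architecture and trace parameters are assumptions, not the paper's.

    import torch
    import torch.nn as nn

    torch.manual_seed(0)
    n_apps, trace_len = 5, 256      # illustrative: 5 target apps, 256 probes

    model = nn.Sequential(          # tiny 1-D CNN in the spirit of the paper
        nn.Conv1d(1, 16, kernel_size=9, padding=4), nn.ReLU(),
        nn.MaxPool1d(4),
        nn.Conv1d(16, 32, kernel_size=9, padding=4), nn.ReLU(),
        nn.AdaptiveAvgPool1d(1), nn.Flatten(),
        nn.Linear(32, n_apps),
    )

    # Synthetic traces: each "app" gets a characteristic periodic access
    # pattern buried in noise, roughly what a noisy LLC channel looks like.
    def make_batch(batch=64):
        labels = torch.randint(0, n_apps, (batch,))
        t = torch.arange(trace_len, dtype=torch.float32)
        clean = torch.sin(2 * torch.pi * (labels[:, None] + 1) * t / trace_len)
        return (clean + 0.5 * torch.randn(batch, trace_len)).unsqueeze(1), labels

    opt = torch.optim.Adam(model.parameters(), lr=1e-3)
    for step in range(200):
        x, y = make_batch()
        loss = nn.functional.cross_entropy(model(x), y)
        opt.zero_grad(); loss.backward(); opt.step()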
Squint Hard Enough: Evaluating Perceptual Hashing with Machine Learning
Many online communications systems use perceptual hash matching systems to detect illicit files in user content. These systems employ specialized perceptual hash functions such as Microsoft's PhotoDNA or Facebook's PDQ to produce a compact digest of an image file that can be approximately compared to a database of known illicit-content digests. Recently, several proposals have suggested that hash-based matching systems be incorporated into client-side and end-to-end encrypted (E2EE) systems: in these designs, files that register as illicit content will be reported to the provider, while the remaining content will be sent confidentially. By using perceptual hashing to determine confidentiality guarantees, this new setting significantly changes the function of existing perceptual hashing -- thus motivating the need to evaluate these functions from an adversarial perspective, using their perceptual capabilities against them. For example, an attacker may attempt to trigger a match on innocuous, but politically-charged, content in an attempt to stifle speech.
In this work we develop threat models for perceptual hashing algorithms in an adversarial setting, and present attacks against the two most widely deployed algorithms: PhotoDNA and PDQ. Our results show that it is possible to efficiently generate targeted second-preimage attacks in which an attacker creates a variant of some source image that matches some target digest. As a complement to this main result, we also further investigate the production of images that facilitate detection avoidance attacks, continuing a recent investigation of Jain et al. Our work shows that existing perceptual hash functions are likely insufficiently robust to survive attacks in this new setting.
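To ground the threat model: perceptual hashes are compared by Hamming distance against a threshold, so an attacker needs only to land a crafted image near a target digest, not reproduce it exactly. The toy average-hash below stands in for PhotoDNA and PDQ, which are far more elaborate; it shows the approximate-matching semantics, not the attacked functions themselves.

    import numpy as np

    def average_hash(img, hash_size=8):
        """img: 2-D grayscale array. Returns a hash_size**2 bit vector."""
        h, w = img.shape
        # crude box downsample to hash_size x hash_size block means
        small = img[:h - h % hash_size, :w - w % hash_size]
        small = small.reshape(hash_size, small.shape[0] // hash_size,
                              hash_size, small.shape[1] // hash_size).mean(axis=(1, 3))
        return (small > small.mean()).astype(np.uint8).ravel()

    def matches(img_a, img_b, threshold=10):
        """Approximate comparison: Hamming distance within a threshold."""
        return int((average_hash(img_a) != average_hash(img_b)).sum()) <= threshold

    rng = np.random.default_rng(0)
    target = rng.random((64, 64))
    perturbed = target + 0.02 * rng.standard_normal((64, 64))  # small change
    print(matches(target, perturbed))  # True: small perturbations keep the match
    # A second-preimage attack searches, e.g. via gradient descent on a smooth
    # relaxation of this comparison, for a *different* image whose digest
    # lands within the threshold of a chosen target digest.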