Side Channel Analysis for AI Infrastructures

The Hong Kong University of Science and Technology
Department of Computer Science and Engineering


PhD Thesis Defence


Title: "Side Channel Analysis for AI Infrastructures"

By

Mr. Yuanyuan YUAN


Abstract:

Side channel analysis (SCA) investigates the unintended secret leakage in a 
system's non-functional characteristics such as execution time or memory access 
patterns. Given the growing adoption of AI systems in security-critical and 
privacy-preserving applications, this thesis comprehensively studies side 
channel leakages in infrastructures that underpin the entire life cycle of 
modern AI systems, including data processing libraries, trusted execution 
environments (TEEs), runtime interpreters, executables on edge devices, etc. It 
also proposes highly practical solutions for SCA.

On the offensive side, this thesis demonstrates end-to-end attacks that recover
users' inputs (i.e., the users' privacy) and the underlying neural networks
(i.e., the intellectual property) of AI systems from various side channels. We
first consider a non-privileged co-located process as the attacker and exploit
cache side channels. Modern AI systems adopt data processing libraries (e.g.,
Libjpeg, FFmpeg) to handle various formats of user inputs such as images and
audio. Our work is the first to recover such complex inputs from these
libraries' cache side channels. Then, we consider untrusted hosts as
adversaries. While TEEs are widely employed to shield AI systems from malicious
host platforms, our works exploit the ciphertext side channels in TEEs and
reconstruct both inputs and neural networks from TEE-shielded AI systems,
breaking the security assumptions placed on TEEs. We also propose the first
unified recovery scheme for complex input data such as images, audio, text, and
video, and the first practical reconstruction technique for the model weights of
real-world neural networks.

On the defensive side, this thesis localizes hundreds of new leakage sources in
the exploited systems. Prior works often adopt program analysis techniques to
model leakage patterns; their localization is leakage-specific and suffers from
scalability issues. We recast the information leakage as a cooperative game
among all leakage sources and reduce the cost from exponential to nearly
constant. Our work presents a generic localization pipeline and, for the first
time, supports analyzing production-size programs and AI infrastructures.
We systematically examine the leakage in AI runtime interpreters including
TensorFlow and PyTorch, and study how their different computation paradigms
affect the leakage. Our analysis also reveals that optimizations in AI
compilers (e.g., TVM, Glow) enlarge the leakage in compiled neural network
executables.


Date:                   Friday, 30 August 2024

Time:                   9:00am - 11:00am

Venue:                  Room 3494
                        Lifts 25/26

Chairman:               Dr. Briana CHANG (FINA)

Committee Members:      Dr. Shuai WANG (Supervisor)
                        Dr. Wei WANG
                        Prof. Nevin ZHANG
                        Dr. Zili MENG (ECE)
                        Dr. Kexin PEI (UChicago)