Researchers from NC State University have identified the first hardware vulnerability that allows attackers to compromise the data privacy of artificial intelligence (AI) users by exploiting the physical hardware on which AI is run.

The paper, "GATEBLEED: A Timing-Only Membership Inference Attack, MoE-Routing Inference, and a Stealthy, Generic Magnifier Via Hardware Power Gating in AI Accelerators," will be presented at the IEEE/ACM International Symposium on Microarchitecture (MICRO 2025), being held Oct. 18–22 in Seoul, South Korea. The paper is currently available on the arXiv preprint server.
"What we've discovered is an AI privacy attack," says Joshua Kalyanapu, first author of a paper on the work and a Ph.D. student at North Carolina State University. "Security attacks refer to stealing things actually stored somewhere in a system's memory—such as stealing an AI model itself or stealing the hyperparameters of the model. That's not what we found. Privacy attacks steal stuff not actually stored on the system, such as the data used to train the model and attributes of the data input to the model. These facts are leaked through the behavior of the AI model. What we found is the first vulnerability that allows successfully attacking AI privacy via hardware."

The vulnerability is associated with "machine learning (ML) accelerators," hardware components on computer chips that increase the performance of machine-learning models in AI systems while reducing the models' power requirements. Machine learning refers to a subset of AI models that use algorithms to identify patterns in training data, then use those patterns to draw conclusions from new data.
Specifically, the vulnerability allows an attacker with access to a server that uses the ML accelerator to determine what data was used to train AI systems running on that server and leak other private information. The vulnerability—named GATEBLEED—works by monitoring the timing of software-level functions taking place on hardware, bypassing state-of-the-art malware detectors. The finding raises security concerns for AI users and liability concerns for AI companies.

"The goal of ML accelerators is to reduce the total cost of ownership by reducing the cost of machines that can train and run AI systems," says Samira Mirbagher Ajorpaz, corresponding author of the paper and an assistant professor of electrical and computer engineering at NC State.
"These AI accelerators are being incorporated into general-purpose CPUs used in a wide variety of computers," says Mirbagher Ajorpaz. "The idea is that these next-generation chips would be able to switch back and forth between running AI applications with on-core AI accelerators and executing general-purpose workloads on CPUs. Since this technology looks like it will be in widespread use, we wanted to investigate whether AI accelerators can create novel security vulnerabilities."

For this study, the researchers focused on Intel's Advanced Matrix Extensions, or AMX, which is an AI accelerator that was first incorporated into the 4th Generation Intel Xeon Scalable CPU.

"We found a vulnerability that effectively exploits the exact behaviors that make AI accelerators effective at speeding up the execution of AI functions while reducing energy use," says Kalyanapu.
"Chips are designed in such a way that they power up different segments of the chip depending on their usage and demand to conserve energy," says Darsh Asher, co-author of the paper and a Ph.D. student at NC State. "This phenomenon is known as power gating and is the root cause of this attack. Almost every major company implements power gating in different parts of their CPUs to gain a competitive advantage."

"The processor powers different parts of on-chip accelerators depending on usage and demand; AI algorithms and accelerators may take shortcuts when they encounter data sets on which they were trained," says Farshad Dizani, co-author of the paper and a Ph.D. student at NC State.

"Powering up different parts of accelerators creates an observable timing channel for attackers. In other words, the behavior of the AI accelerator fluctuates in an identifiable way when it encounters data the AI was trained on versus data it was not trained on. These differences in timing create a novel privacy leakage for attackers who have not been granted direct access to privileged information."
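The mechanism the researchers describe above, as an added toy simulation (this is not the paper's code and not a model of any real CPU): an accelerator unit that is gated off after a period of inactivity pays a wake-up penalty on its next use, so the time at which a workload last touched the unit becomes visible to anything that uses the unit afterwards. In the simulation a deep network takes a shortcut (an early exit) on some inputs, which changes when the unit goes idle, and a later probe of the unit sees either the cheap or the expensive latency. All cycle costs, the gating threshold, the early-exit depth and the probe schedule are assumptions chosen for the illustration. The block also shows the two mitigations the article mentions later and their cost: never gating the unit (more power) and padding the early exit to full depth (more latency), either of which makes the probe latency identical for both inputs.

```python
import math
from dataclasses import dataclass


@dataclass
class GatedUnit:
    """Toy model of a power-gated accelerator unit (constructed; not a model of any real CPU)."""
    idle_threshold: float = 50   # cycles of inactivity after which the unit is gated off (assumed)
    wake_penalty: int = 200      # extra cycles to power the unit back up on its next use (assumed)
    op_cost: int = 10            # cycles for one operation while the unit is powered (assumed)
    powered: bool = True
    idle_cycles: int = 0

    def idle(self, cycles: int) -> None:
        """Time passes without the unit being used; gate it off once the threshold is reached."""
        self.idle_cycles += cycles
        if self.idle_cycles >= self.idle_threshold:
            self.powered = False

    def use(self) -> int:
        """Run one operation and return its latency, including the wake-up cost if gated."""
        cost = self.op_cost
        if not self.powered:
            cost += self.wake_penalty
            self.powered = True
        self.idle_cycles = 0
        return cost


CPU_GAP = 5  # CPU-only cycles between layers, during which the unit sits idle (assumed)


def victim_inference(unit: GatedUnit, total_layers: int, exit_layer: int,
                     pad_early_exit: bool = False) -> int:
    """Run a deep network that may take a shortcut (early exit) at `exit_layer`.

    Returns the cycles the inference took. With `pad_early_exit` the network keeps
    issuing dummy accelerator ops after exiting, so every input has the same shape.
    """
    elapsed = 0
    exited = False
    for layer in range(1, total_layers + 1):
        if exited and not pad_early_exit:
            break
        elapsed += unit.use()        # one matrix op per layer (real or dummy)
        unit.idle(CPU_GAP)
        elapsed += CPU_GAP
        if layer == exit_layer:
            exited = True
    return elapsed


def probe_after(unit: GatedUnit, slot: int, inference_cycles: int) -> int:
    """Latency seen by a co-resident user of the unit that touches it at a fixed
    time `slot` after the request was issued; any time left over is idle time."""
    unit.idle(max(0, slot - inference_cycles))
    return unit.use()


def measure(exit_layer: int, total_layers: int = 12, slot: int = 200,
            gating: bool = True, pad_early_exit: bool = False) -> int:
    """Probe latency for one input; it depends on the exit depth only when gating
    is enabled and the early exit is not padded."""
    unit = GatedUnit(idle_threshold=50 if gating else math.inf)
    t = victim_inference(unit, total_layers, exit_layer, pad_early_exit)
    return probe_after(unit, slot, t)


if __name__ == "__main__":
    # exit_layer=3 stands in for an input the network shortcuts (e.g. a training-set
    # member); exit_layer=12 for one that runs the full depth. Constructed scenario.
    for label, cfg in [("gating on, no padding", {}),
                       ("gating off (power cost)", {"gating": False}),
                       ("padded exit (latency cost)", {"pad_early_exit": True})]:
        short, full = measure(3, **cfg), measure(12, **cfg)
        print(f"{label:28s} shortcut probe={short:4d}  full-depth probe={full:4d}")
```

With the default parameters the shortcut input finishes at cycle 45, the unit gates off during the remaining wait, and the probe pays 210 cycles; the full-depth input finishes at cycle 180, the unit is still powered, and the probe pays 10 cycles. Disabling gating or padding the early exit brings both to 10, which is the trade-off the article points at: the fix either keeps the unit drawing power or discards the speed-up the shortcut was meant to provide.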
"So if you plug data into a server that uses an AI accelerator to run an AI system, we can tell whether the system was trained on that data by observing fluctuations in the AI accelerator usage," says Azam Ghanbari, an author of the paper and a Ph.D. student at NC State. "And we found a way to monitor accelerator usage using a custom program that requires no permissions."

"In addition, this attack becomes more effective when the networks are deep," says Asher. "The deeper the network is, the more vulnerable it becomes to this attack."

"And traditional approaches to defend against attacks don't appear to work as well against this vulnerability, because other attacks rely on outputs from the model or reading power consumption," says Mirbagher Ajorpaz. "GATEBLEED does neither.
"Rather, GATEBLEED is the first vulnerability to exploit hardware to leak user data privacy by leveraging the interaction between AI execution and accelerator power-gating states," Mirbagher Ajorpaz says. "Unlike software vulnerabilities, hardware flaws cannot simply be patched with an update. Effective mitigation requires hardware redesign, which takes years to propagate into new CPUs. In the meantime, microcode updates or operating system (OS)-level defenses impose heavy performance slowdowns or increased power consumption, both of which are unacceptable in production AI deployments."

"Moreover, because hardware sits beneath the OS, hypervisor, and application stack, a hardware attack like GATEBLEED can undermine all higher-level privacy guarantees—regardless of encryption, sandboxing, or privilege separation," Mirbagher Ajorpaz says. "Hardware vulnerabilities thus open a fundamentally new channel for AI user data privacy leakage and it bypasses all existing defenses designed for AI inference attacks."
The ability to identify the data an AI system was trained on raises a number of concerns for both AI users and AI companies.

"For one thing, if you know what data an AI system was trained on, this opens the door to a range of adversarial attacks and other security concerns," Mirbagher Ajorpaz says. "In addition, this could also create liability for companies if the vulnerability is used to demonstrate that a company trained its systems on data it did not have the right to use."

The vulnerability can also be used to give attackers additional information about how an AI system was trained.
"Mixtures of Experts (MoEs), where AI systems draw on multiple networks called 'experts,' are becoming the next AI architecture—especially with new natural language processing models," Mirbagher Ajorpaz says. "The fact that GATEBLEED reveals which experts responded to the user query means that this vulnerability leaks sensitive private information. GATEBLEED shows for the first time that MoE execution can leave a footprint in hardware that can be extracted.

"We found a dozen such vulnerabilities on the deployed and popular AI codes and modern AI agent designs across popular machine-learning libraries used by a variety of AI systems (HuggingFace, PyTorch, TensorFlow, etc.). This raises concerns regarding the extent to which hardware design decisions can affect our everyday privacy, particularly with more and more AI applications and AI agents being deployed."
"The work in this paper is a proof-of-concept finding, demonstrating that this sort of vulnerability is real and can be exploited even if you do not have physical access to the server," Mirbagher Ajorpaz says. "And our findings suggest that, now that we know what to look for, it would be possible to find many similar vulnerabilities. The next step is to identify solutions that will help us address these vulnerabilities without sacrificing the benefits associated with AI accelerators."
The paper was co-authored by Darsh Asher, Farshad Dizani, and Azam Ghanbari, all of whom are Ph.D. students at NC State; Aydin Aysu, an associate professor of electrical and computer engineering at NC State; and by Rosario Cammarota of Intel.
Source: Hardware vulnerability allows attackers to hack AI training data