Cache Telepathy: Leveraging Shared Resource Attacks to Learn DNN Architectures

  • 2018-08-14 15:50:15
  • Mengjia Yan, Christopher Fletcher, Josep Torrellas

Abstract

Deep Neural Networks (DNNs) are fast becoming ubiquitous for their ability to attain good accuracy in various machine learning tasks. A DNN's architecture (i.e., its hyper-parameters) broadly determines the DNN's accuracy and performance, and is often confidential. Attacking a DNN in the cloud to obtain its architecture can potentially provide major commercial value. Further, attaining a DNN's architecture facilitates other, existing DNN attacks.

This paper presents Cache Telepathy: a fast and accurate mechanism to steal a DNN's architecture using the cache side channel. Our attack is based on the insight that DNN inference relies heavily on tiled GEMM (Generalized Matrix Multiply), and that DNN architecture parameters determine the number of GEMM calls and the dimensions of the matrices used in the GEMM functions. Such information can be leaked through the cache side channel.

This paper uses Prime+Probe and Flush+Reload to attack VGG and ResNet DNNs running OpenBLAS and Intel MKL libraries. Our attack is effective in helping obtain the architectures by very substantially reducing the search space of target DNN architectures. For example, for VGG using OpenBLAS, it reduces the search space from more than $10^{35}$ architectures to just 16.

 
