Cache Telepathy: Leveraging Shared Resource Attacks to Learn DNN Architectures
Mengjia Yan, Christopher Fletcher, Josep Torrellas

TL;DR
This paper introduces Cache Telepathy, a cache side-channel attack that accurately infers DNN architectures by analyzing GEMM operations, significantly narrowing the search space for model identification.
Contribution
It presents a novel cache side-channel method to extract DNN architecture details, leveraging the dependence of inference on GEMM parameters, which was not previously exploited.
Findings
Successfully reduces architecture search space from over 10^35 to 16 for VGG with OpenBLAS.
Effective in attacking VGG and ResNet models using Prime+Probe and Flush+Reload.
Leverages the dependence of GEMM calls on DNN architecture parameters.
Abstract
Deep Neural Networks (DNNs) are fast becoming ubiquitous for their ability to attain good accuracy in various machine learning tasks. A DNN's architecture (i.e., its hyper-parameters) broadly determines the DNN's accuracy and performance, and is often confidential. Attacking a DNN in the cloud to obtain its architecture can potentially provide major commercial value. Further, attaining a DNN's architecture facilitates other, existing DNN attacks. This paper presents Cache Telepathy: a fast and accurate mechanism to steal a DNN's architecture using the cache side channel. Our attack is based on the insight that DNN inference relies heavily on tiled GEMM (Generalized Matrix Multiply), and that DNN architecture parameters determine the number of GEMM calls and the dimensions of the matrices used in the GEMM functions. Such information can be leaked through the cache side channel. This…
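As an added illustration of the abstract's key insight (example code, not the paper's own artifact), the Python below maps layer hyper-parameters to the GEMM dimensions a forward pass would issue. It assumes a plain im2col convention with one GEMM per layer and batch size 1 (frameworks differ), and the VGG-style layer sizes are constructed values.

```python
"""Map DNN layer hyper-parameters to the GEMM shapes inference issues."""
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass(frozen=True)
class Conv:
    in_ch: int
    out_ch: int
    k: int          # square kernel size
    hw: int         # square input spatial size
    stride: int = 1
    pad: int = 0


@dataclass(frozen=True)
class FC:
    in_f: int
    out_f: int


def gemm_shape(layer: Union[Conv, FC], batch: int = 1) -> Tuple[int, int, int]:
    """Return (M, N, K) for C[MxN] = A[MxK] * B[KxN].

    Assumed im2col convention (not the paper's exact mapping):
    M = output channels, K = in_ch * k * k, N = batch * output pixels.
    """
    if isinstance(layer, Conv):
        out_hw = (layer.hw + 2 * layer.pad - layer.k) // layer.stride + 1
        return (layer.out_ch, batch * out_hw * out_hw, layer.in_ch * layer.k * layer.k)
    if isinstance(layer, FC):
        return (layer.out_f, batch, layer.in_f)
    raise TypeError(f"unsupported layer type: {type(layer).__name__}")


def gemm_trace(layers, batch: int = 1) -> List[Tuple[int, int, int]]:
    """One GEMM per layer: the trace length exposes the layer count, and
    each entry exposes channel, kernel and spatial-size products."""
    return [gemm_shape(layer, batch) for layer in layers]


def kernel_candidates(K: int, kernels=(1, 3, 5, 7)) -> List[Tuple[int, int]]:
    """All (in_ch, k) pairs consistent with an observed K = in_ch * k * k,
    i.e. how much ambiguity one leaked dimension leaves a defender to reason about."""
    return [(K // (k * k), k) for k in kernels if K % (k * k) == 0]


# Constructed example: first two conv layers of a VGG-style net at 224x224.
VGG_HEAD = [Conv(3, 64, 3, 224, pad=1), Conv(64, 64, 3, 224, pad=1)]

if __name__ == "__main__":
    for shape in gemm_trace(VGG_HEAD):
        print(shape)
    print(kernel_candidates(576))
```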
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Memory and Neural Computing · Security and Verification in Computing
Methods: Average Pooling · Dropout · 1x1 Convolution · Batch Normalization · Bottleneck Residual Block · Global Average Pooling · Residual Block · Dense Connections · Kaiming Initialization
