Hardware and Software Platform Inference

TL;DR

This paper presents HSPI, a novel method to identify the GPU hardware and software stack used in machine learning model inference solely based on input-output behavior, addressing verification and authenticity concerns.

Contribution

Introduction of HSPI, a classification framework that accurately infers GPU architecture and software stack from black-box model outputs, enhancing verification of inference service authenticity.

Findings

Achieves 83.9% to 100% accuracy in white-box GPU identification.

Outperforms random guessing by up to 3x in black-box scenarios.

Demonstrates feasibility of GPU inference identification from output patterns.

Abstract

It is now a common business practice to buy access to large language model (LLM) inference rather than self-host, because of significant upfront hardware infrastructure and energy costs. However, as a buyer, there is no mechanism to verify the authenticity of the advertised service including the serving hardware platform, e.g. that it is actually being served using an NVIDIA H100. Furthermore, there are reports suggesting that model providers may deliver models that differ slightly from the advertised ones, often to make them run on less expensive hardware. That way, a client pays premium for a capable model access on more expensive hardware, yet ends up being served by a (potentially less capable) cheaper model on cheaper hardware. In this paper we introduce hardware and software platform inference (HSPI) -- a method for identifying the underlying GPU architecture and software stack of a (black-box) machine learning model solely based on its input-output behavior. Our method leverages the inherent differences of various GPU architectures and compilers to distinguish between different GPU types and software stacks. By analyzing the numerical patterns in the model's outputs, we propose a classification framework capable of accurately identifying the GPU used for model inference as well as the underlying software configuration. Our findings demonstrate the feasibility of inferring GPU type from black-box models. We evaluate HSPI against models served on different real hardware and find that in a white-box setting we can distinguish between different GPUs with between $83.9\%$ and $100\%$ accuracy. Even in a black-box setting we achieve results that are up to 3x higher than random guess accuracy. Our code is available at https://github.com/ChengZhang-98/HSPI.