THOR: A Non-Speculative Value Dependent Timing Side Channel Attack Exploiting Intel AMX

TL;DR

This paper uncovers a new timing side-channel vulnerability in Intel AMX, enabling attackers to infer neural network weight sparsity efficiently without privileged access, highlighting security risks in AI accelerators.

Contribution

It introduces a novel value-dependent timing side-channel attack on Intel AMX that can recover neural network weight sparsity rapidly and without prior knowledge.

Findings

Attack recovers weight sparsity within 50 minutes

Achieves 631% faster leakage rate than Hertzbleed

Demonstrates a significant security vulnerability in Intel AMX

Abstract

The rise of on-chip accelerators signifies a major shift in computing, driven by the growing demands of artificial intelligence (AI) and specialized applications. These accelerators have gained popularity due to their ability to substantially boost performance, cut energy usage, lower total cost of ownership (TCO), and promote sustainability. Intel's Advanced Matrix Extensions (AMX) is one such on-chip accelerator, specifically designed for handling tasks involving large matrix multiplications commonly used in machine learning (ML) models, image processing, and other computational-heavy operations. In this paper, we introduce a novel value-dependent timing side-channel vulnerability in Intel AMX. By exploiting this weakness, we demonstrate a software-based, value-dependent timing side-channel attack capable of inferring the sparsity of neural network weights without requiring any knowledge of the confidence score, privileged access or physical proximity. Our attack method can fully recover the sparsity of weights assigned to 64 input elements within 50 minutes, which is 631% faster than the maximum leakage rate achieved in the Hertzbleed attack.