BarkBeetle: Stealing Decision Tree Models with Fault Injection

TL;DR

BarkBeetle is a novel fault injection attack that efficiently extracts internal structure of decision tree models, demonstrating practical feasibility and raising security concerns for ML models in sensitive applications.

Contribution

This work introduces BarkBeetle, a new fault injection attack that significantly improves the efficiency of extracting decision tree structures compared to prior methods.

Findings

BarkBeetle requires fewer queries than previous attacks.

It successfully recovers detailed decision tree structures.

The attack is feasible on low-cost hardware like Raspberry Pi.

Abstract

Machine learning models, particularly decision trees (DTs), are widely adopted across various domains due to their interpretability and efficiency. However, as ML models become increasingly integrated into privacy-sensitive applications, concerns about their confidentiality have grown, particularly in light of emerging threats such as model extraction and fault injection attacks. Assessing the vulnerability of DTs under such attacks is therefore important. In this work, we present BarkBeetle, a novel attack that leverages fault injection to extract internal structural information of DT models. BarkBeetle employs a bottom-up recovery strategy that uses targeted fault injection at specific nodes to efficiently infer feature splits and threshold values. Our proof-of-concept implementation demonstrates that BarkBeetle requires significantly fewer queries and recovers more structural information compared to prior approaches, when evaluated on DTs trained with public UCI datasets. To validate its practical feasibility, we implement BarkBeetle on a Raspberry Pi RP2350 board and perform fault injections using the Faultier voltage glitching tool. As BarkBeetle targets general DT models, we also provide an in-depth discussion on its applicability to a broader range of tree-based applications, including data stream classification, DT variants, and cryptography schemes.