Vulnerabilities in Partial TEE-Shielded LLM Inference with Precomputed Noise
Abhishek Saini, Haolin Jiang, and Hang Liu

TL;DR
This paper shows that using precomputed noise in TEE-shielded LLM inference introduces a cryptographic weakness (reuse of secret keying material), enabling full breaches of model confidentiality and integrity in state-of-the-art large language models.
Contribution
It identifies a critical security flaw in current TEE-based LLM protection methods and demonstrates practical attacks on large models.
Findings
Full confidentiality breach of model weights
Integrity checks bypassed in TEE systems
Attacks scalable to models with 405B parameters
Abstract
The deployment of large language models (LLMs) on third-party devices requires new ways to protect model intellectual property. While Trusted Execution Environments (TEEs) offer a promising solution, their performance limits can lead to a critical compromise: using a precomputed, static secret basis to accelerate cryptographic operations. We demonstrate that this mainstream design pattern introduces a classic cryptographic flaw, the reuse of secret keying material, into the system's protocol. We prove its vulnerability with two distinct attacks: First, our attack on a model confidentiality system achieves a full confidentiality break by recovering its secret permutations and model weights. Second, our integrity attack completely bypasses the integrity checks of systems like Soter and TSQP. We demonstrate the practicality of our attacks against state-of-the-art LLMs, recovering a layer's…
Taxonomy
Topics: Security and Verification in Computing · Adversarial Robustness in Machine Learning · Advanced Authentication Protocols Security
