Speed Kills: Exploring Confused Deputy Attacks Through Edge AI Accelerators
Datta Manikanta Sri Hari Danduri, Aravind Kumar Machiry

TL;DR
This paper investigates the security vulnerabilities of AI Accelerators (AIAs) to Confused Deputy Attacks, demonstrating their feasibility on multiple vendors' hardware and proposing a low-overhead defense mechanism.
Contribution
It presents the first comprehensive analysis of CDA vulnerabilities in AIAs, introduces DeputyHunt for information extraction, and proposes an effective validation defense with minimal runtime impact.
Findings
CDA is feasible on 6 out of 7 tested AIAs, affecting over 128 SoCs and 100 million devices.
The DeputyHunt framework effectively extracts CDA-relevant information using LLM-assisted analysis.
The proposed validation defense incurs approximately 15% runtime overhead, providing a practical security solution.
Abstract
AI Accelerators (AIAs) are specialized hardware, e.g., Tensor Processing Units (TPUs), that enable optimal and efficient execution of AI applications and on-device inference. The growing demand for AI applications has led to the widespread adoption of AIAs on Edge or embedded devices. Unlike applications, AIAs are not bound by Operating System (OS) restrictions and have limited visibility into Application Processor (AP) security mechanisms (e.g., kernel vs. application memory, process isolation). This semantic gap can lead to confused deputy vulnerabilities, i.e., an AIA can be tricked by a malicious application into performing privileged operations on its behalf. In this paper, we conducted the first in-depth study of Confused Deputy Attacks (CDAs) using AIAs. We design DeputyHunt, a Large Language Model (LLM) assisted framework to extract CDA relevant information for a…
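The semantic gap described above is easiest to see at the driver boundary: an application hands the accelerator a buffer descriptor, and if nobody checks that descriptor against what the caller is actually allowed to touch, the accelerator becomes the deputy. The following is an added, self-contained C model of that boundary; it is not code from the paper, and it is not the paper's DeputyHunt framework or its validation defense, whose exact design the page does not describe. The descriptor layout, the `KERNEL_BASE` split, the per-caller region table and the sample addresses are all constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical descriptor an application submits to an accelerator driver:
 * a guest-physical/virtual address and a byte length the device will DMA. */
typedef struct { uint64_t addr; uint64_t len; } aia_desc_t;

/* One address range the calling application is permitted to reference
 * (for a real driver this would come from its mapped buffers). */
typedef struct { uint64_t base; uint64_t len; } region_t;

#define MAX_REGIONS 8
typedef struct { region_t regions[MAX_REGIONS]; size_t n; } region_table_t;

/* Constructed split: anything at or above this is kernel space in this model. */
#define KERNEL_BASE 0xffff800000000000ULL

/* Constructed sample table: one 4 KiB application buffer. */
static const region_table_t SAMPLE_TABLE = {
    .regions = { { .base = 0x10000000ULL, .len = 0x1000ULL } },
    .n = 1,
};

/* "Before" shape of the driver: the descriptor goes to hardware untouched,
 * so the accelerator will happily operate on any address it is given. */
static bool submit_unchecked(const aia_desc_t *d) {
    (void)d;            /* stand-in for programming the device */
    return true;
}

/* True iff [base, base+len) lies entirely inside r, with overflow-safe math:
 * a length that wraps the address space must never pass as "in bounds". */
static bool range_within(uint64_t base, uint64_t len, const region_t *r) {
    uint64_t end, rend;
    if (len == 0) return false;
    if (__builtin_add_overflow(base, len, &end)) return false;
    if (__builtin_add_overflow(r->base, r->len, &rend)) return false;
    return base >= r->base && end <= rend;
}

/* Validation the AP must do on the deputy's behalf, because the accelerator
 * cannot tell kernel memory from the caller's own buffers. */
bool validate_desc(const aia_desc_t *d, const region_table_t *t) {
    if (d->len == 0) return false;           /* empty or nonsensical request */
    if (d->addr >= KERNEL_BASE) return false; /* never let a device touch kernel space */
    for (size_t i = 0; i < t->n; i++)
        if (range_within(d->addr, d->len, &t->regions[i])) return true;
    return false;                             /* not one of the caller's buffers */
}

/* "After" shape: the same submission path, gated by the check. */
bool submit_checked(const aia_desc_t *d, const region_table_t *t) {
    return validate_desc(d, t) && submit_unchecked(d);
}

/* Convenience wrapper over the constructed sample table. */
bool check(uint64_t addr, uint64_t len) {
    aia_desc_t d = { .addr = addr, .len = len };
    return submit_checked(&d, &SAMPLE_TABLE);
}

int main(void) {
    struct { uint64_t addr, len; const char *why; } cases[] = {
        { 0x10000000ULL,          0x100ULL,  "inside the caller's buffer" },
        { 0x10000800ULL,          0x1000ULL, "straddles the end of the buffer" },
        { 0xffff800000001000ULL,  8ULL,      "kernel address" },
        { 0x7fffffffffffff00ULL,  0x200ULL,  "wraps past the top of the space" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-40s -> %s\n", cases[i].why,
               check(cases[i].addr, cases[i].len) ? "accepted" : "rejected");
    return 0;
}
```

The point of the model is where the check lives: the device in `submit_unchecked` has no concept of process boundaries, so the only place the caller's authority can be enforced is on the AP, before the descriptor reaches hardware. A real driver would also have to pin the pages for the DMA's lifetime and re-check on any descriptor rewrite, which this sketch leaves out.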
