Skip to content
Code for the Paper: "Security Analysis of Deep Neural Networks Operating in the Presence of Cache Side-Channel Attacks"
Python C Shell Makefile
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
Mastik @ ba7a6a2 Initialize --- include the Mastik side-channel toolkit May 29, 2019
attacks Upload the instructions for the future use May 30, 2019
defenses Upload the attack and defense codes May 29, 2019
etc Upload the attack and defense codes May 29, 2019
tensorflow @ 656e7a2
.gitignore Initial commit May 25, 2019
.gitmodules Initialize --- include the TensorFlow framework May 29, 2019
LICENSE Initial commit May 25, 2019 Upload the instructions for the future use May 30, 2019

Project: DeepRecon

Security Analysis of Deep Neural Networks Operating in the Presence of Cache Side-Channel Attacks

DeepRecon is an exemplary attack that reconstructs the architecture of the victim's DNN by using the internal information extracted via Flush+Reload, a cache side-channel technique. DeepRecon observes function invocations that map directly to architecture attributes of the victim network so that the attacker can reconstruct the victim's entire network architecture from her observations.

This repository is for the following paper:

Security Analysis of Deep Neural Networks Operating in the Presence of Cache Side-Channel Attacks.
Sanghyun Hong, Michael Davinroy, Yigitcan Kaya, Stuart Nevans Locke, Ian Rackow, Kevin Kulda, Dana Dachman-Soled, and Tudor Dumitras.

1. Runtime Environment

  • Ubuntu 16.04
  • Python 2.7.15-rc1
  • TensorFlow 1.10.0
  • Mastik v0.0.2

2. Preparations

To run DeepRecon, we require two preparation steps:

  1. Compiling TensorFlow from source to extract (only) the symbol table in use
  2. Compiling the attack code with the support of the off-the-shelf Flush+Reload library (Mastik).

2.1. Build TensorFlow from Source

The official instructions on building TensorFlow can be found at this website.

2.1.1 Install Bazel

Bazel is Google's build system, required to build TensorFlow. Building TensorFlow usually requires an up-to-date version of Bazel; there is a good chance that whatever your package manager provides will be outdated. There are various ways to obtain a build of Bazel (see

Note: we use the specific version of Bazel (v0.16.1). You can download and install from here.

2.1.2 Install Python Packages

  $ pip install -r requirements.txt

2.1.3 Build and Install TensorFlow w. Bazel

Run the configuration script (currently, we disable all the features) under the tensorflow dir. [Note: we recommend to use Python virtual environment, to suppress the conflicts with your system.]

  $ ./configure <<< 'n'

Compile This command will build Tensorflow using optimized settings for the current machine architecture.

  $ bazel build -c dbg --strip=never //tensorflow/tools/pip_package:build_pip_package

We still need to build a Python package using the now generated build_pip_package script.

  $ bazel-bin/tensorflow/tools/pip_package/build_pip_package /tmp/tensorflow_pkg

Now there will be a package inside /tmp/tensorflow_pkg, which can be installed with pip.

  $ pip install /tmp/tensorflow_pkg/tensorflow-<version>-<architecture>.whl

2.2. Compile the Attack Source

Our attack reconstructs the DNN's architecture from the extracted attributes via Flush+Reload. We first build Mastik library that implements side-channel attacks and incorporate the library into the extraction code.

2.2.1 Build Mastik

  $ ./

2.2.2 Build Attack Code

  $ cd attacks
  $ make

3. Running DeepRecon

Run the inference with the model using a sample (mug.jpg). [Note that in the real-attack, we do not need to query the victim model; this can be achieved by a user's query while we are passively monitoring the cache behaviors.]

  $ cd models
  $ python
  Using TensorFlow backend.
  0 iteration, press any key to perform...

  (wait until the extraction is ready.)

After that, run the DeepRecon attack code (specify the location to store the output file).
[Note: in the flush_reload.c, the thresholds and monitor parameters should be tuned in advance.]

  $ cd attacks
  $ ./flush_reload .
  ------------ Monitor -------------
   Searching [ 0] for [_ZN10tensorflow12_GL]: : the func. offset [   4f8be5f]
   Searching [ 1] for [_ZN10tensorflow6Bias]: : the func. offset [   7a38bb6]
   Searching [ 2] for [_ZN10tensorflow9Soft]: : the func. offset [   7e99738]
   Searching [ 3] for [_ZN10tensorflow18Una]: : the func. offset [   7e4d57a]
   Searching [ 4] for [_ZN10tensorflow7Unar]: : the func. offset [   96dc50a]
   Searching [ 5] for [_ZN10tensorflow7Unar]: : the func. offset [   957f404]
   Searching [ 6] for [_ZN10tensorflow18Una]: : the func. offset [   7e4d172]
   Searching [ 7] for [_ZN10tensorflow18Una]: : the func. offset [   7ebe46c]
   Searching [ 8] for [_ZN10tensorflow18Una]: : the func. offset [   7eea696]
   Searching [ 9] for [_ZN10tensorflow18Una]: : the func. offset [   7e4b942]
   Searching [10] for [_ZN10tensorflow18Una]: : the func. offset [   7e4bd4a]
   Searching [11] for [_ZN10tensorflow14Lau]: : the func. offset [   9d72242]
   Searching [12] for [_ZN10tensorflow8MatM]: : the func. offset [   7759dfa]
   Searching [13] for [_ZN10tensorflow12Max]: : the func. offset [   97baa4e]
   Searching [14] for [_ZN10tensorflow8Bina]: : the func. offset [   898505e]
   Searching [15] for [_ZN10tensorflow12Avg]: : the func. offset [   975f21a]
   Searching [16] for [_ZN10tensorflow12Con]: : the func. offset [   5519e1a]
   Searching [17] for [_ZN10tensorflow14Lau]: : the func. offset [   9d722c2]
  ------------- Total --------------
   Monitored: [18]
  Do analysis of collected data

The extracted data stored into the accesses.raw.csv file.

  3487174,17,30,hit,End Conv
  3487190,17,28,hit,End Conv
  3487206,17,30,hit,End Conv

4. Running Defenses

To test the effectiveness of defenses, run the decoy processes during the above attack times or run the unraveled models instead of running the off-the-shelf model available on the Internet.

4.1 Run Decoy Processes

Run the scripts in the defenses/decoys along with the victim network.

  1. convolutional layer only.
  2. convolutional layer + ReLU activation.
  3. convolutional layer + ReLU activation + skip-connections.

4.2 Do Obfuscations Based on the Unraveling Method

Run the script in the defenses/obfuscations and extract the architecture attributes.

Cite This Work

You are encouraged to cite our paper if you use DeepRecon for academic research.

  author    = {Sanghyun Hong and
               Michael Davinroy and
               Yigitcan Kaya and
               Stuart Nevans Locke and
               Ian Rackow and
               Kevin Kulda and
               Dana Dachman{-}Soled and
               Tudor Dumitras},
  title     = {Security Analysis of Deep Neural Networks Operating in the Presence
               of Cache Side-Channel Attacks},
  journal   = {CoRR},
  volume    = {abs/1810.03487},
  year      = {2018},
  url       = {},
  archivePrefix = {arXiv},
  eprint    = {1810.03487},
  timestamp = {Tue, 30 Oct 2018 10:49:09 +0100},


You can’t perform that action at this time.