Skip to content


Switch branches/tags

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

[ICLR'20] How to 0wn NAS in Your Spare Time

This repository contains the code for the paper "How to 0wn NAS in Your Spare Time"
Published at the International Conference on Learning Representation (ICLR) 2020, Addis Ababa, Ethoipia.

Authors: Sanghyun Hong, Michael Davinroy, Yigitcan Kaya, Dana Dachman-Soled, and Tudor Dumitras
Contact: Sanghyun Hong


Our study presents an algorithm that reconstructs the key components of a novel deep learning systems—i.e., a novel data pre-preprocessing pipeline and a neural network architecture---by exploiting information leakage from a cache side-channel attack, Flush+Reload. Based on the trace of computations and the timing for each computation observed by Flush+Reload, we generate candidate computational graphs from the trace and eliminate incompatible candidates through a parameter estimation process. We demonstrate experimentally that we can reconstruct MalConv, a novel data pre-processing pipeline for malware detection, and ProxylessNAS-CPU, a novel network architecture for the ImageNet classification optimized to run on CPUs, without knowing the architecture family. This repository contains the traces that we observed by the side-channel attack and the scripts for reconstructing victim architectures.

Note: this repository currently includes the code for the ToyNet and MalConv reconstructions.

Install Dependencies

You can install the required Python packages by running the following command:

  $ pip install -r requirements.txt

Run (MalConv)

To run the script for reconstructing the MalConv architecture:

  $ ./

The reconstruction results are stored under the results/reconstruct/<victim> folder.

  • computational_graphs: contains the computational graphs reconstructed from a trace.
  • architecture_candidates: contains the candidate architecture reconstructed by pruning.
  • architectures: contains the final architecture after removing unrealistic candidates.

This PDF shows the final architecture from this reconstruction.

Traces from Flush+Reload

You can see the traces observed from the cache side-channel attack (Flush+Reload) in the traces/<victim> folder. We use the Mastik toolkit to extract those traces. If you're interested in this process, you can refer to this repository for our previous project.

  • raw: contains the raw traces observed by the side-channel attacker.
  • processed: contains the traces processed offline, used as an input to the reconstruction algorithm.

Cite This Work

You are encouraged to cite our paper if you use this code for academic research.

  author    = {Sanghyun Hong and
               Michael Davinroy and
               Yigitcan Kaya and
               Dana Dachman{-}Soled and
               Tudor Dumitras},
  title     = {How to 0wn NAS in Your Spare Time},
  booktitle = {International Conference on Learning Representations},
  year      = {2020},
  url       = {},


This project is licensed under the MIT License - see the LICENSE file for details



No releases published


No packages published