DeepSteal demonstrates a digital side channel that can steal fine-grained machine learning model weight information, which enables subsequent advanced DNN model extractions. At its core, DeepSteal leverages the memory rowhammer vulnerability as an information leakage attack vector that effectively exfiltrates fined-grained (but partial) model weight bits in bulk. DeepSteal then utilizes such partially-revealed model parameters to build extremely powerful model extraction attacks for deep neural networks (DNNs), including the construction of substitute models with superior accuracy and fidelity as well as enhanced adversarial input attacks with close to white-box attack performance. In contrast to previous physical/microarchitecture attacks that leak DNN model hyperparameters or model architectures, DeepSteal unveils a more severe ML privacy concern of ML weight due to HW threats.
This repository contains code for the DeepSteal system-level exploits. Specifically, it includes tools to profile DRAMs to identify memory cells (bits) in DRAM DIMMS that are highly reliable and leakable (using rowhammer as a side channel). The repo also contains a proof-of-concept code example that can be used to leak ML model weight bits (HammerLeak) as proposed in the paper.
- Operating System: Ubuntu 20.04.4 LTS
- Kernel: 5.13.0-40-generic
- GCC: Ubuntu 9.4.0-1ubuntu1~20.04.1
- Python: 3.9.7 (Anaconda distribution)
- Pytorch: Source compiled (Tag: v1.7.1-rc3, FBGEMM commit: 1d71039)
- rh_leakage_tool
- contains a tool that profiles DRAM to identify leakable DRAM cells for rowhammer side channel exploit.
- system_exploit
- attacker
- Attacker proof-of-concept exploit for machine learning inference server (currently demonstrated on PyTorch)
- victim
- Example PyTorch inference server (adapted from: https://pytorch.org/tutorials/advanced/cpp_export.html)
- attacker
- dram-addressing-db.md: a list of DRAM addressing functions we reverse-engineered for Intel processors.
- utils
More information about DeepSteal can be found in our paper in IEEE Symposium on Security and Privacy, 2022. Our work can be cited using the following information.
@inproceedings{deepsteal,
title={Deepsteal: Advanced model extractions leveraging efficient weight stealing in memories},
author={Rakin, Adnan Siraj* and Chowdhuryy, Md Hafizul Islam* and Yao, Fan and Fan, Deliang},
booktitle={IEEE Symposium on Security and Privacy (S&P)},
year={2022},
organization={IEEE}
}