Bachelor Seminar - Information Security


The seminar will focus on various security and privacy aspects in cryptocurrencies and blockchain platforms, security aspects of machine learning platforms, as well as on the security of secure hardware, such as Trusted Execution Environments.

Students are expected to investigate a narrow topic based on recently published literature. The investigation findings are to be included in a report and presented during the class.

We will organize the seminar in the spirit of a scientific conference. Besides writing a report on the selected topic, students are expected to constructively review each other’s reports – akin to the peer-review system commonly used in current academic conferences.

At the end of this seminar, students will be able to study a narrowly-defined topic, gain basic insights into current research trends and practices in that topic, and write concise scientific reports on their findings. Students will also develop experience in giving scientific presentations, and get valuable insights into peer-reviewing.

Students will be evaluated based on the quality of their report, as well as on their presentation skills.

Requirements

Language: English
Exposé: max. 3 pages
Preliminary and final reports: max. 10 pages
Presentation: 10 min (+5 min Q&A)

Topics for Bachelor students are normally prepared in a group of two students. The requirements are consequently for topics covered by two students.

Schedule Summer Term 2025
11.04.2025: Kick-off event – starting at 14:00 in MC 1.54. Attendance is compulsory.
30.04.2025: Submission of the exposé.
17.06.2025: Preliminary final version, submission to supervisor and class for reviews.
01.07.2025: Submission of reviews by students.
15.07.2025: Submission of final version after incorporating the reviews and supervisor’s corrections.
17.07.2025: Upload of your final presentation.
18.07.2025: Presentation day (TBD)

 

Schedule Winter Term 2024/25
until 11.10.2024: Join the Moodle course for further information.
11.10.2024: Kick-off event in MC 1/84 at 14:00. Attendance is compulsory.
28.10.2024: Submission of the exposé.
02.01.2025: Preliminary final version, submission to supervisor and class for reviews.
14.01.2025: Submission of reviews by students.
28.01.2025: Submission of final version after incorporating the reviews and supervisor’s corrections.
30.01.2025: Upload of your final presentation.
31.01.2025: Presentation day (starting: TBA)

List of Topics

Topics in the Area of Hardware Security:

  1. TEE GPUs: Advancing Security in High-Performance Systems

TEEs are widely adopted to ensure confidentiality in the Cloud. For a long time, TEEs were only available for CPUs. However, modern workloads increasingly rely on GPUs for tasks such as image processing and AI inference. This seminar topic will explore the evolution of TEEs to secure GPU workloads.

Goal:

  • Outline the relevance and benefit of TEE GPUs.
  • Describe the solutions StrongBox [1] and Graviton [2] in detail. This includes the threat model, the design, and security considerations.
  • Compare these solutions with respect to performance, security, and hardware requirements.
[1] https://dl.acm.org/doi/abs/10.1145/3548606.3560627

[2] https://www.usenix.org/conference/osdi18/presentation/volos

 

  2. The Threat of Micro-Op Cache Leakage

Micro-op caches in x86 CPUs add a cache level on top of the L1 cache. This cache stores translations of instructions into so-called micro-ops which can be highly parallelized in execution. However, similar to other cache levels, the micro-op cache incurs timing differences, which can be exploited as a side channel.

Goal:

  • Outline the relevance and technical details of the micro-op cache in modern x86 processors.
  • Describe the timing variances uncovered in the papers [1,2,3] in detail. This includes a detailed description of the specifics of the micro-op cache and front-end leading to a distinguishable execution time. Further provide details of how this behavior can be exploited as a side channel.
  • Compare the side channels in terms of performance and bandwidth as well as their stealthiness. Further go into detail about mitigation strategies and their applicability.
[1] https://www.cs.virginia.edu/venkat/papers/isca2021a.pdf

[2] https://caslab.csl.yale.edu/publications/deng2022leaky.pdf

[3] https://dl.acm.org/doi/pdf/10.1145/3466752.3480079

 

Topics in the area of Machine Learning Security:

  1. Lifespan of Backdoor Attacks against HFL Systems

Federated Learning [1] is an emerging paradigm for privacy-preserving distributed machine learning. Due to their decentralized nature, FL systems are particularly vulnerable to backdoor attacks, which cause the system to generate false output if the backdoor trigger is embedded during inference [2]. As an attacker in horizontal FL (HFL) may be excluded from training at some point, its goal is to keep the attack success rate high for as long as possible after it leaves the system. Recent research focuses on approaches that increase this so-called “backdoor lifespan” [3,4].

Goal: Give an overview of the functioning of federated learning and explain the threat model of backdoor attacks with special focus on their lifespan. Explain recent backdoor attacks that focus on increasing the backdoor lifespan and discuss defenses against said attacks.

[1] McMahan et al., “Communication-Efficient Learning of Deep Networks from Decentralized Data”, AISTATS 2020

[2] Bagdasaryan et al., “How To Backdoor Federated Learning”, AISTATS 2020

[3] Dai and Li, “Chameleon: Adapting to Peer Images for Planting Durable Backdoors in Federated Learning”, ICML 2023

[4] Zhang et al., “A3FL: Adversarially Adaptive Backdoor Attacks to Federated Learning”, NeurIPS 2023

 

  2. Backdoor Attacks against VFL Systems

Federated Learning [1] is an emerging paradigm for privacy-preserving distributed machine learning. It comes in two different flavors: horizontal and vertical FL. Due to their decentralized nature, FL systems are particularly vulnerable to backdoor attacks, which cause the system to generate false output if the backdoor trigger is embedded during inference [2]. While backdoor attacks against HFL are well studied, backdoor attacks against VFL are a rather new research topic [2, 3]. Protecting against such backdoor attacks in VFL is a difficult challenge because backdoor defenses from HFL do not simply transfer to VFL [4].

Goal: Give an overview of the functioning of federated learning with special focus on vertical federated learning (VFL). Explain how backdoors can be implanted in the global model and outline the threat model for backdoor attackers in VFL. Then discuss and present different approaches from the literature on how to prevent these backdoor attacks.

[1] McMahan et al., “Communication-Efficient Learning of Deep Networks from Decentralized Data”, AISTATS 2020

[2] Naseri et al., “BadVFL: Backdoor Attacks in Vertical Federated Learning”, S&P 2024

[3] Bai et al., “VILLAIN: Backdoor Attacks against Vertical Split Learning”, USENIX 2023

[4] Cho et al., “VFLIP: A Backdoor Defense for Vertical Federated Learning via Identification and Purification”, ESORICS 2024

 

  3. Backdooring Diffusion Models through Personalization

Diffusion models [1] are a major contributor to the advances of generative AI but require costly (re-)training for the acquisition of new concepts. Recent personalization methods [2, 3] can introduce new concepts to such a model with lightweight computations and a minimal number of samples. Unfortunately, this also opens up the possibility to efficiently introduce backdoors into a diffusion model [4] for further redistribution as part of a supply-chain attack.

Goal: Briefly give an overview on the functional principle of (latent) diffusion models [1]. Summarize what kind of personalization methods exist, e.g., Textual Inversion [2] and DreamBooth [3]. Finally, present the possibilities for exploitation of these personalization schemes for embedding backdoors into diffusion models [4].

[1] High-Resolution Image Synthesis With Latent Diffusion Models, Rombach et al., CVPR 2022.

[2] An Image is Worth One Word: Personalizing Text-to-Image Generation using Textual Inversion, Gal et al., ICLR 2023.

[3] DreamBooth: Fine Tuning Text-to-Image Diffusion Models for Subject-Driven Generation, Ruiz et al., CVPR 2023.

[4] Personalization as a Shortcut for Few-Shot Backdoor Attack against Text-to-Image Diffusion Models, Huang et al., AAAI 2024.

 

  4. Machine Unlearning and Backdoor Attacks

With the recent privacy advances of the GDPR and the right to be forgotten, machine unlearning [1] is crucial for the removal of once-learned data from a machine learning model. However, malicious unlearning requests can alter the model behavior by injecting backdoors or activating already embedded ones [2]. On the other hand, machine unlearning can also be used for defenses: it can reveal the impact of features inherent to the model and of features injected by an attacker on the final classification [3].

Goal: Briefly give an overview on the functional principle of machine unlearning. Then outline how backdoors can be implanted with this method and how unlearning can be used to remove backdoors.

[1] Bourtoule et al., “Machine Unlearning”, IEEE S&P (Oakland) 2021.

[2] Liu et al., “Backdoor Attacks via Machine Unlearning”, AAAI 2024.

[3] Zhao et al., “UMA: Facilitating Backdoor Scanning via Unlearning-Based Model Ablation”, AAAI 2024.

 

  5. Unrestricted Adversarial Examples (UAE)

Diffusion models [2] are the state of the art for image generation, and research on their security aspects is very active right now. Adversarial examples are usually generated by adding a small perturbation to an existing image to change its classification. With diffusion models, we can generate synthetic images that evade classifiers right away, without any further perturbation. These are called Unrestricted Adversarial Examples (UAEs) [1].

Goal:

  • Explain how AdvDiff [1] improves upon previous methods
  • Explain in detail how AdvDiff differs from common adversarial examples
  • Try to find further literature on similar attacks, as well as possible targets for this method and provide a short overview. Can you come up with new attacks that become possible with AdvDiff on your own?
[1] AdvDiff: Generating Unrestricted Adversarial Examples Using Diffusion Models
Xuelong Dai, Kaisheng Liang, Bin Xiao
In European Conference on Computer Vision (ECCV), 2024.

[2] Denoising Diffusion Probabilistic Models.
Jonathan Ho, Ajay Jain, Pieter Abbeel.
In Advances in Neural Information Processing Systems (NeurIPS), 2020.

 

  6. Energy-Latency Attacks on VLMs

So-called sponge examples [2] are inputs to machine learning systems which are specifically designed to increase energy consumption and latency. A recent paper [1] describes a method for triggering this behaviour on large, multimodal chatbots such as GPT-4 using carefully manipulated images.

Goal:

  • Outline the concept of energy-latency attacks on machine learning systems
  • Describe paper [1] in detail. This includes the threat model, possible damage scenarios, the methods used, and the evaluations.
  • Describe what the authors mean by inducing hallucinations in the VLM and how this is evaluated
  • Try to find further literature on similar attacks and provide a short overview. Can you come up with new target systems for this kind of attack on your own?
[1] Inducing High Energy-Latency of Large Vision-Language Models with Verbose Images, https://openreview.net/forum?id=BteuUysuXX

[2] Sponge Examples: Energy-Latency Attacks on Neural Networks, https://ieeexplore.ieee.org/document/9581273

Topics in the area of Blockchain Security:

 

  1. Proof of “Crypto exchange has NOT run away with all your money”

Many cryptocurrency users keep funds at Binance, Coinbase etc.

Sometimes, crypto exchanges go bankrupt. Users would like assurance that they can always get their deposits back. How can an exchange prove its solvency to its users?

Goal: study, present and compare protocols for decentralized privacy-preserving solvency audits [1, 2].

[1] Ji, Chalkias, “Generalized Proof of Liabilities”, 2021, https://dl.acm.org/doi/abs/10.1145/3460120.3484802

[2] Xin et al., “Notus”, 2024, https://eprint.iacr.org/2024/395

 

  2. Proof of Solvency #2: coin ownership

Proof of solvency = proof of liabilities (previous topic) + proof of assets.

  • To publicly prove ownership of X coins, the exchange could make its addresses public.
      ○ Everybody could see the addresses’ histories.
      ○ Not privacy preserving.
  • Proof of assets without revealing additional information requires additional cryptographic techniques.
      ○ ZK, MPC, OT, PIR ← step 1: what are these tools, generally?
      ○ [1, 2] ← step 2: how can an exchange use such techniques in order to prove asset ownership?

[1] Dagher, Bünz, Bonneau, Clark, Boneh, “Provisions”, CCS 2015, https://dl.acm.org/doi/10.1145/2810103.2813674

[2] Baldimtsi, Chatzigiannis, Gordon, Le, McVicker, “gOTzilla”, PETS 2022, https://eprint.iacr.org/2022/170

 

  3. Security and Privacy of Cross-Chain Solutions

Interoperability is the ability of two or more software components to cooperate, despite differences in language, interface, and execution platform [2]. Nowadays, interoperability plays a fundamental role in cryptocurrency exchange, extension of existing systems, and bootstrapping of new blockchains [1]. However, achieving interoperability between blockchain systems comes with unique challenges in terms of the protocols’ composability, correctness, security and privacy properties [1,2].

Goal:

  • Highlight the cross-chain solutions available in the literature
  • Compare them in terms of security and privacy risks
[1] SoK: Communication Across Distributed Ledgers, FC 2021, https://link.springer.com/chapter/10.1007/978-3-662-64331-0_1

[2] SoK: Security and Privacy of Blockchain Interoperability, S&P 2024, https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=10646648

 

  4. DoS attacks in Ethereum

Blockchains’ intricate architecture comprises different layers, such as network, consensus, and application [1, 2]. This exposes them to various attack surfaces, leading to severe threats for the ecosystem. Among these threats, the frequency and severity of DoS attacks are rising [2].

Goal: Provide an overview of the three different attack strategies on Ethereum described in [1, 2, 3]. Specifically, compare them in terms of:

  • attack’s targets;
  • attack’s techniques.

Consequently, briefly describe and compare the mitigations proposed.

[1] Speculative Denial-of-Service Attacks In Ethereum, USENIX Sec’24, https://www.usenix.org/system/files/usenixsecurity24-yaish.pdf

[2] Nurgle: Exacerbating Resource Consumption in Blockchain State Storage via MPT Manipulation, S&P’24, https://arxiv.org/pdf/2406.10687

[3] Partitioning Ethereum without Eclipsing It, NDSS’23, https://www.ndss-symposium.org/wp-content/uploads/2023/02/ndss2023_f465_paper.pd

 

  5. Security-Performance Tradeoff in Blockchains

Scalability and security are both crucial properties of decentralized systems. However, prior work has shown a tradeoff (often called a trilemma) between decentralization, security, and performance.

Goal: Summarize this tradeoff or trilemma and look into possible solutions.

[1] Larger-scale Nakamoto-style Blockchains Don't Necessarily Offer Better Security, https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10646744

[2] A Formulation of the Trilemma in Proof of Work Blockchain, https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10549891

[3] On the Security and Performance of Proof of Work Blockchains, https://ethz.ch/content/dam/ethz/special-interest/infk/inst-infsec/system-security-group-dam/research/publications/pub2016/ccs16_gervais.pdf

 

  6. The Availability-Finality Dilemma

According to the CAP theorem [2,3], no web service can offer Consistency, Availability, and Partition-tolerance at the same time. This issue was already discussed decades ago, but gained further importance with the emergence of blockchains. While in the original setting the number of nodes was fixed over time and commonly known, blockchains often require dynamic participation, i.e., an unknown number of nodes frequently joining and leaving the network. Dynamically available blockchains cannot offer finality in a network that might experience a partition. The recently proposed Ebb-and-Flow protocols [1] offer both finality and availability by combining two consensus mechanisms into a single flexible consensus protocol.

Your task is to first summarize the CAP theorem and its linkage to the availability-finality dilemma in blockchain networks. Furthermore, you are expected to elaborate on the Ebb-and-Flow protocols proposed by Neu et al. [1]. What are the challenges of having a network with “sporadic participation”, and what (security) properties do Ebb-and-Flow protocols provide to such networks?

[1] Joachim Neu, Ertem Nusret Tas, and David Tse, “Ebb-and-Flow Protocols: A Resolution of the Availability-Finality Dilemma”, SP 2021

[2] Rafael Pass and Elaine Shi, “The Sleepy Model of Consensus”, ASIACRYPT 2017

[3] Seth Gilbert and Nancy Lynch, “Brewer’s Conjecture and the Feasibility of Consistent, Available, Partition-Tolerant Web Services”