侧通道攻击对加密算法构成了严重的威胁,包括广泛使用的算法,例如AES和RSA,利用硬件或软件中的算法实现,以通过计时和/或电力侧通道来提取秘密信息。软件掩蔽是一种针对电力侧通道攻击的软件缓解方法,旨在将秘密浏览依赖性隐藏在脆弱实现的功率足迹之外。但是,这种类型的软件缓解通常取决于通用编译器,这些编译器不保留非功能性能。此外,Microarchitectural特征(例如内存总线和寄存器重复使用)也可能揭示秘密信息。这些抽象在该程序的高级实施中不可见。相反,它们是在编译时间决定的。为了解决这些问题,安全工程师通常通过关闭编译器优化和/或执行本地兼容后转换来牺牲代码效率。本文提出了SECCONCG,这是一种基于约束的编译器方法,该方法生成了优化但安全的代码。 SECCONCG通过根据处理器成本模型有效地搜索最佳的低级实施来控制缓解程序的质量。在我们在MIPS32和ARM Cortex M0上进行十项掩盖实现的实验中,与非优化优化代码相比,SECCONCG的速度将生成的代码从10%提高到10%至10倍。对于安全和编译器研究人员,本文提出了一个正式模型,以生成安全的低级代码。对于软件工程师,SECCONCG提供了一种实用方法来优化保留安全属性的代码。
translated by 谷歌翻译
现代软件部署过程产生统一的软件,因此容易受到大规模的代码重用攻击,例如跳转编程(JOP)攻击。基于编译器的多样化通过自动生成给定程序的不同装配代码版本来提高软件系统的恢复。现有技术是有效的,但不具有对所产生变体的质量的精确控制。本文介绍了建筑(Divcon)的多样性,基于约束的软件多样化方法。与以前的方法不同,Divcon允许用户控制和调整多样性和代码质量的冲突目标。关键推动器是使用大型邻域搜索(LNS)以有效地生成高度多样化的代码。对于更大的问题,我们提出了LNS的组合,其结构分解了问题。为了进一步提高Divcon对JOP攻击的多样化效率,我们提出了一种针对JOP攻击特征的特定于应用的距离测量。我们评估嵌入式系统的流行基准套件20个功能。这些实验表明,LNS和我们的应用程序特定距离测量的组合产生了对JOP攻击具有高度弹性的二进制程序。我们的结果证实,每个汇编代码版本和整个版本池的多样性之间存在权衡。特别是,实验表明,Divcon生成近最佳的二进制程序,这些程序共享少量小工具。对于约束编程研究人员和从业者,本文表明LNS是寻找多样化解决方案的宝贵技术。对于安全研究人员和软件工程师,Divcon将基于编译的多样化范围扩展到性能关键和资源受限应用程序。
translated by 谷歌翻译
在过去十年中,已经开发出新的深度学习(DL)算法,工作负载和硬件来解决各种问题。尽管工作量和硬件生态系统的进步,DL系统的编程方法是停滞不前的。 DL工作负载从DL库中的高度优化,特定于平台和不灵活的内核,或者在新颖的操作员的情况下,通过具有强大性能的DL框架基元建立参考实现。这项工作介绍了Tensor加工基元(TPP),一个编程抽象,用于高效的DL工作负载的高效,便携式实现。 TPPS定义了一组紧凑而多才多艺的2D张镜操作员(或虚拟张量ISA),随后可以用作构建块,以在高维张量上构建复杂的运算符。 TPP规范是平台 - 不可行的,因此通过TPPS表示的代码是便携式的,而TPP实现是高度优化的,并且特定于平台。我们展示了我们使用独立内核和端到端DL&HPC工作负载完全通过TPPS表达的方法的效力和生存性,这在多个平台上优于最先进的实现。
translated by 谷歌翻译
本文介绍了正向和反向模式的校正和高效自动分化的校正和高效自动化。自动差异是获得数值节目梯度的方法,这对于优化,不确定量化和机器学习至关重要。计算渐变的计算成本是实践中的常见瓶颈。对于使用OpenMP为多核CPU或GPU并行化的应用程序,还希望并行计算渐变。我们提出了一个框架,原因是生成的衍生代码的正确性,我们向差异化模型证明了我们的OpenMP扩展。我们在自动差异化工具磁带上实施此模型,并在我们的扩展差异化过程之后差异化的目前的测试用例。生成的衍生程序的性能在前进和反向模式优于顺序,尽管我们的反向模式通常比输入程序更差。
translated by 谷歌翻译
There is an increasing need to bring machine learning to a wide diversity of hardware devices. Current frameworks rely on vendor-specific operator libraries and optimize for a narrow range of server-class GPUs. Deploying workloads to new platforms -such as mobile phones, embedded devices, and accelerators (e.g., FPGAs, ASICs) -requires significant manual effort. We propose TVM, a compiler that exposes graph-level and operator-level optimizations to provide performance portability to deep learning workloads across diverse hardware back-ends. TVM solves optimization challenges specific to deep learning, such as high-level operator fusion, mapping to arbitrary hardware primitives, and memory latency hiding. It also automates optimization of low-level programs to hardware characteristics by employing a novel, learning-based cost modeling method for rapid exploration of code optimizations. Experimental results show that TVM delivers performance across hardware back-ends that are competitive with state-ofthe-art, hand-tuned libraries for low-power CPU, mobile GPU, and server-class GPUs. We also demonstrate TVM's ability to target new accelerator back-ends, such as the FPGA-based generic deep learning accelerator.The system is open sourced and in production use inside several major companies.
translated by 谷歌翻译
Running machine learning inference on tiny devices, known as TinyML, is an emerging research area. This task requires generating inference code that uses memory frugally, a task that standard ML frameworks are ill-suited for. A deployment framework for TinyML must be a) parametric in the number representation to take advantage of the emerging representations like posits, b) carefully assign high-precision to a few tensors so that most tensors can be kept in low-precision while still maintaining model accuracy, and c) avoid memory fragmentation. We describe MinUn, the first TinyML framework that holistically addresses these issues to generate efficient code for ARM microcontrollers (e.g., Arduino Uno, Due and STM32H747) that outperforms the prior TinyML frameworks.
translated by 谷歌翻译
With the increased usage of AI accelerators on mobile and edge devices, on-device machine learning (ML) is gaining popularity. Thousands of proprietary ML models are being deployed today on billions of untrusted devices. This raises serious security concerns about model privacy. However, protecting model privacy without losing access to the untrusted AI accelerators is a challenging problem. In this paper, we present a novel on-device model inference system, ShadowNet. ShadowNet protects the model privacy with Trusted Execution Environment (TEE) while securely outsourcing the heavy linear layers of the model to the untrusted hardware accelerators. ShadowNet achieves this by transforming the weights of the linear layers before outsourcing them and restoring the results inside the TEE. The non-linear layers are also kept secure inside the TEE. ShadowNet's design ensures efficient transformation of the weights and the subsequent restoration of the results. We build a ShadowNet prototype based on TensorFlow Lite and evaluate it on five popular CNNs, namely, MobileNet, ResNet-44, MiniVGG, ResNet-404, and YOLOv4-tiny. Our evaluation shows that ShadowNet achieves strong security guarantees with reasonable performance, offering a practical solution for secure on-device model inference.
translated by 谷歌翻译
A learned system uses machine learning (ML) internally to improve performance. We can expect such systems to be vulnerable to some adversarial-ML attacks. Often, the learned component is shared between mutually-distrusting users or processes, much like microarchitectural resources such as caches, potentially giving rise to highly-realistic attacker models. However, compared to attacks on other ML-based systems, attackers face a level of indirection as they cannot interact directly with the learned model. Additionally, the difference between the attack surface of learned and non-learned versions of the same system is often subtle. These factors obfuscate the de-facto risks that the incorporation of ML carries. We analyze the root causes of potentially-increased attack surface in learned systems and develop a framework for identifying vulnerabilities that stem from the use of ML. We apply our framework to a broad set of learned systems under active development. To empirically validate the many vulnerabilities surfaced by our framework, we choose 3 of them and implement and evaluate exploits against prominent learned-system instances. We show that the use of ML caused leakage of past queries in a database, enabled a poisoning attack that causes exponential memory blowup in an index structure and crashes it in seconds, and enabled index users to snoop on each others' key distributions by timing queries over their own keys. We find that adversarial ML is a universal threat against learned systems, point to open research gaps in our understanding of learned-systems security, and conclude by discussing mitigations, while noting that data leakage is inherent in systems whose learned component is shared between multiple parties.
translated by 谷歌翻译
这项工作侧重于特定于域的加速器的有效敏捷设计方法。我们采用垂直开发堆栈的功能逐个功能增强,并将其应用于TVM / VTA推理加速器。我们已经增强了VTA设计空间,并启用了用于额外工作负载的端到端支持。这是通过增强VTA微架构和指令集架构(ISA)来实现的,以及通过增强TVM编译堆栈来支持各种VTA配置。 VTA TSIM实现(基于凿子)已通过ALU / GEMM执行单元的完全流水线版本增强。在TSIM中,内存宽度现在可以在8-64字节之间。对于支持较大的刮板,已经使场宽度更加灵活。已添加新的说明:元素 - WISE 8位乘法,支持深度卷积,并使用焊盘值的选择加载以支持最大池。还添加了对更多层和更好的双缓冲。完全管制的ALU / GEMM有助于显着帮助:4.9倍的循环较少,最小区域更改为在默认配置下运行RESET-18。可以实例化特征在于11.5倍的循环计数的配置,以12倍的循环计数更大的区域。显示了区域性能帕累托曲线上的许多点,展示了执行单元尺寸,内存接口宽度和刻痕尺寸的余额。最后,VTA现在能够运行MobileNet 1.0和所有层进行Resnet,包括先前禁用的池和完全连接的图层。 TVM / VTA架构始终在几分钟内以RTL呈现端到端工作量评估。通过我们的修改,它现在提供了更大的可行配置,具有广泛的成本与性能。所有提到的所有功能都可以在OpenSource叉中提供,而这些功能的子集已经上游。
translated by 谷歌翻译
近年来,在平衡(超级)图分配算法的设计和评估中取得了重大进展。我们调查了过去十年的实用算法的趋势,用于平衡(超级)图形分区以及未来的研究方向。我们的工作是对先前有关该主题的调查的更新。特别是,该调查还通过涵盖了超图形分区和流算法来扩展先前的调查,并额外关注并行算法。
translated by 谷歌翻译
由于机器学习(ML)技术和应用正在迅速改变许多计算领域,以及与ML相关的安全问题也在出现。在系统安全领域中,已经进行了许多努力,以确保ML模型和数据机密性。ML计算通常不可避免地在不受信任的环境中执行,并因此需要复杂的多方安全要求。因此,研究人员利用可信任的执行环境(TEES)来构建机密ML计算系统。本文通过在不受信任的环境中分类攻击向量和缓解攻击载体和缓解来进行系统和全面的调查,分析多方ML安全要求,并讨论相关工程挑战。
translated by 谷歌翻译
一般矩阵乘法或GEMM内核在高性能计算和机器学习中占据中心位置。最近的NVIDIA GPU包括Gemm加速器,如Nvidia的张量核心。他们的剥削受到双语言问题的阻碍:它需要低级编程,这意味着低程序员的工作效率或使用只提供有限组件集的库。由于建立的组件方面的REPRASING算法经常引入开销,因此图书馆缺乏灵活性限制了探索新算法的自由。因此,使用GEMMS的研究人员无法立即享受编程生产力,高性能和研究灵活性。在本文中,我们解决了这个问题。我们在科学朱莉娅编程语言中展示了三组抽象和接口来编程宝石。界面和抽象共同设计用于研究人员的需求和朱莉娅的特征,以实现足够的担忧和灵活性的充分分离,以便在不支付性能价格的情况下轻松地扩展基本宝石。将我们的Gemms与最先进的图书馆Cublas和Cutlass进行比较,我们证明我们的性能在图书馆的相同球场中,并且在某些情况下甚至超过它,而无需在CUDA C ++中编写单行代码或者组装,而不面临灵活限制。
translated by 谷歌翻译
Differentially private federated learning (DP-FL) has received increasing attention to mitigate the privacy risk in federated learning. Although different schemes for DP-FL have been proposed, there is still a utility gap. Employing central Differential Privacy in FL (CDP-FL) can provide a good balance between the privacy and model utility, but requires a trusted server. Using Local Differential Privacy for FL (LDP-FL) does not require a trusted server, but suffers from lousy privacy-utility trade-off. Recently proposed shuffle DP based FL has the potential to bridge the gap between CDP-FL and LDP-FL without a trusted server; however, there is still a utility gap when the number of model parameters is large. In this work, we propose OLIVE, a system that combines the merits from CDP-FL and LDP-FL by leveraging Trusted Execution Environment (TEE). Our main technical contributions are the analysis and countermeasures against the vulnerability of TEE in OLIVE. Firstly, we theoretically analyze the memory access pattern leakage of OLIVE and find that there is a risk for sparsified gradients, which is common in FL. Secondly, we design an inference attack to understand how the memory access pattern could be linked to the training data. Thirdly, we propose oblivious yet efficient algorithms to prevent the memory access pattern leakage in OLIVE. Our experiments on real-world data demonstrate that OLIVE is efficient even when training a model with hundreds of thousands of parameters and effective against side-channel attacks on TEE.
translated by 谷歌翻译
Decompilation aims to transform a low-level program language (LPL) (eg., binary file) into its functionally-equivalent high-level program language (HPL) (e.g., C/C++). It is a core technology in software security, especially in vulnerability discovery and malware analysis. In recent years, with the successful application of neural machine translation (NMT) models in natural language processing (NLP), researchers have tried to build neural decompilers by borrowing the idea of NMT. They formulate the decompilation process as a translation problem between LPL and HPL, aiming to reduce the human cost required to develop decompilation tools and improve their generalizability. However, state-of-the-art learning-based decompilers do not cope well with compiler-optimized binaries. Since real-world binaries are mostly compiler-optimized, decompilers that do not consider optimized binaries have limited practical significance. In this paper, we propose a novel learning-based approach named NeurDP, that targets compiler-optimized binaries. NeurDP uses a graph neural network (GNN) model to convert LPL to an intermediate representation (IR), which bridges the gap between source code and optimized binary. We also design an Optimized Translation Unit (OTU) to split functions into smaller code fragments for better translation performance. Evaluation results on datasets containing various types of statements show that NeurDP can decompile optimized binaries with 45.21% higher accuracy than state-of-the-art neural decompilation frameworks.
translated by 谷歌翻译
我们介绍了一种新颖的方法来对计算机程序进行自动终止分析:我们使用神经网络来表示排名功能。排名函数映射程序状态为从下面界限并随着程序运行而减小的值;排名函数的存在证明了程序终止。我们从程序的采样执行轨迹训练神经网络,以使网络的输出沿轨迹降低;然后,我们使用符号推理正式验证其对所有可能执行的概括。通过肯定的答案,我们获得了该计划的正式终止证书,我们称之为神经排名函数。我们证明,由于神经网络代表非线性功能的能力,我们的方法成功地超过了最先进工具的程序。这包括在其循环条件和包括非线性表达式的程序中使用析取的程序。
translated by 谷歌翻译
随着机器学习(ml)的进步及其日益增长的意识,许多拥有数据但不是ML专业知识(数据所有者)的组织希望汇集他们的数据并与那些具有专业知识的人合作,但需要来自不同来源的数据,以便训练真正普遍的资料模型(模型所有者)。在这种协作ML中,数据所有者希望保护其培训数据的隐私,而模型所有者希望模型的机密性和可能包含知识产权的培训方法。但是,现有的私人ML解决方案,如联合学习和分裂学习,不能同时满足数据和模型所有者的隐私要求。本文介绍了城可扩展的协作ML系统,可根据英特尔SGX在不受信任的基础架构中保护两个数据所有者和模型所有者的隐私。 CITADEL在代表数据所有者和代表模型所有者运行的多个训练环路中执行分布式训练。 CITADEL通过零和屏蔽和分层聚合进一步在这些外地之间建立了强大的信息屏障,以防止在协同培训期间防止数据/模型泄漏。与现有的SGX保护培训系统相比,Citadel实现了合作ML的更好的可扩展性和更强大的隐私保障。具有各种ML模型的云部署显示,Citadel缩放到大量的环路,由SGX引起的小于1.73x放缓。
translated by 谷歌翻译
域特异性启发式方法是有效解决组合问题的必不可少的技术。当前将特定于域的启发式方法与答案集编程(ASP)集成的方法在处理基于部分分配的非单调指定的启发式方法时,这是不令人满意的。例如,在挑选尚未放入垃圾箱中的物品时,这种启发式方法经常发生。因此,我们介绍了ASP中域特异性启发式方法声明性规范的新颖语法和语义。我们的方法支持启发式陈述,依赖于解决过程中所维持的部分任务,这是不可能的。我们在Alpha中提供了一种实现,该实现使Alpha成为第一个支持声明指定的域特定启发式方法的懒惰的ASP系统。使用两个实际的示例域来证明我们的提议的好处。此外,我们使用我们的方法用A*实施知情},该搜索首次在ASP中解决。 A*应用于两个进一步的搜索问题。实验证实,结合懒惰的ASP解决方案和我们的新型启发式方法对于解决工业大小的问题至关重要。
translated by 谷歌翻译
基于von-neumann架构的传统计算系统,数据密集型工作负载和应用程序(如机器学习)和应用程序都是基本上限制的。随着数据移动操作和能量消耗成为计算系统设计中的关键瓶颈,对近数据处理(NDP),机器学习和特别是神经网络(NN)的加速器等非传统方法的兴趣显着增加。诸如Reram和3D堆叠的新兴内存技术,这是有效地架构基于NN的基于NN的加速器,因为它们的工作能力是:高密度/低能量存储和近记忆计算/搜索引擎。在本文中,我们提出了一种为NN设计NDP架构的技术调查。通过基于所采用的内存技术对技术进行分类,我们强调了它们的相似之处和差异。最后,我们讨论了需要探索的开放挑战和未来的观点,以便改进和扩展未来计算平台的NDP架构。本文对计算机学习领域的计算机架构师,芯片设计师和研究人员来说是有价值的。
translated by 谷歌翻译
机器学习中的隐私和安全挑战(ML)已成为ML普遍的开发以及最近对大型攻击表面的展示,已成为一个关键的话题。作为一种成熟的以系统为导向的方法,在学术界和行业中越来越多地使用机密计算来改善各种ML场景的隐私和安全性。在本文中,我们将基于机密计算辅助的ML安全性和隐私技术的发现系统化,以提供i)保密保证和ii)完整性保证。我们进一步确定了关键挑战,并提供有关ML用例现有可信赖的执行环境(TEE)系统中限制的专门分析。我们讨论了潜在的工作,包括基础隐私定义,分区的ML执行,针对ML的专用发球台设计,TEE Awawe Aware ML和ML Full Pipeline保证。这些潜在的解决方案可以帮助实现强大的TEE ML,以保证无需引入计算和系统成本。
translated by 谷歌翻译
想象一组愿意集体贡献他们的个人数据的公民,以获得共同的益处,以产生社会有用的信息,由数据分析或机器学习计算产生。使用执行计算的集中式服务器共享原始的个人数据可能会引发对隐私和感知风险的担忧。相反,公民可以相互信任,并且他们自己的设备可以参与分散的计算,以协同生成要共享的聚合数据释放。在安全计算节点在运行时在安全信道交换消息的上下文中,密钥安全问题是保护对观察流量的外部攻击者,其对数据的依赖可以揭示个人信息。现有解决方案专为云设置而设计,目标是隐藏底层数据集的所有属性,并且不解决上述背景下出现的特定隐私和效率挑战。在本文中,我们定义了一般执行模型,以控制用户侧分散计算中通信的数据依赖性,其中通过组合在局部节点的局部集群上的保证来分析全局执行计划中的差异隐私保证。我们提出了一系列算法,可以在隐私,效用和效率之间进行权衡。我们的正式隐私保障利用,并通过洗牌延长隐私放大的结果。我们说明了我们对具有数据依赖通信的分散执行计划的两个代表性示例的提案的有用性。
translated by 谷歌翻译