Distinguished Paper Award for CipherSteal at IEEE S&P

"CipherSteal: Stealing Input Data from TEE-Shielded Neural Networks with Ciphertext Side Channels" wins a Distinguished Paper Award at IEEE S&P. Congratulations to the authors: Yuanyuan Yuan, Zhibo Liu, Sen Deng, Yanzuo Chen, Shuai Wang, Yinqian Zhang and Zhendong Su!

Shielding neural networks (NNs) from untrusted hosts with Trusted Execution Environments (TEEs) has been increasingly adopted. Nevertheless, this paper shows that the confidentiality of NNs and user data is compromised by the recently disclosed ciphertext side channels in TEEs, which leak the memory write patterns of TEE-shielded NNs to malicious hosts. While recent works have used ciphertext side channels to recover cryptographic key bits, that technique does not apply to NN inputs, which are more complex and for which only partial information is leaked. We propose an automated input recovery framework, CipherSteal, and for the first time demonstrate the severe threat of ciphertext side channels to NN inputs. CipherSteal recasts input recovery as a two-step approach, information transformation followed by reconstruction, and proposes optimizations to fully utilize the partial input information leaked through ciphertext side channels. We evaluate CipherSteal on diverse NNs (e.g., Transformers) and image/video inputs, and successfully recover visually identical inputs under different levels of attacker prior knowledge of the target NNs and their inputs. We comprehensively evaluate two popular NN frameworks, TensorFlow and PyTorch, and NN executables generated by two recent NN compilers, TVM and Glow, and study their different attack surfaces. Moreover, we further steal the target NN's functionality by training a surrogate NN on our recovered inputs, and leverage the surrogate NN to generate "white-box" adversarial examples that effectively manipulate the target NN's predictions.
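The channel the abstract builds on is the deterministic, address-tweaked memory encryption used by TEEs such as AMD SEV-SNP: the same plaintext stored at the same physical address always produces the same ciphertext, so a host that can read guest ciphertext learns which blocks were written with a new value and when a block returns to a value it held earlier, without ever decrypting anything. The simulation below, added here as an illustration and not code from the paper or its authors, models that primitive. The class and function names are hypothetical, a keyed hash stands in for the XEX-style block cipher (it has the only property that matters, ciphertext equality iff plaintext equality at a given address), the sample activation vector is constructed, and the "zero before the write" assumption in `infer_zero_blocks` is the observer's, not the hardware's. It shows both why write patterns leak and why the leak is partial: the resolution is one cipher block (four float32 values), and a rewrite of an unchanged value is invisible.

```python
import hmac
import hashlib
import struct
from collections import defaultdict

BLOCK = 16  # memory-encryption granularity: one cipher block
# Constructed key for the simulation; on real hardware the key never leaves the SoC.
KEY = b"simulated-memory-encryption-key"


def encrypt_block(addr: int, plaintext: bytes) -> bytes:
    """Stand-in for address-tweaked deterministic memory encryption (XEX-style).

    Only two properties are reproduced, because only they drive the channel:
      * same (address, plaintext) -> same ciphertext every time (no counter/nonce);
      * same plaintext at another address -> different ciphertext.
    The host never decrypts, it only compares ciphertexts, so a keyed hash suffices.
    """
    assert len(plaintext) == BLOCK
    return hmac.new(KEY, struct.pack(">Q", addr) + plaintext, hashlib.sha256).digest()[:BLOCK]


class EncryptedMemory:
    """Guest-private memory: the guest sees `plain`, the host only sees `cipher`."""

    def __init__(self, nbytes: int):
        assert nbytes % BLOCK == 0
        self.plain = bytearray(nbytes)  # zero-initialised, like a fresh page
        self.cipher = {}
        for addr in range(0, nbytes, BLOCK):
            self._reencrypt(addr)

    def _reencrypt(self, addr: int) -> None:
        self.cipher[addr] = encrypt_block(addr, bytes(self.plain[addr:addr + BLOCK]))

    def guest_write(self, addr: int, data: bytes) -> None:
        """Guest-side store: update plaintext and re-encrypt every touched block."""
        self.plain[addr:addr + len(data)] = data
        first = addr - addr % BLOCK
        end = addr + len(data) - 1
        for blk in range(first, end - end % BLOCK + 1, BLOCK):
            self._reencrypt(blk)

    def host_view(self) -> dict:
        """What a malicious hypervisor can read: ciphertext per block."""
        return dict(self.cipher)


class HostObserver:
    """Untrusted host diffing ciphertext snapshots taken at two points in time."""

    def __init__(self, mem: EncryptedMemory):
        self.prev = mem.host_view()
        self.history = defaultdict(set)  # per address: every ciphertext seen there
        for addr, ct in self.prev.items():
            self.history[addr].add(ct)

    def observe(self, mem: EncryptedMemory) -> dict:
        """Return {addr: (changed, repeated)}.

        changed : ciphertext differs from the last snapshot, i.e. a store of a
                  *different* value hit this block (storing the same value is invisible).
        repeated: the new ciphertext was seen at this address before, i.e. the block
                  now holds a value it held earlier (equality leaks, the value does not).
        """
        cur = mem.host_view()
        result = {}
        for addr, ct in cur.items():
            changed = ct != self.prev[addr]
            repeated = changed and ct in self.history[addr]
            result[addr] = (changed, repeated)
            self.history[addr].add(ct)
        self.prev = cur
        return result


def write_f32_vector(mem: EncryptedMemory, base: int, values) -> None:
    """Guest stores a float32 vector (e.g. one layer's activations) at `base`."""
    mem.guest_write(base, b"".join(struct.pack("<f", v) for v in values))


def infer_zero_blocks(obs: HostObserver, mem: EncryptedMemory, base: int, n_values: int):
    """Host inference under the observer's assumption that the buffer held zeros before
    the write: a block whose ciphertext did not change still contains only zeros.
    Resolution is one cipher block, i.e. one answer per four float32 values."""
    changes = obs.observe(mem)
    n_blocks = (n_values * 4 + BLOCK - 1) // BLOCK
    return [not changes[base + i * BLOCK][0] for i in range(n_blocks)]


if __name__ == "__main__":
    mem = EncryptedMemory(64)
    host = HostObserver(mem)
    # Constructed post-ReLU activation vector; blocks 1 and 3 are entirely zero.
    acts = [0.5, 0.0, 1.25, 2.0, 0.0, 0.0, 0.0, 0.0, 3.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0]
    write_f32_vector(mem, 0, acts)
    print(infer_zero_blocks(host, mem, 0, len(acts)))
```

The observer learns only equality relations, not values: after the guest later zeroes block 0 again, `observe` reports it as changed and repeated, because the ciphertext matches the one recorded at initialisation, while a write of a brand-new value is changed but not repeated. That is the "partial information" the abstract refers to, and the block-level granularity is the reason a key-recovery style attack, which targets known bit positions, does not transfer directly to recovering an image.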

Yuanyuan Yuan, Zhibo Liu, Sen Deng, Yanzuo Chen, Shuai Wang, Yinqian Zhang, Zhendong Su, "CipherSteal: Stealing Input Data from TEE-Shielded Neural Networks with Ciphertext Side Channels," in 2025 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, 2025, doi: 10.1109/SP61157.2025.00079 [Paper: ACM Digital Library]