CCS2024

HyperTheft: Thieving Model Weights from TEE-Shielded Neural Networks via Ciphertext Side Channels

Yuanyuan Yuan, Zhibo Liu, Sen Deng, Yanzuo Chen, Shuai Wang, Yinqian Zhang, Zhendong Su

Cited 8 times

Abstract

Trusted execution environments (TEEs) are widely employed to protect deep neural networks (DNNs) from untrusted hosts (e.g., hypervisors). By shielding DNNs as fully black-box via encryption, TEEs mitigate model weight leakage and its follow-up white-box attacks. However, this paper uncovers that the confidentiality of TEE-shielded DNNs can be violated due to an emerging threat towards TEEs: ciphertext side channels of TEEs create weight-dependent observations during a DNN's execution. Despite the potential of inferring DNN weights from ciphertext side channels, existing techniques are inapplicable due to their over-strong requirements and the high precision required by DNN weights. A DNN can have millions of weight elements, and even a few incorrectly recovered weight elements may make the DNN non-functional. We propose a novel viewpoint that focuses on the functionality of DNN weights, rather than each weight element's exact value. Accordingly, we design HyperTheft to directly generate weights that are functionality-equivalent to the victim DNN using ciphertext side channels. HyperTheft is established for highly practical settings; it exhibits the weakest requirement compared to prior methods. When only knowing a victim DNN's input type and task type (which are public and denote the minimal information required to use a DNN), HyperTheft can recover its weights using ciphertext side channels logged during a single execution of the victim DNN. The whole procedure does not require attackers to 1) query the