Vulnerabilities in Partial TEE-Shielded LLM Inference with Precomputed Noise
Abhishek Saini, Haolin Jiang, Hang Liu
TL;DR
This work identifies a prevalent performance-driven pattern in Partial TEE-Shielded Inference (PTSE): the use of a precomputed, static secret basis to accelerate noise-based masking and fingerprinting. It shows that reusing this basis across queries confines the noise to a low-dimensional subspace, which enables algebraic attacks that compromise both model confidentiality and computational integrity. The authors formalize two attacks, one recovering the secret permutations and weights of a TLG-like system and another bypassing the integrity checks of Soter, validate them on large LLMs, and report realistic time-to-compromise figures ranging from minutes to hours. The findings expose a fundamental tension between efficiency and provable security in PTSE and motivate design principles for dynamic noise generation and cross-query obfuscation that resist subspace leakage. Practically, the attacks threaten total IP theft and undetectable tampering of offloaded computations, underscoring the need for cryptographic mechanisms that avoid reusing secret material across queries.
Abstract
The deployment of large language models (LLMs) on third-party devices requires new ways to protect model intellectual property. While Trusted Execution Environments (TEEs) offer a promising solution, their performance limits can lead to a critical compromise: using a precomputed, static secret basis to accelerate cryptographic operations. We demonstrate that this mainstream design pattern introduces a classic cryptographic flaw, the reuse of secret keying material, into the system's protocol. We prove its vulnerability with two distinct attacks. First, our attack on a model confidentiality system achieves a full confidentiality break by recovering its secret permutations and model weights. Second, our integrity attack completely bypasses the integrity checks of systems like Soter and TSQP. We demonstrate the practicality of our attacks against state-of-the-art LLMs, recovering a layer's secrets from a LLaMA-3 8B model in about 6 minutes and showing that the attack scales to compromise 405B-parameter LLMs across a variety of configurations.
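The subspace leakage that the abstract attributes to a static, precomputed noise basis can be seen in a few lines of linear algebra. The following is an added toy model written for this page; it is not the paper's construction and not the protocol of TLG, Soter or TSQP. A secret vector (standing in for a row of offloaded weights) is masked on every query by adding a random combination of a fixed K-dimensional basis, the masked values are handed to an untrusted party, and that party recovers the basis subspace from the differences between queries and then strips the noise from any later query it has never seen. The dimensions D and K, the query count and all data are constructed; the comparison against fully fresh per-query noise shows the same procedure failing when no secret material is reused.

```python
"""
Toy model of noise masking with a static precomputed basis (added example,
not the paper's scheme). All names, dimensions and data are constructed.
"""
import numpy as np

D = 64  # hypothetical hidden dimension of the masked vectors
K = 4   # hypothetical size of the precomputed noise basis (K << D)


def make_static_basis(rng, d=D, k=K):
    # Secret basis generated once and reused for every query: the flawed pattern.
    return rng.standard_normal((d, k))


def mask_with_static_basis(secret, basis, rng):
    # Cheap per-query noise: fresh K coefficients times the static D x K basis.
    coeffs = rng.standard_normal(basis.shape[1])
    return secret + basis @ coeffs


def mask_with_fresh_noise(secret, rng):
    # Comparison case: fully fresh D-dimensional noise on every query.
    return secret + rng.standard_normal(secret.shape[0])


def recover_noise_subspace(observations, k):
    # Untrusted party: N masked copies of the same secret. Pairwise differences
    # cancel the secret and lie in span(basis); the SVD exposes that subspace.
    diffs = observations[1:] - observations[0]
    u, s, _ = np.linalg.svd(diffs.T, full_matrices=False)
    return u[:, :k], s


def strip_noise(vec, subspace):
    # Project onto the orthogonal complement of the leaked subspace. If the
    # noise lives entirely in that subspace this removes it exactly.
    return vec - subspace @ (subspace.T @ vec)


def numerical_rank(singular_values, rel_tol=1e-8):
    return int(np.sum(singular_values > rel_tol * singular_values[0]))


def demo(seed=0, n_queries=32):
    rng = np.random.default_rng(seed)
    secret = rng.standard_normal(D)  # constructed stand-in for a secret weight row
    basis = make_static_basis(rng)

    static_obs = np.stack([mask_with_static_basis(secret, basis, rng)
                           for _ in range(n_queries)])
    fresh_obs = np.stack([mask_with_fresh_noise(secret, rng)
                          for _ in range(n_queries)])

    sub_static, s_static = recover_noise_subspace(static_obs, K)
    sub_fresh, s_fresh = recover_noise_subspace(fresh_obs, K)

    # A query never used during subspace recovery: does the stripped value
    # match the stripped secret (i.e. is the mask gone)?
    new_static = mask_with_static_basis(secret, basis, rng)
    new_fresh = mask_with_fresh_noise(secret, rng)
    err_static = float(np.linalg.norm(
        strip_noise(new_static, sub_static) - strip_noise(secret, sub_static)))
    err_fresh = float(np.linalg.norm(
        strip_noise(new_fresh, sub_fresh) - strip_noise(secret, sub_fresh)))

    return {
        "rank_static": numerical_rank(s_static),  # == K: the basis leaks
        "rank_fresh": numerical_rank(s_fresh),    # == n_queries - 1: no structure
        "err_static": err_static,                 # ~0: mask removed on new query
        "err_fresh": err_fresh,                   # large: nothing to strip
    }


if __name__ == "__main__":
    print(demo())
```

What the untrusted party obtains is the component of the secret orthogonal to the K-dimensional noise subspace, which is D minus K of D dimensions and is identical on every query: the masking hides nothing outside the span of the reused basis. How the actual systems' permutations, weights and integrity checks are then recovered or bypassed is the paper's contribution and is not modelled here; the point of the block is only the reuse-of-secret-material flaw the abstract names.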
