Reviews and Comments

As someone who sees a lot of LLM & security research, this keynote is a nice summary of where LLMs will likely (or have already) add value, and where they will never help, regardless of LLM ability.

In short, using LLMs to generate inputs is orders of magnitude too slow to outpace the shear speed of random/semi-random mutation. Using LLMs to generate fuzzing harnesses, and to build generator logic that generates inputs will pay off, LLMs can ingest specs, code, and revise their output to get around coverage blocks.

A nice talk that blends the personal story of the speaker with a prediction about where investments in fuzzing will go to maximize their ROI.

This paper explores input to DNN models that cause an asymptotic increase in power usage or timing. By using genetic algorithms in a white-box setting, the researchers could find image and text inputs that would drive up inference effort.

The results were impressive, causing a 6000x slowdown on a hosted Azure translation model.

This paper explores recovering victim key-presses through a Wi-Fi data channel know as Beam-forming Feedback Information. BFI is used to help wireless APs adjust their beam-forming TX to improve performance, but BFI contains data correlated by changes in device orientation, and the attenuation from nearby movement (e.g., fingers on keyboard). By training a NN, the researchers were able to recover numeric key-presses (from a numeric keyboard) with ~88% accuracy across a variety of devices.

Pretty impressive, and shows how difficult it is to account for side-channels across all the layers of the stack when it's relatively easy to train a very sensitive ML model to extract a tiny signal from the noise.

Short easy read comparing three different compression algorithms for their performance in detecting suspicious log data from the DARPA '99 dataset.

A frank look into the long-term, and ongoing rewriting of history by the CCP, as well as the brave few who manage to continue to document and catalog the past as a time capsule for future generations.

Amazing how one of the largest man-made mass deaths is little known, and almost never studied in Western history. This book opens more questions than it answers, but helpfully comes with a guide for where to go next to learn more.

Not particularly cheery, but there is a glimmer of hope that shines throughout.

A good story, obviously a rosy view, but nice to see how things were done so long ago. Thanks to @casey for the recommendation, and a nice reminder about how regulatory scar-tissue will be the death of any DoD-connected innovation centers.

Another @casey recommendation

This paper covers a compiler for more traditional imperative code to be converted to optimized (and batched) FHE operations via the SEAL library. The frontend is Python, which is then converted to multiple simplification and optimization passes in the CPP MLIR.

Both synthetic/toy examples and more real-world applications are created in pure imperative implementations (that require non-performant emulation steps), compiled with HECO, and built with FHE optimizations manually. The HECO performance is close to the hand-optimized in most scenarios, even edging it out in a few.

Hopefully the spread of this tool will help FHE reach the masses.

This paper covers a highly-effective (85%+) hijack attack where training data is tainted by an adversary, and then the model can be cajoled into performing other types of tasks. While this work is a steep closer to a more general-type of attack, the model is less plausible than inference-time attacks popularized in the Adversarial Reprogramming literature.

I have sent this paper to a number of people over the years from when it first came out, I am surprised there is less attention to this type of attack, despite being a white-box model. This is the first class of attack that lets the attacker reprogram an image classification model to perform an attacker-determined task (e.g., turning an image classifier into a counter task).

Reviewing this paper 5 years after its release, it still stands up, and I see there is a small field of work in this lineage that includes similar attacks against NLP classifiers. I would count this paper as the starting point for this class of attack, which is an impressive and high-impact field.

While silent SMSes have been used by authorities for quite some time to geolocate cell-phones, this work puts a less powerful capability into the hands of anyone. By training a ML model on the RTT from sending a silent SMS to phones in different [known] locations, a temporal map of the GSM network can be made to later classify RTTs when targeting a victim phone and approximate their location to country/region.

Without cooperation of the cell infrastructure it's pretty coarse-grained, but still a scary way to figure out where a target of interest is without alerting them.