Cryptographic protection of ML models

Transcript

1. Cryptographic protection of ML models @vixentael

2. @vixentael head of customer solutions, security software engineer focused on

   applied crypto, building e2ee protocols, and secure software development vixentael.dev

3. cossacklabs.com Data security tools & solutions @vixentael We make software

   to get data security right – from open-source and proprietary cryptographic tools to custom solutions and consulting. We are cryptographers, security engineers, system engineers, infrastructure engineers.

4. Working with companies that care about data security Critical infrastructure,

   healthcare, payment processors, ML/AI, popular apps — where data security is a hard requirement.

5. @vixentael Things we won’t talk about Adversarial networks, adversarial attacks

   Malware inside ML networks Deserialization bug in TensorFlow -> arbitrary code execution https://arxiv.org/abs/2107.08590 https://portswigger.net/daily-swig/deserialization-bug-in-tensor fl ow- machine-learning-framework-allowed-arbitrary-code-execution ML “Unlearning” http://yinzhicao.org/unlearning/UnlearningOakland15.pdf https://arxiv.org/abs/1712.09665

6. @vixentael What we will talk about Protecting IP Integrating cryptography

   with traditional security controls Application-level encryption cossacklabs.com/case-studies/ai-ml-ip-protection/ TensorFlow (a bit) HPKE-like scheme, DRM-like approach

7. Let’s start

8. @vixentael Protecting unique IP (ML models) against leakage and misuse

   Extremely popular AI/ML application. ML models everywhere. They wanted to switch ML execution from backend-side to client-side to decrease load and improve service.

9. @vixentael IP -> backend Client app sends request. Backend executes

   ML model. Backend sends ready result. Repeat every time. Before

10. @vixentael Client app sends request. Backend executes ML model. Backend

    sends ready result. Repeat every time. Before After Client app sends request. Backend generates unique Individual ML model (IML). Backend sends IML to client app. 
 Client app stores and executes IML locally. IMLs are unique per user (1 app - 1 user - N models). IP -> backend, client-side

11. @vixentael Business risks of decision R1 leakage of IP loss

    of IP, competitor advantage, investments into updating ML model. Losing 1 IML is not a problem, losing many IML is. R2 broken apps, clones apps, API fraud abuse of infrastructure, 
 revenue loss, 
 abuse of IP, competitor advantage, 
 reputation risks

12. @vixentael Tech stack Native mobile apps: iOS – Swift/ObjC +

    CoreML Android – Kotlin + TensorFlow Lite python backend, TensorFlow GCP: workers (GCE), storage, KMS, DBs, Firebase authN

13. API @vixentael Architecture and data fl ow user data GCE

    worker, TF native iOS app native Android app GCP, storing IMLs training servers main ML infra generating IMLs

14. API @vixentael IML data fl ow user data GCE worker,

    TF native iOS app native Android app GCP, storing IMLs training servers main ML infra generating IMLs

15. @vixentael IML lifecycle GCE worker generate IML, send to GCP

    storage memory, transit GCP storage store IML fi le storage, transit API URL on IML fi le transit mobile app download from GCP storage, 
 save locally as fi le, 
 unpack & execute IML transit, storage, memory

16. @vixentael Threat modelling [simpli fi ed] API leakage via API,

    credential leakage, abuse of IML generation pretending to be a paying user collect from storage, fi nd in backups, fi nd in logs leakage / eavesdropping, client-server passive MitM, client-server active MitM extract IML via RE, crowdsourcing, automation of broken apps, malicious 3rd party libs Cloud storage Transit Mobile app

17. @vixentael Authenticity Spoo fi ng DoS Tampering Disclosure Integrity Con

    fi dentiality Availability Threat modelling [simpli fi ed] API Cloud storage Transit Mobile app

18. Let’s use cryptography!

19. @vixentael What is ML model ML model – output of

    ML algorithm. A fi le. With model data and procedure/algorithm. Layers with weights. From security perspective – a fi le :)

20. @vixentael Encryption layer API GCE worker, TF native iOS app

    native Android app GCP, storing IMLs encrypts each IML stores encrypted decrypts IML decrypts IML

21. @vixentael Encryption layer: requirements 1. Minimize the lifetime of plaintext

    IMLs 2. Minimize the chance of accumulating IMLs 3. Fast, smooth, without complicated crypto 4. Easy key management, without PKI 5. Works across 3+ platforms

22. @vixentael Encryption layer: solutions 1. Minimize the lifetime of plaintext

    IMLs 2. Minimize the chance of accumulating IMLs 3. Fast, smooth, without complicated crypto 4. Easy key management, without PKI 5. Works across 3+ platforms => encrypt after generation, decrypt before usage => use unique keys per IML => AES-256-GCM + ECDH => ephemeral keys => Themis crypto lib

23. @vixentael IML encryption & decryption GCE worker, TF 1. Generate

    keypair. Send app.publicKey to backend. 2. Generate keypair. Use server.privateKey and app.publicKey to derive sharedKey (ECDH). 3. Generate random DEK. 4. Encrypt IML using DEK, AES-256-GCM. 5. Encrypt DEK using sharedKey, AES-256-GCM. 6. Send { encryptedIML, encryptedDEK, server.publicKey }. 7. Receive. Use app.privateKey and server.publicKey to derive sharedKey. 8. Decrypt DEK, decrypt IML.

24. @vixentael IML format { "data": base64_str(encrypted_IML), "key": base64_str(encrypted_DEK), "public_key": server_ephemeral_public_key,

    "version": MODEL_VERSION, "layers": { // additional ML layers encryption } }

25. @vixentael IML encryption import pythemis server_keypair = GenerateKeyPair(KEY_PAIR_TYPE.EC) s_private_key =

    server_keypair.export_private_key() s_public_key = server_keypair.export_public_key() secure_message = SMessage(s_private_key, app_public_key) encrypted_DEK = secure_message.wrap(DEK) DEK = GenerateSymmetricKey() cell = SCellSeal(DEK) encrypted_IML = cell.encrypt(IML, userID) send: { encrypted_IML, encrypted_DEK, s_public_key } github.com/cossacklabs/themis

26. @vixentael IML decryption import themis let keypair = TSKeyGen(algorithm: .EC)!

    let appPrivateKey = keypair.privateKey! let appPublicKey = keypair.publicKey! let cell = TSCellSeal(key: DEK)! let IML = try? cell.decrypt(encryptedIML, userID) let secureMessage = TSMessage(inEncryptModeWithPrivateKey: appPrivateKey, peerPublicKey: serverPublicKey)! let DEK = try? secureMessage.unwrapData(encryptedDEK) github.com/cossacklabs/themis

27. @vixentael Crypto engine: Themis github.com/cossacklabs/themis same API across 14 platforms

    boring crypto hidden crypto-details recommended by OWASP tons of docs

28. @vixentael Application-level encryption Encryption process happening within application context, triggered

    by application. ALE could work together with data-at-rest encryption and data- in-transit encryption. ALE could be client-side, server-side, end-to-end, etc. infoq.com/articles/ale-software-architects/

29. @vixentael encryption controls / events transit (TLS) disk / FS

    TDE / DB encryption ALE E2EE physical access to servers ⛔ ✅ ✅ ✅ ✅ MitM ✅ ⛔ ⛔ ✅ ✅ privileged DB access ⛔ ⛔ ⛔ ✅ ✅ privileged system access ⛔ ⛔ ⛔ Depends ✅ backups, logs, snapshots ⛔ ⛔ Few ✅ ✅ infoq.com/articles/ale-software-architects/

30. @vixentael Hybrid Public Key Encryption (HPKE) datatracker.ietf.org/doc/draft-irtf-cfrg-hpke/ encrypt data with

    symmetric key using AEAD; encapsulate symmetric key with public key scheme RFC describes approach used before and implies standardization.

31. @vixentael Lightweight key management 1. Lightweight key management – server

    generates ephemeral keypair each time, no need for PKI. 2. NIST SP 800-57 – sorry, ephemeral keys FTW. 3. Store client-side public key in the user database to “pin” devices, or use ephemeral keypairs too. 4. Server authenticity problem – solve by server attestation, TLS pinning. 5. Mobile app storage problem – use Keychain/KeyStore, encrypt keys by SecureEnclave.

32. @vixentael Crypto defense in depth: let new_DEK = TSGenerateSymmetricKey() let

    cell = TSCellSeal(key: new_DEK)! let encrypted_IML_ID = try? cell.encrypt(IML) 1. Re-encrypt IML on device on receiving (AES-256-GCM).

33. @vixentael Crypto defense in depth: 1. Re-encrypt IML on device

    on receiving (AES-256-GCM). => to un-link server keys, to re-encrypt IML purely based on device keys Store re-encryption keys in Keychain/KeyStore. Bonus points for biometrics binding. let new_DEK = TSGenerateSymmetricKey() let cell = TSCellSeal(key: new_DEK)! let encrypted_IML_ID = try? cell.encrypt(IML)

34. @vixentael Crypto defense in depth: GCE worker, TF IML encryptedIML

    generation encryption storage transfer + TLS transfer + TLS decryption re-encryption & storage execution encryptedIML encryptedIML IML IML encryptedIML 2. IMLs are encrypted after generation for storage, then using TLS for transport, then re-encrypted on device.

35. @vixentael Crypto defense in depth: GCE worker, TF IML encryptedIML

    generation encryption storage transfer + TLS transfer + TLS decryption re-encryption & storage execution encryptedIML encryptedIML IML IML encryptedIML 😿 2. IMLs are encrypted after generation for storage, then using TLS for transport, then re-encrypted on device.

36. @vixentael Crypto defense in depth: 3. In-memory encryption. CoreML requires

    plaintext model fi le when loads.

37. @vixentael Crypto defense in depth: 3. In-memory encryption. CoreML requires

    plaintext model fi le when loads. => create MLCustomLayer with encrypted weights, decrypt before load to shader (CPU) => create custom shader function to obfuscate weights before execution on shader (GPU) (also see Apple docs on encrypting ML models that are parts of app bundle)

38. @vixentael Performance considerations 1. GPU shaders have limited cache memory,

    can’t run “normal” ciphers. 2. Use fast crypto: ECC & AES-GCM. 3. Crypto adds performance penalty, but AES-GCM has hardware support everywhere. No noticeable UX penalty. 4. Some Android devices are extremely slow, but if the device can render ML with 50-60 FPS, it can run crypto fast. 5. Generating IMLs and encrypting them might be still faster than executing server-side ML for each request.

39. @vixentael Overlapped security controls 1. Encryption to protect IMLs globally

    during the whole data fl ow. 2. Whatever is the attack vector, there is a defense layer. 3. For most popular attack vectors, we want as many independent defenses as possible. ✅

40. Crypto is more useful when integrated with traditional security controls.

41. @vixentael API GCE worker, TF native iOS app native Android

    app GCP, storing IMLs crypto crypto crypto crypto Integration with other security controls

42. @vixentael Integration with other security controls API GCE worker, TF

    native iOS app native Android app GCP, storing IMLs AuthN AuthN TTL crypto anti- RE appsec crypto anti- RE appsec API sec anti- fraud crypto crypto ACL logging monitoring appsec

43. @vixentael Cloud storage security 101 AuthN TTL ACL 1. IMLs

    are stored min time – apps are expected to grab their IML quickly. 2. URL TTL (expire after mins). 3. URL authentication & access control. 4. Clean up IML fi les (every hour). 5. Do not backup IMLs. 6. URLs are not logged. 7. Monitoring of access errors. (also see OWASP WSTG-CONF-11)

44. @vixentael API protection 101 1. User authN, IMLs are available

    only after successful authN. 2. API limits, requests throttling, fi rewalling. 3. IML request limits – after N model requests, server returns error. (also see OWASP ASVS :) ) AuthN appsec API sec API

45. @vixentael Anti-fraud system 201 1. Limit access to IML based

    on user behaviour. 2. Gather events from mobile apps and from server side. 3. Calculate user scoring based on events (“stop- factors”, rules). 4. User scoring: OK, suspicious, malicious. 5. Block malicious, limit suspicious. API anti- fraud

46. @vixentael Anti-fraud system 201 JB detected same public key, different

    device invalid app signature remote device attestation failed 🛑 stop factors } URL download failure app reinstall too many requests keychain not accessible 🤨 implicative rules } wrong API version … honey token deviceID … malicious suspicious OK

47. @vixentael Remote device attestation developer.apple.com/ documentation/devicecheck Apple DeviceCheck developer.android.com/training/ safetynet/attestation

    Android SafetyNet 1. Use as part of user authN. 2. Use as source for anti-fraud system. 3. Block apps installed not from stores.

48. @vixentael Anti-reverse engineering mobile apps (also see OWASP MASVS-R)

49. @vixentael Special improvements for ML models 1. Watermarks. 2. Custom

    ML layers. 3. Model binding (ML models that work only with custom data -> non- general purpose ML models, no risks to steal).

50. @vixentael Integration with other security controls API GCE worker, TF

    native iOS app native Android app GCP, storing IMLs AuthN AuthN TTL crypto anti- RE appsec crypto anti- RE appsec API sec anti- fraud crypto crypto ACL logging monitoring appsec

51. @vixentael Overlapped security controls 1. Encryption to protect IMLs globally

    during the whole data fl ow. 2. Whatever is the attack vector, there is a defense layer. 3. For most popular attack vectors, we want as many independent defenses as possible. ✅ ✅ ✅

52. Failure of a single security control is a question of

    time. Failure of a security system is a question of design.

53. @vixentael vixentael.dev/talks/use-crypto-dont-learn-it/ Use cryptography; don’t learn it infoq.com/articles/ale-software-architects/ Application Level

    Encryption for Software Architects, by @9gunpi cossacklabs.com/blog/crypto-signed-audit-logs.html Cryptographically signed audit logs cossacklabs.com/blog/react-native-app-security.html React Native security: things to keep in mind, by @julepka

54. @vixentael vixentael.dev cossacklabs.com cossacklabs.com/whitepapers cossacklabs.com/blog