sanghyun-hong / how-to-0wn-nas-in-your-spare-time

[ICLR'20] How to 0wn NAS in Your Spare Time

Home Page: http://hardwarefail.ml

License: MIT License

Python 98.25% Shell 1.75%
deep-learning security-vulnerability side-channel-attacks pipeline-reconstruction

This repository contains the code for the paper "How to 0wn NAS in Your Spare Time".
Published at the International Conference on Learning Representations (ICLR) 2020, Addis Ababa, Ethiopia.

Authors: Sanghyun Hong, Michael Davinroy, Yigitcan Kaya, Dana Dachman-Soled, and Tudor Dumitras
Contact: Sanghyun Hong

About

Our study presents an algorithm that reconstructs the key components of a novel deep learning system (i.e., a novel data pre-processing pipeline and a neural network architecture) by exploiting information leakage from a cache side-channel attack, Flush+Reload. Based on the trace of computations and the timing for each computation observed by Flush+Reload, we generate candidate computational graphs from the trace and eliminate incompatible candidates through a parameter estimation process. We demonstrate experimentally that we can reconstruct MalConv, a novel data pre-processing pipeline for malware detection, and ProxylessNAS-CPU, a novel network architecture for ImageNet classification optimized to run on CPUs, without knowing the architecture family. This repository contains the traces that we observed by the side-channel attack and the scripts for reconstructing victim architectures.

Note: this repository currently includes the code for the ToyNet and MalConv reconstructions.

Install Dependencies

You can install the required Python packages by running the following command:

  $ pip install -r requirements.txt

Run (MalConv)

To run the script for reconstructing the MalConv architecture:

  $ ./reconstruct_malconv.sh

The reconstruction results are stored under the results/reconstruct/<victim> folder.

  • computational_graphs: contains the computational graphs reconstructed from a trace.
  • architecture_candidates: contains the candidate architectures reconstructed by pruning.
  • architectures: contains the final architecture after removing unrealistic candidates.

This PDF shows the final architecture from this reconstruction.

Traces from Flush+Reload

You can see the traces observed from the cache side-channel attack (Flush+Reload) in the traces/<victim> folder. We use the Mastik toolkit to extract those traces. If you're interested in this process, you can refer to this repository for our previous project.

  • raw: contains the raw traces observed by the side-channel attacker.
  • processed: contains the traces processed offline, used as an input to the reconstruction algorithm.

Cite This Work

You are encouraged to cite our paper if you use this code for academic research.

@inproceedings{Hong200wn,
  author    = {Sanghyun Hong and
               Michael Davinroy and
               Yigitcan Kaya and
               Dana Dachman{-}Soled and
               Tudor Dumitras},
  title     = {How to 0wn NAS in Your Spare Time},
  booktitle = {International Conference on Learning Representations},
  year      = {2020},
  url       = {https://arxiv.org/pdf/2002.06776.pdf},
}

License

This project is licensed under the MIT License; see the LICENSE file for details.

Fin.
