SPSL: Secure and Private Systems for Machine Learning

Vitaly Shmatikov is a Professor of Computer Science at Cornell University and Cornell Tech. Before joining Cornell, he worked at the University of Texas at Austin and SRI International. He received the Caspar Bowden PET Award for Outstanding Research in Privacy Enhancing Technologies three times, in 2008, 2014, and 2018, and was a runner-up in 2013. Dr. Shmatikov’s research group won the Test-of-Time Awards from the IEEE Symposium on Security and Privacy and the ACM Conference on Computer and Communications Security (CCS), multiple Best Practical Paper and Best Student Paper Awards from IEEE S&P and NDSS, and the NYU-Poly AT&T Best Applied Security Paper Award. Dr. Shmatikov earned his PhD in computer science and MS in engineering-economic systems from Stanford University.

Krinstin Lauter is currently West Coast Head of Research Science in Facebook AI Research, leading the groups in Core Machine Learning, Computer Vision, Robotics, Natural Language Processing, and other areas. Prior to joining Facebook, she was in Microsoft working on developing new cryptographic systems, research on post quantum systems, and researching to find faults in current cryptographic systems. She worked with coworkers at Microsoft to develop a cryptographic algorithm from supersingular isogeny graphs. She created a HASH function from it and presented it at NIST HASH function competition. Prior to joining Microsoft, she held positions as a visiting scholar at Max Planck Institut fur Mathematik in Bonn, Germany, T.H. Hildebrandt research assistant professor at the University of Michigan, and a visiting researcher at Institut de Mathematiques Luminy in France. Dr. Luter earned her MS and PhD in mathematics from University of Chicago.

Nicholas Carlini is a research scientist at Google Brain. He studies the security and privacy of machine learning, for which he has received best paper awards at ICML and IEEE S&P. He obtained his Ph.D. from the University of California, Berkeley in 2018.

Abstract of the Talk: Driven by the recent advances in hardware acceleration, neural networks can now train ever larger models on ever larger datasets. Because supervised datasets are often comparatively small, in order to make use of these vast compute resources, neural networks now have to train on underspecified objectives: those where the model itself defines its own objective function.

In this talk, he argues that while training underspecified models at scale may benefit accuracy, it comes at a cost to security and privacy. Compared to their supervised counterparts, large underspecified models are less adversarially robust, less stable, and less private. Addressing these challenges will require new solutions.

Ahmad-Reza Sadeghi is a professor of Computer Science at the TU Darmstadt, Germany. He is the head of the Systems Security Lab at the Cybersecurity Research Center of TU Darmstadt. Since 2012 he has also been leading three several Intel Collaborative Research Centers on Secure Mobile and Embedded Computing, Trustworthy Autonomous Systems, and since 2020 on Private AI.

Prof. Sadeghi holds a Ph.D. in Computer Science and MScs in Electrical Engineering as well as Industrial Engineering. Prior to academia, he has been working in R&D of Telecommunications enterprises, amongst others Ericsson. For his influential research on Trusted and Trustworthy Computing he received the renowned German “Karl Heinz Beckurts” award. This award honors excellent scientific achievements with high impact on industrial innovations in Germany. In 2018, Prof. Sadeghi received the ACM SIGSAC Outstanding Contributions Award for dedicated research, education, and management leadership in the security community and for pioneering contributions in content protection, mobile security and hardware-assisted security.

Jakub Szefer’s research focuses on computer architecture and hardware security. His research encompasses secure processor architectures, cloud security, FPGA attacks and defenses, and hardware FPGA implementation of cryptographic algorithms. He is currently an Associate Professor of Electrical Engineering at Yale University, where he leads the Computer Architecture and Security Laboratory (CASLAB). Prior to joining Yale, he received Ph.D. and M.A. degrees in Electrical Engineering from Princeton University, and B.S. degree with highest honors in Electrical and Computer Engineering from University of Illinois at Urbana-Champaign. He has received the NSF CAREER award in 2017. Jakub is the author of first book focusing on processor architecture security: “Principles of Secure Processor Architecture Design”. Recently, he has received the 2021 Ackerman Award for Teaching and Mentoring from Yale’s School of Engineering and Applied Science.

Abstract of the Talk: In this talk we will show how, in a multi-tenant FPGA setting, it is possible for adversaries to steal machine learning inputs or architecture details through voltage-based channels. This talk will cover our recent work on analyzing security of custom-built neural network accelerators, as well as attacks on off-the-shelf processor-like accelerators, both realized on commercial cloud-based FPGAs.