Sentry: Authenticating Machine Learning Artifacts on the Fly
Published on arXiv
2510.00554
AI Supply Chain Attacks
OWASP ML Top 10 — ML06
Key Finding
Sentry achieves orders of magnitude speedup over a CPU-based cryptographic verification baseline while providing on-the-fly authentication of ML artifacts during GPU memory loading
Sentry
Novel technique introduced
Machine learning systems increasingly rely on open-source artifacts such as datasets and models that are created or hosted by other parties. This reliance on external datasets and pre-trained models exposes the system to supply chain attacks in which an artifact is poisoned before it reaches the end-user. Such attacks are possible because existing machine learning systems perform no authenticity verification of the artifacts they consume. Incorporating cryptographic solutions such as hashing and signing can mitigate the risk of supply chain attacks. However, existing integrity-verification frameworks based on cryptographic techniques incur significant overhead when applied to state-of-the-art machine learning artifacts because of their scale, and they are not compatible with GPU platforms. In this paper, we develop Sentry, a novel GPU-based framework that verifies the authenticity of machine learning artifacts by implementing cryptographic signing and verification for datasets and models. Sentry ties developer identities to signatures and performs authentication on the fly as artifacts are loaded into GPU memory, making it compatible with GPU data-movement solutions such as NVIDIA GPUDirect that bypass the CPU. Sentry incorporates GPU acceleration of cryptographic hash constructions such as Merkle trees and lattice hashing, implementing memory optimizations and resource-partitioning schemes for high-throughput performance. Our evaluations show that Sentry is a practical solution for bringing authenticity to machine learning systems, achieving orders of magnitude speedup over a CPU-based baseline.
Key Contributions
- Sentry: a GPU-native framework that performs cryptographic signing and verification of ML artifacts (datasets and models) on the fly as they are loaded into GPU memory, compatible with CPU-bypassing solutions like NVIDIA GPUDirect
- GPU-accelerated cryptographic hash constructions (Merkle tree and lattice hashing) with memory optimizations and resource partitioning for high-throughput artifact authentication
- Developer identity binding to artifact signatures, enabling end-to-end provenance verification across the ML supply chain
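The Merkle-tree construction that lets an artifact be authenticated chunk by chunk as it loads, shown here as an added CPU-side example that is not Sentry's code: every chunk is checked against a trusted root using its authentication path, so a poisoned chunk is caught without re-hashing the whole file. The chunk size, the sample "model" bytes and the tampering are constructed; the developer signature over the root (which Sentry binds to an identity) is assumed to have been verified already and is out of scope here.

```python
import hashlib
from typing import List, Optional, Tuple
CHUNK = 4  # constructed: tiny chunk size so the tree is easy to follow

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hashes(artifact: bytes, chunk: int = CHUNK) -> List[bytes]:
    # 0x00 prefix domain-separates leaves from internal nodes
    return [h(b"\x00" + artifact[i:i + chunk]) for i in range(0, len(artifact), chunk)]

def build_levels(leaves: List[bytes]) -> List[List[bytes]]:
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:  # odd level: duplicate the last node so every node has a sibling
            cur = cur + [cur[-1]]
            levels[-1] = cur
        levels.append([h(b"\x01" + cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def auth_path(levels: List[List[bytes]], index: int) -> List[Tuple[bytes, bool]]:
    # sibling hash at each level, plus whether that sibling sits to the right of our node
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        path.append((level[sib], sib > index))
        index //= 2
    return path

def verify_chunk(chunk: bytes, path: List[Tuple[bytes, bool]], trusted_root: bytes) -> bool:
    node = h(b"\x00" + chunk)
    for sibling, sibling_is_right in path:
        node = h(b"\x01" + node + sibling) if sibling_is_right else h(b"\x01" + sibling + node)
    return node == trusted_root

def first_bad_chunk(artifact: bytes, paths, trusted_root: bytes, chunk: int = CHUNK) -> Optional[int]:
    # streaming check: each chunk is authenticated as it arrives; returns index of first mismatch
    for i, off in enumerate(range(0, len(artifact), chunk)):
        if not verify_chunk(artifact[off:off + chunk], paths[i], trusted_root):
            return i
    return None

# constructed stand-in for a model file: 28 bytes -> 7 chunks (odd count exercises padding)
ARTIFACT = b"weights:layer0,layer1,layer2"
LEVELS = build_levels(leaf_hashes(ARTIFACT))
TRUSTED_ROOT = LEVELS[-1][0]  # the value a developer would sign; assumed already verified here
PATHS = [auth_path(LEVELS, i) for i in range(7)]
# constructed tampering: one bit flipped inside chunk 5 (byte offset 21)
TAMPERED = ARTIFACT[:21] + bytes([ARTIFACT[21] ^ 0x01]) + ARTIFACT[22:]
```

Running `first_bad_chunk(TAMPERED, PATHS, TRUSTED_ROOT)` reports chunk 5, while the untampered artifact verifies cleanly.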
🛡️ Threat Analysis
Sentry directly defends against ML supply chain attacks — specifically, adversaries poisoning or substituting open-source datasets and pre-trained models hosted by third parties before delivery to the end-user. The paper explicitly frames its threat model around supply chain compromise and proposes cryptographic signing/verification as the countermeasure.