Attack · 2026

Vulnerabilities in Partial TEE-Shielded LLM Inference with Precomputed Noise

Abhishek Saini , Haolin Jiang , Hang Liu

0 citations · 91 references · arXiv (Cornell University)


Published on arXiv: 2602.11088

Model Theft (OWASP ML Top 10 — ML05)

Model Theft (OWASP LLM Top 10 — LLM10)

Key Finding

Recovers a LLaMA-3 8B model layer's secret basis in approximately 6 minutes, with the attack scaling to fully compromise 405B-parameter LLMs across a variety of configurations.

Novel technique introduced: Cross-Query Key Reuse Attack


The deployment of large language models (LLMs) on third-party devices requires new ways to protect model intellectual property. While Trusted Execution Environments (TEEs) offer a promising solution, their performance limits can lead to a critical compromise: using a precomputed, static secret basis to accelerate cryptographic operations. We demonstrate that this mainstream design pattern introduces a classic cryptographic flaw, the reuse of secret keying material, into the system's protocol. We prove its vulnerability with two distinct attacks. First, our attack on a model confidentiality system achieves a full confidentiality break by recovering its secret permutations and model weights. Second, our integrity attack completely bypasses the integrity checks of systems like Soter and TSQP. We demonstrate the practicality of our attacks against state-of-the-art LLMs, recovering a layer's secrets from a LLaMA-3 8B model in about 6 minutes and showing that the attack scales to compromise 405B-parameter LLMs across a variety of configurations.


Key Contributions

  • Identifies that the mainstream design pattern of using a precomputed static secret basis in partial TEE-shielded LLM inference introduces a classic key-reuse cryptographic flaw
  • Confidentiality attack that fully recovers secret permutations and model weights by exploiting cross-query correlation of the static secret basis
  • Integrity attack that completely bypasses the integrity verification of deployed systems (Soter, TSQP), demonstrated to scale to 405B-parameter LLMs

🛡️ Threat Analysis

Model Theft

Both attacks target model intellectual property: the confidentiality attack recovers secret permutations and model weights from TEE-protected systems, and the integrity attack bypasses the verification checks meant to prevent tampering — the primary outcome is unauthorized extraction of model weights.


Details

Domains: nlp

Model Types: llm, transformer

Threat Tags: grey_box, inference_time

Applications: llm inference on third-party/edge devices; tee-shielded confidential computing for llms; on-premises enterprise llm deployment