🤖 AI Summary
This work identifies, for the first time, a novel non-speculative, value-dependent timing side channel in Intel’s Advanced Matrix Extensions (AMX) accelerator—enabling unprivileged, remote inference of neural network weight sparsity patterns without physical access or reliance on model confidence scores.
Method: The authors construct an AMX instruction-level microarchitectural latency model and integrate precise timing measurements with statistical signal processing and sparse pattern reverse-engineering techniques to accurately recover the sparsity structure of weights corresponding to 64-element inputs.
Contribution/Results: The full sparsity structure is reconstructed within 50 minutes—631% faster than Hertzbleed. This is the first empirically validated value-sensitive timing leakage on AMX, breaking the conventional dependence of timing side channels on speculative execution or privileged execution environments. It establishes a new paradigm for hardware accelerator security evaluation, demonstrating that even non-speculative, privilege-free software attacks can extract sensitive structural information from accelerators via fine-grained timing analysis.
📝 Abstract
The rise of on-chip accelerators signifies a major shift in computing, driven by the growing demands of artificial intelligence (AI) and specialized applications. These accelerators have gained popularity due to their ability to substantially boost performance, cut energy usage, lower total cost of ownership (TCO), and promote sustainability. Intel's Advanced Matrix Extensions (AMX) is one such on-chip accelerator, specifically designed for handling tasks involving large matrix multiplications commonly used in machine learning (ML) models, image processing, and other computational-heavy operations. In this paper, we introduce a novel value-dependent timing side-channel vulnerability in Intel AMX. By exploiting this weakness, we demonstrate a software-based, value-dependent timing side-channel attack capable of inferring the sparsity of neural network weights without requiring any knowledge of the confidence score, privileged access or physical proximity. Our attack method can fully recover the sparsity of weights assigned to 64 input elements within 50 minutes, which is 631% faster than the maximum leakage rate achieved in the Hertzbleed attack.