BarkBeetle: Stealing Decision Tree Models with Fault Injection

Machine learning models, particularly decision trees (DTs), are widely adopted across various domains due to their interpretability and efficiency. However, as ML models become increasingly integrated into privacy-sensitive applications, concerns about their confidentiality have grown, particularly in light of emerging threats such as model extraction and fault injection attacks. Assessing the vulnerability of DTs under such attacks is therefore important. In this work, we present BarkBeetle, a novel attack that leverages fault injection to extract internal structural information of DT models. BarkBeetle employs a bottom-up recovery strategy that uses targeted fault injection at specific nodes to efficiently infer feature splits and threshold values. Our proof-of-concept implementation demonstrates that BarkBeetle requires significantly fewer queries and recovers more structural information compared to prior approaches, when evaluated on DTs trained with public UCI datasets. To validate its practical feasibility, we implement BarkBeetle on a Raspberry Pi RP2350 board and perform fault injections using the Faultier voltage glitching tool. As BarkBeetle targets general DT models, we also provide an in-depth discussion on its applicability to a broader range of tree-based applications, including data stream classification, DT variants, and cryptography schemes.

💡 Research Summary

BarkBeetle introduces a novel model‑extraction attack that combines fault injection with decision‑tree reconstruction. The authors observe that decision trees, while popular for their interpretability and low computational cost, have received little attention in the context of hardware‑level attacks. Existing extraction techniques for trees rely heavily on rich side‑channel information such as leaf identifiers, incomplete queries, or explainable‑AI outputs, and they often require a large number of black‑box queries.

The core idea of BarkBeetle is to inject a controlled fault (e.g., a voltage glitch) at a specific internal node during inference. By forcing the node to mis‑evaluate its split condition, the attacker can deliberately steer the execution to the left or right subtree regardless of the true comparison result. Observing the change in the final prediction label after such a forced traversal reveals which feature and threshold the targeted node uses. Repeating this process in a bottom‑up fashion—starting from the leaves and moving toward the root—allows the attacker to reconstruct the entire tree structure with far fewer queries than prior methods.

The paper presents a detailed algorithmic framework. For each node, a single fault injection is performed, followed by a small set of verification queries to confirm the direction of the forced branch. Because decision trees have a hierarchical, deterministic structure, the information gained at lower levels dramatically reduces the uncertainty at higher levels. The authors prove that, for a binary tree of depth d, the worst‑case query complexity of BarkBeetle grows linearly with d, compared to the exponential growth of naïve black‑box traversal.

Experimental evaluation uses several UCI benchmark datasets (e.g., Diabetes, Adult) to train decision trees of varying depth and leaf count. The authors compare BarkBeetle against three representative prior works: the original Tramèr extraction method, an IWAL‑based approach that does not rely on auxiliary information, and an XAI‑driven surrogate‑model technique. Results show that BarkBeetle reduces the total number of queries by 30 %–70 % across all configurations and, uniquely, recovers repeated feature occurrences along a single path—information that previous attacks completely miss.

To demonstrate practical feasibility, the authors implement the attack on a Raspberry Pi RP2350 microcontroller running a lightweight inference library. They use the open‑source Faultier tool to generate precise voltage glitches. In a case study with a depth‑5 tree (11 leaves) trained on the Diabetes dataset, the attack required 703 additional queries caused by repeated glitch attempts. The authors note that more accurate timing control or alternative fault‑injection modalities (clock glitch, EM pulse, laser) could further reduce this overhead.

The security discussion highlights several implications. First, even when an API hides leaf identifiers and disables incomplete queries, a hardware adversary can still recover the full decision logic via fault injection. Second, knowledge of the exact tree structure enables downstream attacks such as membership inference, training‑data reconstruction, and targeted adversarial example generation. Third, many modern applications—gradient‑boosted decision trees, XGBoost, and tree‑based zero‑knowledge proofs—share the same hierarchical split mechanism, making them vulnerable to similar attacks.

Countermeasure suggestions include: (1) monitoring power and clock lines for anomalous glitches; (2) adding redundancy or randomization to split evaluations (e.g., secret‑sharing thresholds across multiple micro‑operations); (3) employing hardware‑level integrity checks such as instruction‑level duplication or control‑flow integrity; and (4) limiting the amount of information returned by prediction APIs (removing confidence scores, suppressing deterministic leaf IDs). The authors also propose structural obfuscation techniques, such as inserting dummy splits or deliberately repeating features in a way that confounds bottom‑up reconstruction.

In conclusion, BarkBeetle is the first work to demonstrate that fault injection can be leveraged to extract decision‑tree models efficiently and comprehensively. The attack works on both cloud‑based ML‑as‑a‑service and resource‑constrained edge devices, raising new concerns for the confidentiality of tree‑based machine‑learning models. Future research directions include refining fault‑injection precision, extending the methodology to ensemble models (random forests, GBDTs), and developing robust hardware and software defenses tailored to tree‑structured inference.