Vulnerabilities in Partial TEE-Shielded LLM Inference with Precomputed Noise

Notice: This research summary and analysis were generated automatically using AI. For accuracy, refer to the original arXiv paper.

The deployment of large language models (LLMs) on third-party devices requires new ways to protect model intellectual property. While Trusted Execution Environments (TEEs) offer a promising solution, their performance limits can lead to a critical compromise: using a precomputed, static secret basis to accelerate cryptographic operations. We demonstrate that this mainstream design pattern introduces a classic cryptographic flaw, the reuse of secret keying material, into the system’s protocol. We prove its vulnerability with two distinct attacks: First, our attack on a model confidentiality system achieves a full confidentiality break by recovering its secret permutations and model weights. Second, our integrity attack completely bypasses the integrity checks of systems like Soter and TSQP. We demonstrate the practicality of our attacks against state-of-the-art LLMs, recovering a layer’s secrets from a LLaMA-3 8B model in about 6 minutes and showing the attack scales to compromise 405B-parameter LLMs across a variety of configurations.


💡 Research Summary

The paper investigates a critical security flaw in contemporary partial‑TEE‑shielded inference architectures for large language models (LLMs). Because full LLM execution inside a Trusted Execution Environment (TEE) is infeasible due to memory and performance constraints, recent systems split the workload: a lightweight TEE handles secret management while heavy linear algebra (e.g., matrix‑vector multiplications, convolutions) is off‑loaded to untrusted accelerators such as GPUs. These systems uniformly adopt a three‑step “Mask‑Obfuscate‑Restore” protocol. In the Mask phase the TEE applies a secret transformation (one‑time pad, permutation, blinding scalar, etc.) to inputs or model weights; the Obfuscate phase sends the masked data to the accelerator for computation; the Restore phase removes the mask or verifies a hidden fingerprint.

To avoid the prohibitive cost of generating fresh, truly random masks for every inference, implementations pre‑compute a small set of K secret noise vectors and their corresponding effects (e.g., M·W). During runtime, the “random” mask is synthesized as a linear combination of these pre‑computed basis vectors with freshly sampled coefficients. This design dramatically reduces overhead but introduces a systematic cryptographic error: the mask space is confined to a K‑dimensional subspace, meaning the same secret material is effectively reused across many queries.

The authors formalize two attacks that exploit this key‑reuse flaw. The first targets model confidentiality. Many PTSE (partial TEE‑shielded) schemes lock model weights with secret permutations (e.g., TLG, ShadowNet). Because the permutation‑masked activations are further masked with the pre‑computed noise, an adversary who can observe many input‑output pairs can set up a system of linear equations whose unknowns are the permutation matrices and the noise basis coefficients. Solving this system (via Gaussian elimination, SVD, or lattice techniques) reveals the secret permutations; once recovered, the attacker can invert the permutation and retrieve the original weight matrices, fully compromising the model. The paper demonstrates this on a LLaMA‑3 8B model, extracting a single transformer layer’s secrets in roughly six minutes, and shows scalability to a 405‑billion‑parameter model with the same K=10 basis.

The second attack defeats the computational‑integrity checks used in Soter and TSQP. These systems embed “oblivious fingerprints” by pre‑computing K cornerstone input‑output pairs and, at inference time, generating a dynamic challenge m′ = Σ_i α_i m_i as a random linear combination of the cornerstones m_i. The challenge is mixed with genuine activations and sent to the GPU; the TEE later verifies that the GPU’s output on m′ matches the same linear combination of the pre‑computed results. Because m′ also lives in the same K‑dimensional subspace, an attacker who collects many batches can isolate the subspace component that corresponds solely to the fingerprint, recover the coefficients α_i, and compute the expected fingerprint output locally. Consequently, the integrity verification is bypassed without triggering any alarms, allowing arbitrary tampering with the GPU’s computation.

Both attacks rely on the algebraic structure imposed by the static secret basis, not on side channels or statistical inference. The paper argues that any PTSE design that reuses a low‑dimensional secret basis is fundamentally vulnerable, regardless of the specific masking primitive. To remediate, the authors suggest either generating truly fresh one‑time masks per inference (accepting the performance cost) or dynamically expanding the basis size so that the number of observable equations required for an attack exceeds realistic query limits. They also propose a security‑evaluation framework for future PTSE systems to detect key‑reuse patterns early in the design phase.
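A check of the kind the evaluation framework above calls for, added here as an example that is not part of the paper or of this summary: it simulates the precomputed K‑vector basis generator described earlier alongside a fresh one‑time mask generator, and measures the dimension of the span that an observer of many queries could collect. Function names, the sampling ranges and the default parameters are constructed for illustration.

```python
"""Rank check for key reuse in a precomputed-noise mask generator."""
from fractions import Fraction
import random

def matrix_rank(rows):
    """Exact rank over the rationals via Gaussian elimination (no numpy)."""
    m = [[Fraction(x) for x in r] for r in rows]
    rank = 0
    for col in range(len(m[0]) if m else 0):
        pivot = next((i for i in range(rank, len(m)) if m[i][col] != 0), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        pv = m[rank][col]
        m[rank] = [x / pv for x in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col] != 0:
                f = m[i][col]
                m[i] = [a - f * b for a, b in zip(m[i], m[rank])]
        rank += 1
    return rank

def precomputed_basis_masks(rng, n_queries, dim, k):
    """Accelerated design: K fixed secret basis vectors; each per-query mask
    is a fresh random linear combination of them (stays in a K-dim subspace)."""
    basis = [[rng.randint(-9, 9) for _ in range(dim)] for _ in range(k)]
    masks = []
    for _ in range(n_queries):
        coeffs = [rng.randint(-9, 9) for _ in range(k)]
        masks.append([sum(c * b[j] for c, b in zip(coeffs, basis))
                      for j in range(dim)])
    return masks

def fresh_masks(rng, n_queries, dim):
    """One-time-pad design: every query gets a mask drawn from scratch."""
    return [[rng.randint(-9, 9) for _ in range(dim)] for _ in range(n_queries)]

def key_reuse_suspected(masks, dim):
    """Fresh masks span min(#masks, dim) dimensions; a strictly smaller span
    is the signature of masks confined to a fixed secret subspace."""
    return matrix_rank(masks) < min(len(masks), dim)

def run_check(seed=7, n_queries=40, dim=64, k=10):
    """Constructed comparison; returns {design: (span_dim, flagged)}."""
    rng = random.Random(seed)
    reused = precomputed_basis_masks(rng, n_queries, dim, k)
    fresh = fresh_masks(rng, n_queries, dim)
    return {"precomputed": (matrix_rank(reused), key_reuse_suspected(reused, dim)),
            "fresh": (matrix_rank(fresh), key_reuse_suspected(fresh, dim))}
```

With the defaults, `run_check()` reports a span of dimension 10 for the precomputed design and 40 for fresh masks, so only the former is flagged; the span of the precomputed design stays at K no matter how many further queries are observed.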

Overall, the work uncovers a previously unrecognized class of key‑reuse vulnerabilities in partial TEE‑shielded LLM inference, provides concrete attacks that break both confidentiality and integrity, validates them on state‑of‑the‑art models, and offers practical guidance for designing truly secure PTSE architectures.

