justheuristic opened this issue 4 years ago
We have outlined a draft with a number of attack vectors for hivemind and possible defense strategies. This list is not guaranteed to be complete.
These are arguably the most critical vulnerabilities, since an attacker is able not only to spoil an ongoing deep learning experiment, but also to take control of participants' computers (e.g. turn them into botnet nodes). This makes participation in an open experiment unsafe.
Deserializers like pickle and everything built on top of it (such as torch.load) can load and execute arbitrary attacker code (example).
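To make this concrete, here is a minimal, deliberately benign demonstration of the pickle risk: unpickling invokes an attacker-chosen callable. The payload below merely calls print, but an attacker could substitute os.system or any other importable function.

```python
import contextlib
import io
import pickle


class LooksHarmless:
    """A payload whose __reduce__ makes pickle call an arbitrary callable on load.

    Here the callable is print; an attacker could substitute os.system or any
    other importable function with attacker-chosen arguments.
    """

    def __reduce__(self):
        return (print, ("arbitrary code executed during unpickling",))


payload = pickle.dumps(LooksHarmless())

buf = io.StringIO()
with contextlib.redirect_stdout(buf):
    result = pickle.loads(payload)
# result is the callable's return value (None), not a LooksHarmless instance
```

The unpickling side has no way to tell this payload apart from legitimate data before the code has already run, which is why pickle-based formats are unsafe for untrusted peers.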
Possible solution:
An attacker's nodes may return fake content, silently drop store requests, etc.
Possible solution:
An attacker may overwrite DHT records that belong to other nodes' user IDs (e.g. to ruin their statistics or results).
Possible solution:
For example, an attacker may write immortal (never-expiring) records that permanently disrupt the experiment's operation.
Possible solution:
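One standard mitigation (a sketch with assumed names, not hivemind's actual implementation) is to enforce a protocol-wide cap on record lifetime, so "immortal" records expire regardless of the expiration time the writer requested:

```python
import time

MAX_RECORD_TTL = 3600.0  # hypothetical protocol-wide cap, in seconds


class ExpiringStore:
    """Toy DHT store that refuses 'immortal' records by clamping expiration times.

    A sketch of a common defense, not hivemind's code.
    """

    def __init__(self):
        self._records = {}

    def store(self, key, value, expiration_time):
        # clamp the (attacker-controlled) expiration to now + MAX_RECORD_TTL
        expiration_time = min(expiration_time, time.time() + MAX_RECORD_TTL)
        self._records[key] = (value, expiration_time)

    def get(self, key):
        record = self._records.get(key)
        if record is None or record[1] < time.time():
            self._records.pop(key, None)  # evict expired records lazily
            return None
        return record[0]


store = ExpiringStore()
store.store("expert.0", "peer-address", expiration_time=float("inf"))
```

Even a request for infinite lifetime ends up capped, so stale or malicious records are eventually garbage-collected as long as honest nodes keep refreshing theirs.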
An attacker may interfere with DHT operation by pretending to run many nodes that form a majority (a Sybil attack).
Possible solution:
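A common defense against Sybil attacks (an illustrative sketch, not hivemind's implementation) is to make identities expensive: a node ID is only valid if it carries a proof-of-work tied to the node's public key, so minting thousands of fake nodes costs real compute.

```python
import hashlib
import os

DIFFICULTY_BITS = 12  # illustrative; real deployments would tune this cost


def generate_node_id(pubkey: bytes):
    """Derive a node ID from a public key plus a proof-of-work nonce.

    Creating each valid identity costs about 2**DIFFICULTY_BITS hash
    evaluations, making it expensive to flood the DHT with fake majorities.
    A sketch of a common defense, not hivemind's code.
    """
    while True:
        nonce = os.urandom(8)
        digest = hashlib.sha256(pubkey + nonce).digest()
        if int.from_bytes(digest[:4], "big") >> (32 - DIFFICULTY_BITS) == 0:
            return digest, nonce


def validate_node_id(pubkey: bytes, node_id: bytes, nonce: bytes) -> bool:
    """Any peer can cheaply check that a claimed node ID carries valid work."""
    digest = hashlib.sha256(pubkey + nonce).digest()
    has_work = int.from_bytes(digest[:4], "big") >> (32 - DIFFICULTY_BITS) == 0
    return digest == node_id and has_work
```

Validation costs one hash, while generation costs thousands, so honest nodes pay the price once while an attacker pays it per fake identity.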
DoS attacks become possible when a small request to a service triggers expensive computation or a large response. In hivemind, this may be the case for both the server and the trainer.
The forward pass and backward pass requests may cause expensive computations.
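One standard mitigation for compute-amplification DoS (an illustrative sketch, not hivemind's code) is per-peer admission control, e.g. a token bucket where each request spends tokens proportional to its estimated compute cost:

```python
import time


class TokenBucket:
    """Per-peer admission control for expensive requests.

    Requests spend tokens proportional to their estimated compute cost, so a
    single peer cannot monopolize forward/backward passes. A sketch of a
    standard DoS defense, not hivemind's implementation.
    """

    def __init__(self, refill_rate: float, capacity: float):
        self.refill_rate = refill_rate  # tokens added per second
        self.capacity = capacity        # burst limit
        self.tokens = capacity
        self.last_refill = time.monotonic()

    def allow(self, cost: float = 1.0) -> bool:
        """Admit the request iff the peer has accumulated enough tokens."""
        now = time.monotonic()
        elapsed = now - self.last_refill
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_rate)
        self.last_refill = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


bucket = TokenBucket(refill_rate=0.0, capacity=2.0)  # rate 0 for determinism
decisions = [bucket.allow(), bucket.allow(), bucket.allow()]
```

The cost parameter lets the server charge more for a large batch than for a small one, so the amplification between request size and compute stays bounded per peer.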
Possible solution:
TODO
Possible solution:
In hivemind server,
TODO
Note on DoS: in hivemind.dht.protocol.DHTProtocol, there is an rpc_find whose output is roughly 10x larger than its input. Is this acceptable, or can it also enable DoS?
Reading that seems useful: DHT Security Survey (Urdaneta et al.)
Right now, hivemind works over plain TCP with no security. If we are to run a global experiment, we need to:
1. Make sure peers do not risk their personal data by running hivemind nodes. This is the boring but necessary part: we need to make sure we use up-to-date security protocols in both hivemind.dht and the hivemind.client/server interaction.
2. Figure out how to make the hivemind model resistant to malicious peers. This part is trickier, as there are several attack vectors:
2a. sending NaN or wrong gradients to an expert in order to jeopardize its parameters;
2b. overwriting existing DHT keys with wrong information to prevent other peers from finding experts.
There are intuitive ways to resist both of these vectors, e.g. dropping outlier gradients in 2a, but security usually works better with expertise than with intuition.
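To illustrate the "drop outlier gradients" idea from 2a, here is a minimal sketch: discard non-finite gradients, then discard gradients whose norm is a robust-z-score (median/MAD) outlier. This is illustrative only, not hivemind code, and the 3.5 cutoff is a conventional choice rather than a tuned value.

```python
import math
from statistics import median


def filter_outlier_gradients(grads, threshold=3.5):
    """Drop NaN/inf gradients, then gradients whose norm is a MAD-based outlier.

    Illustrative sketch of idea 2a; the median/MAD "robust z-score" is used
    instead of mean/std because a single huge malicious gradient would skew
    the mean and hide itself. Not hivemind's implementation.
    """
    finite = [g for g in grads if all(math.isfinite(x) for x in g)]
    if len(finite) < 3:
        return finite  # too few samples to estimate an outlier threshold
    norms = [math.sqrt(sum(x * x for x in g)) for g in finite]
    med = median(norms)
    mad = median(abs(n - med) for n in norms)
    # 0.6745 rescales MAD to be comparable to a standard deviation
    robust_z = [0.6745 * abs(n - med) / (mad + 1e-8) for n in norms]
    return [g for g, z in zip(finite, robust_z) if z <= threshold]


honest = [[1.0, 1.0] for _ in range(5)]
malicious = [[float("nan"), 1.0], [1e6, 0.0]]
kept = filter_outlier_gradients(honest + malicious)
```

A real defense would need care with legitimate gradient-norm variation (the epsilon-padded MAD above is brittle when honest norms are nearly identical), which is exactly why the issue asks for expert review rather than relying on this intuition alone.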
We would appreciate any advice on potential attack vectors and ways to mitigate them.