-
LLoCO: Learning Long Contexts Offline
Authors:
Sijun Tan,
Xiuyu Li,
Shishir Patil,
Ziyang Wu,
Tianjun Zhang,
Kurt Keutzer,
Joseph E. Gonzalez,
Raluca Ada Popa
Abstract:
Processing long contexts remains a challenge for large language models (LLMs) due to the quadratic computational and memory overhead of the self-attention mechanism and the substantial KV cache sizes during generation. We propose a novel approach to address this problem by learning contexts offline through context compression and in-domain parameter-efficient finetuning. Our method enables an LLM…
▽ More
Processing long contexts remains a challenge for large language models (LLMs) due to the quadratic computational and memory overhead of the self-attention mechanism and the substantial KV cache sizes during generation. We propose a novel approach to address this problem by learning contexts offline through context compression and in-domain parameter-efficient finetuning. Our method enables an LLM to create a concise representation of the original context and efficiently retrieve relevant information to answer questions accurately. We introduce LLoCO, a technique that combines context compression, retrieval, and parameter-efficient finetuning using LoRA. Our approach extends the effective context window of a 4k token LLaMA2-7B model to handle up to 128k tokens. We evaluate our approach on several long-context question-answering datasets, demonstrating that LLoCO significantly outperforms in-context learning while using $30\times$ fewer tokens during inference. LLoCO achieves up to $7.62\times$ speed-up and substantially reduces the cost of long document question answering, making it a promising solution for efficient long context processing. Our code is publicly available at https://github.com/jeffreysijuntan/lloco.
△ Less
Submitted 11 April, 2024;
originally announced April 2024.
-
GoEX: Perspectives and Designs Towards a Runtime for Autonomous LLM Applications
Authors:
Shishir G. Patil,
Tianjun Zhang,
Vivian Fang,
Noppapon C.,
Roy Huang,
Aaron Hao,
Martin Casado,
Joseph E. Gonzalez,
Raluca Ada Popa,
Ion Stoica
Abstract:
Large Language Models (LLMs) are evolving beyond their classical role of providing information within dialogue systems to actively engaging with tools and performing actions on real-world applications and services. Today, humans verify the correctness and appropriateness of the LLM-generated outputs (e.g., code, functions, or actions) before putting them into real-world execution. This poses signi…
▽ More
Large Language Models (LLMs) are evolving beyond their classical role of providing information within dialogue systems to actively engaging with tools and performing actions on real-world applications and services. Today, humans verify the correctness and appropriateness of the LLM-generated outputs (e.g., code, functions, or actions) before putting them into real-world execution. This poses significant challenges as code comprehension is well known to be notoriously difficult. In this paper, we study how humans can efficiently collaborate with, delegate to, and supervise autonomous LLMs in the future. We argue that in many cases, "post-facto validation" - verifying the correctness of a proposed action after seeing the output - is much easier than the aforementioned "pre-facto validation" setting. The core concept behind enabling a post-facto validation system is the integration of an intuitive undo feature, and establishing a damage confinement for the LLM-generated actions as effective strategies to mitigate the associated risks. Using this, a human can now either revert the effect of an LLM-generated output or be confident that the potential risk is bounded. We believe this is critical to unlock the potential for LLM agents to interact with applications and services with limited (post-facto) human involvement. We describe the design and implementation of our open-source runtime for executing LLM actions, Gorilla Execution Engine (GoEX), and present open research questions towards realizing the goal of LLMs and applications interacting with each other with minimal human supervision. We release GoEX at https://github.com/ShishirPatil/gorilla/.
△ Less
Submitted 10 April, 2024;
originally announced April 2024.
-
Reflections on trusting distributed trust
Authors:
Emma Dauterman,
Vivian Fang,
Natacha Crooks,
Raluca Ada Popa
Abstract:
Many systems today distribute trust across multiple parties such that the system provides certain security properties if a subset of the parties are honest. In the past few years, we have seen an explosion of academic and industrial cryptographic systems built on distributed trust, including secure multi-party computation applications (e.g., private analytics, secure learning, and private key reco…
▽ More
Many systems today distribute trust across multiple parties such that the system provides certain security properties if a subset of the parties are honest. In the past few years, we have seen an explosion of academic and industrial cryptographic systems built on distributed trust, including secure multi-party computation applications (e.g., private analytics, secure learning, and private key recovery) and blockchains. These systems have great potential for improving security and privacy, but face a significant hurdle on the path to deployment. We initiate study of the following problem: a single organization is, by definition, a single party, and so how can a single organization build a distributed-trust system where corruptions are independent? We instead consider an alternative formulation of the problem: rather than ensuring that a distributed-trust system is set up correctly by design, what if instead, users can audit a distributed-trust deployment? We propose a framework that enables a developer to efficiently and cheaply set up any distributed-trust system in a publicly auditable way. To do this, we identify two application-independent building blocks that we can use to bootstrap arbitrary distributed-trust applications: secure hardware and an append-only log. We show how to leverage existing implementations of these building blocks to deploy distributed-trust systems, and we give recommendations for infrastructure changes that would make it easier to deploy distributed-trust systems in the future.
△ Less
Submitted 10 November, 2022; v1 submitted 14 October, 2022;
originally announced October 2022.
-
The Sky Above The Clouds
Authors:
Sarah Chasins,
Alvin Cheung,
Natacha Crooks,
Ali Ghodsi,
Ken Goldberg,
Joseph E. Gonzalez,
Joseph M. Hellerstein,
Michael I. Jordan,
Anthony D. Joseph,
Michael W. Mahoney,
Aditya Parameswaran,
David Patterson,
Raluca Ada Popa,
Koushik Sen,
Scott Shenker,
Dawn Song,
Ion Stoica
Abstract:
Technology ecosystems often undergo significant transformations as they mature. For example, telephony, the Internet, and PCs all started with a single provider, but in the United States each is now served by a competitive market that uses comprehensive and universal technology standards to provide compatibility. This white paper presents our view on how the cloud ecosystem, barely over fifteen ye…
▽ More
Technology ecosystems often undergo significant transformations as they mature. For example, telephony, the Internet, and PCs all started with a single provider, but in the United States each is now served by a competitive market that uses comprehensive and universal technology standards to provide compatibility. This white paper presents our view on how the cloud ecosystem, barely over fifteen years old, could evolve as it matures.
△ Less
Submitted 14 May, 2022;
originally announced May 2022.
-
MAGE: Nearly Zero-Cost Virtual Memory for Secure Computation
Authors:
Sam Kumar,
David E. Culler,
Raluca Ada Popa
Abstract:
Secure Computation (SC) is a family of cryptographic primitives for computing on encrypted data in single-party and multi-party settings. SC is being increasingly adopted by industry for a variety of applications. A significant obstacle to using SC for practical applications is the memory overhead of the underlying cryptography. We develop MAGE, an execution engine for SC that efficiently runs SC…
▽ More
Secure Computation (SC) is a family of cryptographic primitives for computing on encrypted data in single-party and multi-party settings. SC is being increasingly adopted by industry for a variety of applications. A significant obstacle to using SC for practical applications is the memory overhead of the underlying cryptography. We develop MAGE, an execution engine for SC that efficiently runs SC computations that do not fit in memory. We observe that, due to their intended security guarantees, SC schemes are inherently oblivious -- their memory access patterns are independent of the input data. Using this property, MAGE calculates the memory access pattern ahead of time and uses it to produce a memory management plan. This formulation of memory management, which we call memory programming, is a generalization of paging that allows MAGE to provide a highly efficient virtual memory abstraction for SC. MAGE outperforms the OS virtual memory system by up to an order of magnitude, and in many cases, runs SC computations that do not fit in memory at nearly the same speed as if the underlying machines had unbounded physical memory to fit the entire computation.
△ Less
Submitted 27 October, 2022; v1 submitted 23 June, 2021;
originally announced June 2021.
-
Senate: A Maliciously-Secure MPC Platform for Collaborative Analytics
Authors:
Rishabh Poddar,
Sukrit Kalra,
Avishay Yanai,
Ryan Deng,
Raluca Ada Popa,
Joseph M. Hellerstein
Abstract:
Many organizations stand to benefit from pooling their data together in order to draw mutually beneficial insights -- e.g., for fraud detection across banks, better medical studies across hospitals, etc. However, such organizations are often prevented from sharing their data with each other by privacy concerns, regulatory hurdles, or business competition. We present Senate, a system that allows mu…
▽ More
Many organizations stand to benefit from pooling their data together in order to draw mutually beneficial insights -- e.g., for fraud detection across banks, better medical studies across hospitals, etc. However, such organizations are often prevented from sharing their data with each other by privacy concerns, regulatory hurdles, or business competition. We present Senate, a system that allows multiple parties to collaboratively run analytical SQL queries without revealing their individual data to each other. Unlike prior works on secure multi-party computation (MPC) that assume that all parties are semi-honest, Senate protects the data even in the presence of malicious adversaries. At the heart of Senate lies a new MPC decomposition protocol that decomposes the cryptographic MPC computation into smaller units, some of which can be executed by subsets of parties and in parallel, while preserving its security guarantees. Senate then provides a new query planning algorithm that decomposes and plans the cryptographic computation effectively, achieving a performance of up to 145$\times$ faster than the state-of-the-art.
△ Less
Submitted 26 October, 2020;
originally announced October 2020.
-
Secure Collaborative Training and Inference for XGBoost
Authors:
Andrew Law,
Chester Leung,
Rishabh Poddar,
Raluca Ada Popa,
Chenyu Shi,
Octavian Sima,
Chaofan Yu,
Xingmeng Zhang,
Wenting Zheng
Abstract:
In recent years, gradient boosted decision tree learning has proven to be an effective method of training robust models. Moreover, collaborative learning among multiple parties has the potential to greatly benefit all parties involved, but organizations have also encountered obstacles in sharing sensitive data due to business, regulatory, and liability concerns.
We propose Secure XGBoost, a priv…
▽ More
In recent years, gradient boosted decision tree learning has proven to be an effective method of training robust models. Moreover, collaborative learning among multiple parties has the potential to greatly benefit all parties involved, but organizations have also encountered obstacles in sharing sensitive data due to business, regulatory, and liability concerns.
We propose Secure XGBoost, a privacy-preserving system that enables multiparty training and inference of XGBoost models. Secure XGBoost protects the privacy of each party's data as well as the integrity of the computation with the help of hardware enclaves. Crucially, Secure XGBoost augments the security of the enclaves using novel data-oblivious algorithms that prevent access side-channel attacks on enclaves induced via access pattern leakage.
△ Less
Submitted 6 October, 2020;
originally announced October 2020.
-
Practical Volume-Based Attacks on Encrypted Databases
Authors:
Rishabh Poddar,
Stephanie Wang,
Jianan Lu,
Raluca Ada Popa
Abstract:
Recent years have seen an increased interest towards strong security primitives for encrypted databases (such as oblivious protocols), that hide the access patterns of query execution, and reveal only the volume of results. However, recent work has shown that even volume leakage can enable the reconstruction of entire columns in the database. Yet, existing attacks rely on a set of assumptions that…
▽ More
Recent years have seen an increased interest towards strong security primitives for encrypted databases (such as oblivious protocols), that hide the access patterns of query execution, and reveal only the volume of results. However, recent work has shown that even volume leakage can enable the reconstruction of entire columns in the database. Yet, existing attacks rely on a set of assumptions that are unrealistic in practice: for example, they (i) require a large number of queries to be issued by the user, or (ii) assume certain distributions on the queries or underlying data (e.g., that the queries are distributed uniformly at random, or that the database does not contain missing values).
In this work, we present new attacks for recovering the content of individual user queries, assuming no leakage from the system except the number of results and avoiding the limiting assumptions above. Unlike prior attacks, our attacks require only a single query to be issued by the user for recovering the keyword. Furthermore, our attacks make no assumptions about the distribution of issued queries or the underlying data. Instead, our key insight is to exploit the behavior of real-world applications.
We start by surveying 11 applications to identify two key characteristics that can be exploited by attackers: (i) file injection, and (ii) automatic query replay. We present attacks that leverage these two properties in concert with volume leakage, independent of the details of any encrypted database system. Subsequently, we perform an attack on the real Gmail web client by simulating a server-side adversary. Our attack on Gmail completes within a matter of minutes, demonstrating the feasibility of our techniques. We also present three ancillary attacks for situations when certain mitigation strategies are employed.
△ Less
Submitted 14 August, 2020;
originally announced August 2020.
-
Visor: Privacy-Preserving Video Analytics as a Cloud Service
Authors:
Rishabh Poddar,
Ganesh Ananthanarayanan,
Srinath Setty,
Stavros Volos,
Raluca Ada Popa
Abstract:
Video-analytics-as-a-service is becoming an important offering for cloud providers. A key concern in such services is privacy of the videos being analyzed. While trusted execution environments (TEEs) are promising options for preventing the direct leakage of private video content, they remain vulnerable to side-channel attacks.
We present Visor, a system that provides confidentiality for the use…
▽ More
Video-analytics-as-a-service is becoming an important offering for cloud providers. A key concern in such services is privacy of the videos being analyzed. While trusted execution environments (TEEs) are promising options for preventing the direct leakage of private video content, they remain vulnerable to side-channel attacks.
We present Visor, a system that provides confidentiality for the user's video stream as well as the ML models in the presence of a compromised cloud platform and untrusted co-tenants. Visor executes video pipelines in a hybrid TEE that spans both the CPU and GPU. It protects the pipeline against side-channel attacks induced by data-dependent access patterns of video modules, and also addresses leakage in the CPU-GPU communication channel. Visor is up to $1000\times$ faster than naïve oblivious solutions, and its overheads relative to a non-oblivious baseline are limited to $2\times$--$6\times$.
△ Less
Submitted 23 June, 2020; v1 submitted 16 June, 2020;
originally announced June 2020.
-
An Off-Chip Attack on Hardware Enclaves via the Memory Bus
Authors:
Dayeol Lee,
Dongha Jung,
Ian T. Fang,
Chia-Che Tsai,
Raluca Ada Popa
Abstract:
This paper shows how an attacker can break the confidentiality of a hardware enclave with Membuster, an off-chip attack based on snooping the memory bus. An attacker with physical access can observe an unencrypted address bus and extract fine-grained memory access patterns of the victim. Membuster is qualitatively different from prior on-chip attacks to enclaves and is more difficult to thwart.…
▽ More
This paper shows how an attacker can break the confidentiality of a hardware enclave with Membuster, an off-chip attack based on snooping the memory bus. An attacker with physical access can observe an unencrypted address bus and extract fine-grained memory access patterns of the victim. Membuster is qualitatively different from prior on-chip attacks to enclaves and is more difficult to thwart.
We highlight several challenges for Membuster. First, DRAM requests are only visible on the memory bus at last-level cache misses. Second, the attack needs to incur minimal interference or overhead to the victim to prevent the detection of the attack. Lastly, the attacker needs to reverse-engineer the translation between virtual, physical, and DRAM addresses to perform a robust attack. We introduce three techniques, critical page whitelisting, cache squeezing, and oracle-based fuzzy matching algorithm to increase cache misses for memory accesses that are useful for the attack, with no detectable interference to the victim, and to convert memory accesses to sensitive data. We demonstrate Membuster on an Intel SGX CPU to leak confidential data from two applications: Hunspell and Memcached. We show that a single uninterrupted run of the victim can leak most of the sensitive data with high accuracy.
△ Less
Submitted 3 December, 2019;
originally announced December 2019.
-
Helen: Maliciously Secure Coopetitive Learning for Linear Models
Authors:
Wenting Zheng,
Raluca Ada Popa,
Joseph E. Gonzalez,
Ion Stoica
Abstract:
Many organizations wish to collaboratively train machine learning models on their combined datasets for a common benefit (e.g., better medical research, or fraud detection). However, they often cannot share their plaintext datasets due to privacy concerns and/or business competition. In this paper, we design and build Helen, a system that allows multiple parties to train a linear model without rev…
▽ More
Many organizations wish to collaboratively train machine learning models on their combined datasets for a common benefit (e.g., better medical research, or fraud detection). However, they often cannot share their plaintext datasets due to privacy concerns and/or business competition. In this paper, we design and build Helen, a system that allows multiple parties to train a linear model without revealing their data, a setting we call coopetitive learning. Compared to prior secure training systems, Helen protects against a much stronger adversary who is malicious and can compromise m-1 out of m parties. Our evaluation shows that Helen can achieve up to five orders of magnitude of performance improvement when compared to training using an existing state-of-the-art secure multi-party computation framework.
△ Less
Submitted 3 September, 2019; v1 submitted 16 July, 2019;
originally announced July 2019.
-
JEDI: Many-to-Many End-to-End Encryption and Key Delegation for IoT
Authors:
Sam Kumar,
Yuncong Hu,
Michael P Andersen,
Raluca Ada Popa,
David E. Culler
Abstract:
As the Internet of Things (IoT) emerges over the next decade, developing secure communication for IoT devices is of paramount importance. Achieving end-to-end encryption for large-scale IoT systems, like smart buildings or smart cities, is challenging because multiple principals typically interact indirectly via intermediaries, meaning that the recipient of a message is not known in advance. This…
▽ More
As the Internet of Things (IoT) emerges over the next decade, developing secure communication for IoT devices is of paramount importance. Achieving end-to-end encryption for large-scale IoT systems, like smart buildings or smart cities, is challenging because multiple principals typically interact indirectly via intermediaries, meaning that the recipient of a message is not known in advance. This paper proposes JEDI (Joining Encryption and Delegation for IoT), a many-to-many end-to-end encryption protocol for IoT. JEDI encrypts and signs messages end-to-end, while conforming to the decoupled communication model typical of IoT systems. JEDI's keys support expiry and fine-grained access to data, common in IoT. Furthermore, JEDI allows principals to delegate their keys, restricted in expiry or scope, to other principals, thereby granting access to data and managing access control in a scalable, distributed way. Through careful protocol design and implementation, JEDI can run across the spectrum of IoT devices, including ultra low-power deeply embedded sensors severely constrained in CPU, memory, and energy consumption. We apply JEDI to an existing IoT messaging system and demonstrate that its overhead is modest.
△ Less
Submitted 3 March, 2020; v1 submitted 30 May, 2019;
originally announced May 2019.
-
Cloud Programming Simplified: A Berkeley View on Serverless Computing
Authors:
Eric Jonas,
Johann Schleier-Smith,
Vikram Sreekanti,
Chia-Che Tsai,
Anurag Khandelwal,
Qifan Pu,
Vaishaal Shankar,
Joao Carreira,
Karl Krauth,
Neeraja Yadwadkar,
Joseph E. Gonzalez,
Raluca Ada Popa,
Ion Stoica,
David A. Patterson
Abstract:
Serverless cloud computing handles virtually all the system administration operations needed to make it easier for programmers to use the cloud. It provides an interface that greatly simplifies cloud programming, and represents an evolution that parallels the transition from assembly language to high-level programming languages. This paper gives a quick history of cloud computing, including an acc…
▽ More
Serverless cloud computing handles virtually all the system administration operations needed to make it easier for programmers to use the cloud. It provides an interface that greatly simplifies cloud programming, and represents an evolution that parallels the transition from assembly language to high-level programming languages. This paper gives a quick history of cloud computing, including an accounting of the predictions of the 2009 Berkeley View of Cloud Computing paper, explains the motivation for serverless computing, describes applications that stretch the current limits of serverless, and then lists obstacles and research opportunities required for serverless computing to fulfill its full potential. Just as the 2009 paper identified challenges for the cloud and predicted they would be addressed and that cloud use would accelerate, we predict these issues are solvable and that serverless computing will grow to dominate the future of cloud computing.
△ Less
Submitted 9 February, 2019;
originally announced February 2019.
-
A Berkeley View of Systems Challenges for AI
Authors:
Ion Stoica,
Dawn Song,
Raluca Ada Popa,
David Patterson,
Michael W. Mahoney,
Randy Katz,
Anthony D. Joseph,
Michael Jordan,
Joseph M. Hellerstein,
Joseph E. Gonzalez,
Ken Goldberg,
Ali Ghodsi,
David Culler,
Pieter Abbeel
Abstract:
With the increasing commoditization of computer vision, speech recognition and machine translation systems and the widespread deployment of learning-based back-end technologies such as digital advertising and intelligent infrastructures, AI (Artificial Intelligence) has moved from research labs to production. These changes have been made possible by unprecedented levels of data and computation, by…
▽ More
With the increasing commoditization of computer vision, speech recognition and machine translation systems and the widespread deployment of learning-based back-end technologies such as digital advertising and intelligent infrastructures, AI (Artificial Intelligence) has moved from research labs to production. These changes have been made possible by unprecedented levels of data and computation, by methodological advances in machine learning, by innovations in systems software and architectures, and by the broad accessibility of these technologies.
The next generation of AI systems promises to accelerate these developments and increasingly impact our lives via frequent interactions and making (often mission-critical) decisions on our behalf, often in highly personalized contexts. Realizing this promise, however, raises daunting challenges. In particular, we need AI systems that make timely and safe decisions in unpredictable environments, that are robust against sophisticated adversaries, and that can process ever increasing amounts of data across organizations and individuals without compromising confidentiality. These challenges will be exacerbated by the end of the Moore's Law, which will constrain the amount of data these technologies can store and process. In this paper, we propose several open research directions in systems, architectures, and security that can address these challenges and help unlock AI's potential to improve lives and society.
△ Less
Submitted 15 December, 2017;
originally announced December 2017.
-
Going Beyond Pollution Attacks: Forcing Byzantine Clients to Code Correctly
Authors:
Raluca Ada Popa,
Alessandro Chiesa,
Tural Badirkhanli,
Muriel Médard
Abstract:
Network coding achieves optimal throughput in multicast networks. However, throughput optimality \emph{relies} on the network nodes or routers to code \emph{correctly}. A Byzantine node may introduce junk packets in the network (thus polluting downstream packets and causing the sinks to receive the wrong data) or may choose coding coefficients in a way that significantly reduces the throughput of…
▽ More
Network coding achieves optimal throughput in multicast networks. However, throughput optimality \emph{relies} on the network nodes or routers to code \emph{correctly}. A Byzantine node may introduce junk packets in the network (thus polluting downstream packets and causing the sinks to receive the wrong data) or may choose coding coefficients in a way that significantly reduces the throughput of the network.
Most prior work focused on the problem of Byzantine nodes polluting packets. However, even if a Byzantine node does not pollute packets, he can still affect significantly the throughput of the network by not coding correctly. No previous work attempted to verify if a certain node \emph{coded correctly using random coefficients} over \emph{all} of the packets he was supposed to code over.
We provide two novel protocols (which we call PIP and Log-PIP) for detecting whether a node coded correctly over all the packets received (i.e., according to a random linear network coding algorithm). Our protocols enable any node in the network to examine a packet received from another node by running a "verification test". With our protocols, the worst an adversary can do and still pass the packet verification test is in fact equivalent to random linear network coding, which has been shown to be optimal in multicast networks. Our protocols resist collusion among nodes and are applicable to a variety of settings.
Our topology simulations show that the throughput in the worst case for our protocol is two to three times larger than the throughput in various adversarial strategies allowed by prior work. We implemented our protocols in C/C++ and Java, as well as incorporated them on the Android platform (Nexus One). Our evaluation shows that our protocols impose modest overhead.
△ Less
Submitted 9 August, 2011;
originally announced August 2011.
