Two Essential Steps to Creating an Air Gapped Deep Learning Environment
What Are Side-Channel Attacks?
With deep learning for computer vision and natural language processing being the current technology obsession, privacy and security considerations are often overlooked. When a company implements "deep learning for x", op-sec gaps are typically left wide open. Sensitive data such as photos, videos, names, email addresses, billing information, or other confidential information are often easy targets for malicious actors looking to exploit such channels. A properly air gapped system is resistant to side-channel attacks, which are attacks based on information gained from the implementation of a computer system.
Methods of Side-Channel Attacks
Side-channel actors have become exceedingly crafty in their methods, for example maliciously using a smartphone's magnetic sensors to exfiltrate information from air gapped computers (1), or using other electromagnetic covert channels (2). These in turn have prompted more extreme countermeasures, including magnetic shielding using special ferromagnetic materials, signal jamming, which generates a signal in the vicinity of the computer so that it interferes with unauthorized communications, and zoning standards such as NATO SDIP-27 and SDIP-28, which define separate zones in which electronic equipment is allowed (1) (3).
So now, assuming you've hardened your work area against as many attack vectors as possible, let's look at how to harness the power of deep learning in a secure air gapped environment.
The Basic Commands Are As Follows:
1. On another system with Docker
- Use docker pull <docker name> to download the Docker image:
    docker pull <docker name>
- Next, use docker save to write the image to a tarball:
    docker save <docker name> > ~/image/location/image_name.tar
Note: You can specify a version in both commands by appending a tag, for example :x.x.x.x; if you leave it off, Docker defaults to the latest tag for that image.
2. On the air gapped server, copy over the tarball, then use docker load < /image/location/image_name.tar:
    docker load < /image/location/image_name.tar
Note: You may want to remove the previous version to make things easier, but it *should* just import the new version of that specific image.
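The tarball is the only thing that crosses the air gap, so it is worth checking that what gets loaded is what was saved. The script below is an added example, not part of the original article: it wraps the same pull, save and load steps with a SHA-256 manifest, and the function names and the .sha256 sidecar file are assumptions of this example.

```shell
#!/bin/sh
# Added example: integrity check around the docker save / docker load transfer.
# Function names and the ".sha256" sidecar file are assumptions of this example.

# Connected host: record the SHA-256 of the saved tarball next to it.
write_manifest() {
    tarball=$1
    ( cd "$(dirname "$tarball")" &&
      sha256sum "$(basename "$tarball")" > "$(basename "$tarball").sha256" )
}

# Air gapped host: succeed only if the tarball still matches its manifest.
verify_manifest() {
    tarball=$1
    [ -f "$tarball.sha256" ] || { echo "missing manifest for $tarball" >&2; return 1; }
    ( cd "$(dirname "$tarball")" &&
      sha256sum -c "$(basename "$tarball").sha256" >/dev/null 2>&1 )
}

# Connected host: pull a pinned tag, save it, and write the manifest.
export_image() {
    image=$1; tarball=$2
    docker pull "$image" &&
    docker save -o "$tarball" "$image" &&
    write_manifest "$tarball"
}

# Air gapped host: refuse to load a tarball that fails verification.
import_image() {
    tarball=$1
    if verify_manifest "$tarball"; then
        docker load -i "$tarball"
    else
        echo "checksum mismatch, not loading $tarball" >&2
        return 1
    fi
}
```

A manifest carried on the same removable media only catches corruption in transit. To catch tampering, compare the hash against a copy that reached the air gapped side by a separate path.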
In Conclusion
While it may seem like an uphill battle, air gapping your deep learning environment and securing it (as mentioned above) against as many side-channel attacks as possible can ultimately help protect sensitive data from falling into the hands of an adversary. It's a cat and mouse game: one must remain vigilant and mindful that sensitive data on your deep learning machine must be protected as any highly valuable asset would be.
References
(1) M. Guri, A. Daidakulov, and Y. Elovici, "MAGNETO: Covert Channel between Air-Gapped Systems and Nearby Smartphones via CPU-Generated Magnetic Fields," February 2018.
(2) S. B. Moore, J. Gatlin, S. Belikovetsky, M. Yampolskiy, W. King, and Y. Elovici, "Power Consumption-based Detection of Sabotage Attacks in Additive Manufacturing," September 2017.
(3) R. Anderson, "Emission security," Security Engineering, pp. 523–546, 2008.