Diffusion models are a powerful class of generative models that produce content, such as images, from user prompts, but they are computationally intensive. To mitigate this cost, recent academic and industrial work has adopted approximate caching, which reuses cached intermediate states computed for similar prompts. While efficient, this optimization breaks isolation among users and thereby introduces new security risks. This work comprehensively assesses the security vulnerabilities arising from approximate caching. First, we demonstrate a remote covert channel built on the cache: a sender injects prompts containing agreed-upon keywords into the cache, and a receiver can recover them, even days later, to exchange information. Second, we introduce a prompt stealing attack in which an attacker reconstructs existing cached prompts from the prompts that hit the cache. Finally, we present a poisoning attack that embeds the attacker's logo into previously stolen prompts, so that the logo is rendered in the outputs of future user prompts that hit the cache. All of these attacks are carried out remotely through the serving system, indicating severe security vulnerabilities in approximate caching.
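The covert channel described above can be sketched in miniature. This is an illustrative toy, not the paper's system: the `ApproxCache` class, the string-similarity threshold, and the keyword list are all hypothetical stand-ins for a real serving system's embedding-based cache of intermediate diffusion states. The sender encodes each bit by inserting (or withholding) a prompt built around an agreed keyword; the receiver later probes with near-identical prompts and decodes a cache hit as 1.

```python
from difflib import SequenceMatcher

class ApproxCache:
    """Toy approximate cache: a lookup hits when any stored prompt is
    sufficiently similar to the query. Real systems compare prompt
    embeddings; string similarity is a hypothetical stand-in."""
    def __init__(self, threshold=0.9):
        self.threshold = threshold
        self.store = []  # cached prompts (stand-ins for intermediate states)

    def lookup(self, prompt):
        return any(SequenceMatcher(None, prompt, p).ratio() >= self.threshold
                   for p in self.store)

    def insert(self, prompt):
        # On a miss, the serving system would compute and cache new states.
        if not self.lookup(prompt):
            self.store.append(prompt)

def send_bits(cache, bits, keywords):
    # Sender: for each 1-bit, seed the cache with a prompt around keyword i.
    for bit, kw in zip(bits, keywords):
        if bit:
            cache.insert(f"a photo of a {kw} at sunset")

def recv_bits(cache, keywords):
    # Receiver: probe with the agreed prompts; a cache hit decodes as 1.
    return [int(cache.lookup(f"a photo of a {kw} at sunset"))
            for kw in keywords]

cache = ApproxCache()
keywords = ["red fox", "blue whale", "green parrot", "golden eagle"]
send_bits(cache, [1, 0, 1, 1], keywords)
print(recv_bits(cache, keywords))  # -> [1, 0, 1, 1]
```

In a real deployment the receiver cannot inspect the cache directly and would instead infer hits from side effects, such as reduced generation latency or visible reuse of the sender's intermediate states in its own outputs.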