Randomness supports many critical functions in the field of machine learning (ML), including optimisation, data selection, privacy, and security. ML systems outsource the task of generating or harvesting randomness to the compiler, the cloud service provider, or elsewhere in the toolchain. Yet there is a long history of attackers exploiting poor randomness, or even creating it -- as when the NSA put backdoors in random number generators to break cryptography. In this paper we consider whether attackers can compromise an ML system using only the randomness on which such systems commonly rely. We focus our effort on Randomised Smoothing, a popular approach to train certifiably robust models and to certify specific input datapoints of an arbitrary model. We choose Randomised Smoothing since it is used for both security and safety -- to counteract adversarial examples and to quantify uncertainty, respectively. Under the hood, it relies on sampling Gaussian noise to explore the volume around a data point in order to certify that a model is not vulnerable to adversarial examples there. We demonstrate an entirely novel attack against it, in which an attacker backdoors the supplied randomness to falsely certify either an overestimate or an underestimate of robustness. We demonstrate that such attacks are possible, that they require very small changes to the randomness to succeed, and that they can be hard to detect. As an example, we hide an attack in the random number generator and show that the randomness tests suggested by NIST fail to detect it. We advocate updating the NIST guidelines on random number testing to make them more appropriate for safety-critical and security-critical machine-learning applications.
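To make the mechanism in the abstract concrete, the following is an added example (not code from the paper or its authors) of a Randomised Smoothing certification step in which the noise source is pluggable. It certifies a point with an honest Gaussian sampler and then with a constructed, deliberately crude "backdoored" sampler that silently shrinks the noise scale; the shrunken noise makes the votes look more stable than they are, so the certified radius overshoots the base classifier's true distance to its decision boundary, which is the overestimate case described above. Everything here is an assumption for illustration: the toy linear base classifier on R^2, the Hoeffding lower confidence bound (the standard certify procedure uses a Clopper-Pearson interval), the scale factor of the tampered sampler, and the final variance sanity check, which is a simple defender-side consistency test and is not one of the NIST randomness tests the paper discusses.

```python
import math
import random
from statistics import NormalDist

SIGMA = 0.5     # smoothing noise level (assumed)
N = 2000        # Monte Carlo samples per certification (assumed)
ALPHA = 0.001   # failure probability of the lower confidence bound (assumed)


def base_classifier(x):
    """Constructed toy base classifier on R^2: class 1 iff x0 + x1 > 1."""
    return 1 if x[0] + x[1] > 1.0 else 0


def true_l2_margin(x):
    """Exact L2 distance from x to the toy classifier's decision boundary."""
    return abs(x[0] + x[1] - 1.0) / math.sqrt(2.0)


def honest_noise(rng, dim, sigma):
    """Honest isotropic Gaussian noise N(0, sigma^2 I)."""
    return [rng.gauss(0.0, sigma) for _ in range(dim)]


def tampered_noise(rng, dim, sigma, shrink=0.6):
    """Constructed backdoored sampler: same interface, but the noise is
    silently scaled down, so the smoothed classifier looks more stable."""
    return [rng.gauss(0.0, sigma * shrink) for _ in range(dim)]


def lower_confidence_bound(count, n, alpha):
    """One-sided Hoeffding lower bound on the true top-class vote probability
    (assumed here in place of the Clopper-Pearson interval)."""
    p_hat = count / n
    return max(0.0, p_hat - math.sqrt(math.log(1.0 / alpha) / (2.0 * n)))


def certify(x, noise_fn, sigma=SIGMA, n=N, alpha=ALPHA, seed=0):
    """Randomised Smoothing certification of a single input x.

    Returns (predicted class, certified L2 radius, empirical noise variance).
    A radius of 0.0 means the certifier abstains.
    """
    rng = random.Random(seed)
    dim = len(x)
    votes = {}
    sum_sq = 0.0
    for _ in range(n):
        eps = noise_fn(rng, dim, sigma)
        sum_sq += sum(e * e for e in eps)
        c = base_classifier([xi + ei for xi, ei in zip(x, eps)])
        votes[c] = votes.get(c, 0) + 1
    empirical_var = sum_sq / (n * dim)   # kept so the caller can audit the noise
    top_class, top_count = max(votes.items(), key=lambda kv: kv[1])
    p_lower = lower_confidence_bound(top_count, n, alpha)
    if p_lower <= 0.5:
        return top_class, 0.0, empirical_var
    radius = sigma * NormalDist().inv_cdf(p_lower)
    return top_class, radius, empirical_var


def noise_looks_honest(empirical_var, sigma, n, dim, z=4.0):
    """Defender-side sanity check (assumed, not a NIST test): for honest
    N(0, sigma^2) noise the sample variance over n*dim draws has standard
    deviation sigma^2 * sqrt(2 / (n*dim)); flag anything more than z of
    those away from sigma^2."""
    tol = z * sigma * sigma * math.sqrt(2.0 / (n * dim))
    return abs(empirical_var - sigma * sigma) <= tol


if __name__ == "__main__":
    x = [1.0, 0.3]   # constructed input, 0.3 above the boundary along x0 + x1
    for name, fn in (("honest", honest_noise), ("tampered", tampered_noise)):
        cls, radius, var = certify(x, fn)
        print(f"{name:8s} class={cls} certified_radius={radius:.3f} "
              f"true_margin={true_l2_margin(x):.3f} "
              f"noise_var={var:.4f} passes_check={noise_looks_honest(var, SIGMA, N, 2)}")
```

With the honest sampler the certified radius stays below the true margin, as a sound certificate must; with the tampered sampler it exceeds the true margin, so the input is falsely certified robust at a radius where an adversarial example exists. The variance check catches this coarse tampering only because the scale change is large; the attack in the paper is far subtler, which is exactly why the authors argue the standard randomness tests need updating for this setting.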