Yannick Teglia

CR
h-index: 9
Papers: 6
Citations: 32
Novelty: 59%
AI Score: 49

6 Papers

CL, Jun 2 (99.2)
Backdoor Unlearning Generalization: A Path Toward the Removal of Unknown Triggers in LLMs

Lisa Bouger, Théo Lasnier, Philippe Looubet Moundi et al.

Backdoor attacks in Large Language Models (LLMs) are a growing security concern, where models can generate adversary-chosen content. Existing defenses target backdoors one at a time and typically require knowledge of the trigger, leaving the defender at a structural disadvantage when unknown backdoors may exist in a model. We show that backdoor neutralization through unlearning generalizes across backdoors: training a model to ignore a single trigger can also suppress other backdoors that were never explicitly targeted. We study this phenomenon across three model families, whose backdoors were injected via pretraining or continual pretraining, by analyzing the models obtained after removing one backdoor at a time. To understand why unlearning certain backdoors induces the suppression of others, we introduce the Cross Activation Shift Distance to quantify the distance between model changes induced by different trainings. Our results open a new direction for LLM safety, as defenders could deliberately inject controlled backdoors and then remove them, leveraging cross-backdoor transfer to also suppress unknown backdoors that an attacker may have previously introduced in the model.

CR, Oct 18, 2024
Backdoored Retrievers for Prompt Injection Attacks on Retrieval Augmented Generation of Large Language Models

Cody Clop, Yannick Teglia

Large Language Models (LLMs) have demonstrated remarkable capabilities in generating coherent text but remain limited by the static nature of their training data. Retrieval Augmented Generation (RAG) addresses this issue by combining LLMs with up-to-date information retrieval, but it also expands the attack surface of the system. This paper investigates prompt injection attacks on RAG, focusing on malicious objectives beyond misinformation, such as inserting harmful links, promoting unauthorized services, and initiating denial-of-service behaviors. We build upon existing corpus poisoning techniques and propose a novel backdoor attack aimed at the fine-tuning process of the dense retriever component. Our experiments reveal that corpus poisoning can achieve significant attack success rates through the injection of a small number of compromised documents into the retriever corpus. In contrast, backdoor attacks demonstrate even higher success rates but necessitate a more complex setup, as the victim must fine-tune the retriever using the attacker-poisoned dataset.

CV, Aug 1, 2025
Backdoor Attacks on Deep Learning Face Detection

Quentin Le Roux, Yannick Teglia, Teddy Furon et al.

Face Recognition Systems that operate in unconstrained environments capture images under varying conditions, such as inconsistent lighting or diverse face poses. These challenges require including a Face Detection module that regresses bounding boxes and landmark coordinates for proper Face Alignment. This paper shows the effectiveness of Object Generation Attacks on Face Detection, dubbed Face Generation Attacks, and demonstrates for the first time a Landmark Shift Attack that backdoors the coordinate regression task performed by face detectors. We then offer mitigations against these vulnerabilities.

CV, Jul 2, 2025
Survivability of Backdoor Attacks on Unconstrained Face Recognition Systems

Quentin Le Roux, Yannick Teglia, Teddy Furon et al.

The widespread deployment of Deep Learning-based Face Recognition Systems raises multiple security concerns. While prior research has identified backdoor vulnerabilities on isolated components, Backdoor Attacks on real-world, unconstrained pipelines remain underexplored. This paper presents the first comprehensive system-level analysis of Backdoor Attacks targeting Face Recognition Systems and provides three contributions. We first show that face feature extractors trained with large margin metric learning losses are susceptible to Backdoor Attacks. By analyzing 20 pipeline configurations and 15 attack scenarios, we then reveal that a single backdoor can compromise an entire Face Recognition System. Finally, we propose effective best practices and countermeasures for stakeholders.

CR, Feb 8, 2022
CVA6's Data cache: Structure and Behavior

Valentin Martinoli, Yannick Teglia, Abdellah Bouagoun et al.

Since the disclosure of Spectre and Meltdown in 2018, a new category of attacks has been identified and characterized by the scientific community. The Foreshadow attack, the first one to target Intel's secure enclave technology (namely SGX), was developed shortly after. It opened the way to microarchitectural attacks on Intel's architecture and led to the rapid development of microarchitectural attacks that continues today. While Spectre and Meltdown are often considered the first microarchitectural attacks, one can argue that cache attacks, as introduced by Osvik et al. in 2006, were the first type of microarchitectural attack to be developed. Even though there are now many variants, they remain the most prominent type of microarchitectural attack. One example of a cache microarchitectural covert channel is Prime+Probe. Having mostly targeted the Intel architecture, microarchitectural attacks are now challenging a wider variety of CPUs. Recently, CPUs running the RISC-V Instruction Set Architecture have been targeted. One famous and widely used RISC-V CPU is ETH Zurich's CVA6 (formerly Ariane) core. CVA6 is a 6-stage, single-issue, in-order CPU. To the best of our knowledge, there is no existing document presenting very detailed aspects of the CVA6 microarchitecture, especially with respect to the data cache. Such information is mandatory to deeply understand any architectural or microarchitectural study, such as the replication of the Prime+Probe attack on the CVA6 CPU proposed by Nils Wistoff. This paper presents the implementation of the Data cache in the CVA6 CPU from the OpenHW Group by focusing on its memory structure and explaining through several examples what happens when a request for memory allocation occurs.

CR, Sep 16, 2020
SideLine: How Delay-Lines (May) Leak Secrets from your SoC

Joseph Gravellier, Jean-Max Dutertre, Yannick Teglia et al.

To meet the ever-growing need for performance in silicon devices, SoC providers have been increasingly relying on software-hardware cooperation. By controlling hardware resources such as power or clock management from software, developers gain the possibility to build more flexible and power-efficient applications. Despite the benefits, these hardware components are now exposed to software code and can potentially be misused as open doors to jeopardize trusted environments, perform privilege escalation, or steal cryptographic secrets. In this work, we introduce SideLine, a novel side-channel vector based on delay-line components widely implemented in high-end SoCs. After providing a detailed method on how to access and convert delay-line data into power consumption information, we demonstrate that these entities can be used to perform remote power side-channel attacks. We report experiments carried out on two SoCs from distinct vendors and recount several core-vs-core attack scenarios in which an adversary process located in one processor core aims at eavesdropping on the activity of a victim process located in another core. For each scenario, we demonstrate the adversary's ability to fully recover the secret key of an OpenSSL AES running in the victim core. Even more detrimental, we show that these attacks are still practicable if the victim or the attacker program runs on top of an operating system.