David Pfaff

Marie-Therese Walter, David Pfaff, Stefan Nürnberger et al.

Memory corruption vulnerabilities often enable attackers to take control of a target system by overwriting control-flow relevant data (such as return addresses and function pointers), which are potentially stored in close proximity of related, typically user-controlled data on the stack. In this paper, we propose ProConDa, a general approach for protecting control-flow relevant data on the stack ProConDa leverages hardware features to enforce a strict separation between control-flow relevant and regular data of programs written in non-memory-safe languages such as C. Contrary to related approaches, ProConDa does not rely on information hiding and is therefore not susceptible to several recent attacks specifically targeting information hiding as a foundation for memory isolation. We show that ProConDa enforcement is compatible with existing software by applying a software-based prototype to industry benchmarks on an ARM CPU running Linux.

Kathrin Grosse, David Pfaff, Michael Thomas Smith et al.

Machine learning models are vulnerable to adversarial examples: minor perturbations to input samples intended to deliberately cause misclassification. While an obvious security threat, adversarial examples yield as well insights about the applied model itself. We investigate adversarial examples in the context of Bayesian neural network's (BNN's) uncertainty measures. As these measures are highly non-smooth, we use a smooth Gaussian process classifier (GPC) as substitute. We show that both confidence and uncertainty can be unsuspicious even if the output is wrong. Intriguingly, we find subtle differences in the features influencing uncertainty and confidence for most tasks.

Kathrin Grosse, David Pfaff, Michael Thomas Smith et al.

Machine learning models are vulnerable to Adversarial Examples: minor perturbations to input samples intended to deliberately cause misclassification. Current defenses against adversarial examples, especially for Deep Neural Networks (DNN), are primarily derived from empirical developments, and their security guarantees are often only justified retroactively. Many defenses therefore rely on hidden assumptions that are subsequently subverted by increasingly elaborate attacks. This is not surprising: deep learning notoriously lacks a comprehensive mathematical framework to provide meaningful guarantees. In this paper, we leverage Gaussian Processes to investigate adversarial examples in the framework of Bayesian inference. Across different models and datasets, we find deviating levels of uncertainty reflect the perturbation introduced to benign samples by state-of-the-art attacks, including novel white-box attacks on Gaussian Processes. Our experiments demonstrate that even unoptimized uncertainty thresholds already reject adversarial examples in many scenarios. Comment: Thresholds can be broken in a modified attack, which was done in arXiv:1812.02606 (The limitations of model uncertainty in adversarial settings).