Attacks on Approximate Caches in Text-to-Image Diffusion Models
For users and providers of diffusion model services, this paper reveals that approximate caching, while efficient, introduces critical security vulnerabilities that can be exploited remotely.
This paper identifies and demonstrates three security vulnerabilities in approximate caching for text-to-image diffusion models: a remote covert channel, a prompt stealing attack, and a poisoning attack. All attacks are performed remotely through the serving system, showing that approximate caching breaks user isolation and introduces severe security risks.
Diffusion models are a powerful class of generative models that produce images and other content from user prompts, but they are computationally intensive. To mitigate this cost, recent academic and industry work has adopted approximate caching, which reuses intermediate states from similar prompts in a cache. While efficient, this optimization introduces new security risks by breaking isolation among users. This paper provides a comprehensive assessment of the security vulnerabilities introduced by approximate caching. First, we demonstrate a remote covert channel established with the approximate cache, where a sender injects prompts with special keywords into the cache system and a receiver can recover that even after days, to exchange information. Second, we introduce a prompt stealing attack using the approximate cache, where an attacker can recover existing cached prompts from hits. Finally, we introduce a poisoning attack that embeds the attacker's logos into the previously stolen prompt, leading to unexpected logo rendering for the requests that hit the poisoned cache prompts. These attacks are all performed remotely through the serving system, demonstrating severe security vulnerabilities in approximate caching. The code for this work is available.