top | item 33144742

(no title)

37ef_ced3 | 3 years ago

This will not be able to reverse engineer fully-customized, fully-fused neural networks generated by NN-512:

NN-512 generates custom code for all the operations, custom units of work for the threads, custom code around tensor edges, everything is fused and unrolled and customized. If they can deduce the network graph specification from the AVX-512 code, I will be astonished.

If you can do it, show me. But I know you can't.

Anyone who cares about model privacy will use their own variant of a tool like NN-512. It's security through obscurity, but that's the best you can hope for if you are distributing an executable.

discuss

j-krieger|3 years ago

I firmly believe that security by obscurity should be given more credit than is done normally. If you are a pretty uninteresting target and you want to protect your binaries, making them too tough of a nut to crack in comparison to the motivation of the reverse engineer is a valid strategy.

batch12|3 years ago

It's not that there's no value in security-by-obscurity. The issue is when it's the only control. I agree that some are too quick to dismiss operational security controls.

chii|3 years ago

it's certainly valid. Obscurity is cheap and easy.

The only problem is when it's the _only_ security for certain types of threat models that require defence in depth - such as credentials in authentication.

unknown|3 years ago

[deleted]

userbinator|3 years ago

If you can do it, show me. But I know you can't

I've been out of the cracking scene for over a decade now, but I expect that to be none other than a challenge, having seen how far publicly available decompilers have progressed.

37ef_ced3|3 years ago

Here is the C code for a DenseNet-121 generated by NN-512:

https://nn-512.com/browse/DenseNet121

Even if you had the C code available to you, you would have a hard time producing the input graph.

Good luck reverse engineering it after GCC has compiled it!

NN-512 has an incredibly flexible code generator. It can easily be tweaked to produce completely different code for the same convolution, so everyone can apply their own twist to defeat the reverse engineers ("the intellectual property thieves").

fxtentacle|3 years ago

Thing is, I don't have to to extract your AI.

I can just separate your obfuscated AI execution into a DLL. And then I call that DLL with lots of randomly generated input data and estimate the numerical gradients from that. And now I have everything I need to copy things over into a similar NN architecture.

Yes, it might take a few days to evaluate everything, but CPU time is cheap compared to research and employees needed to reverse engineer your implementation.

That said, NN-512 is great because it produces optimized CPU code, thus making deployment cheaper.

smeagull|3 years ago

Just transfer learn to a bunch of likely architectures.

bertr4nd|3 years ago

By “fully fused” do you mean no function call boundaries? (“Fused” is such an overloaded term)

37ef_ced3|3 years ago

Convolutions are fused into convolutions, elementwise operations are fused into convolutions, everything is inlined except where function calls are needed for pthread work units (and those work units are all custom/arbitrary).

rootw0rm|3 years ago

exe sample?

c0balt|3 years ago

I don't have a ms windows pc available nor the time to setup cross compilation for one rn. (Assuming you meant an executable file for one of those with 'exe').

However you ahould be able be able to compile one for yourself by downloading, from e.g. https://nn-512.com/browse/DenseNet121, one of the generated C files and compiling it with GCC[0]. It shouldn't require any special dependencies beside AVX support on your CPU.

Edit: Regarding general decompilation for neural networks this project might be interesting[1]

[0]: https://gcc.gnu.org/ [1]: https://github.com/monkbai/DNN-decompiler

37ef_ced3|3 years ago

So...

...you were unable to decipher this Hacker News comment thread...

...unable find some C code and build it with GCC and make an executable for yourself...

...but you think you can reverse engineer the executable?