GateBleed: Exploiting On-Core Accelerator Power Gating for High Performance and Stealthy Attacks on AI

---

Review Form

Reviewer: The Guardian (Adversarial Skeptic)

Summary

The authors present "GateBleed," a purported timing side channel in Intel's Advanced Matrix Extensions (AMX) on 4th Gen Xeon CPUs. The central claim is that an undocumented, staged power gating mechanism creates distinct, reuse-distance-dependent latencies for AMX instructions. The paper attempts to build upon this primitive to demonstrate three classes of attacks: AI privacy leaks (membership inference, MoE expert routing), a generic microarchitectural magnifier, and a high-bandwidth remote covert channel for Spectre-style attacks. The authors claim their attack is both high-performance and stealthy, evading state-of-the-art hardware attack detectors.

While the initial characterization of the timing anomaly is notable, the paper's primary claims regarding the attack's real-world viability, novelty of impact, and stealthiness are insufficiently supported by the provided evidence. The work suffers from a combination of threat model contrivances, overstated conclusions, and a lack of rigorous, controlled comparisons against established baselines.

Strengths

1. Systematic Characterization of a Timing Anomaly: The authors have performed a detailed characterization of AMX instruction latency as a function of idle duration (Figure 1, page 2). The investigation in Section 4.3 to rule out confounding factors like DVFS, C-states, and value dependency is methodical and represents a solid piece of reverse engineering.
2. Demonstration of a Primitive: The paper successfully identifies a timing differential and demonstrates that it can be triggered. The core phenomenon—that an AMX instruction can take ~50 cycles or ~20,000 cycles depending on recent activity—is clearly established on the tested hardware.
3. Breadth of Exploration: The authors apply their primitive to multiple domains (AI privacy, remote channels), showing ambition in exploring the potential impact of the vulnerability.

Weaknesses

1. Insufficient Proof of Root Cause: The central pillar of this paper is that the timing variance is caused by "undocumented power gating." The primary evidence for this is the correlation between latency states and package-level power consumption shown in Figure 5 (page 8). While suggestive, this is not definitive proof. Package-level power is a coarse metric, and the observed drop could be correlated with, but not directly caused by, the same mechanism responsible for the latency. Without more direct evidence (e.g., from on-chip sensors, thermal analysis, or official documentation), attributing this exclusively to power gating is an unsubstantiated leap. The mechanism could be a more complex, undocumented power/clock management state machine.

2. Contrived Threat Models for AI Attacks: The demonstrated AI attacks rely on scenarios that lack clear justification for their real-world prevalence.

   • The Mixture-of-Experts (MoE) attack (Section 6.2) achieves its claimed 100% accuracy only with a "layer gap ≥ 8" between experts. This is an extreme case of architectural heterogeneity. The authors provide no evidence that such architecturally imbalanced MoE models are common or practical in production. The attack's effectiveness degrades significantly as the experts become more similar (Table 4, page 11), which is the more likely scenario.
   • The Membership Inference Attack (MIA) (Section 6.3) claims its 81% accuracy "rivals or exceeds prior attacks." This claim is made without a crucial baseline. The authors should have implemented a standard, confidence-score-based MIA on the exact same early-exit Transformer model to provide a direct comparison. Without this control, it is impossible to assess whether this complex timing-based approach offers any practical advantage over well-established, and potentially simpler, methods.

3. Overstated Claims of Performance and Stealth:

   • Remote Channel Performance: The claimed 70,000x leakage rate improvement over NetSpectre (Section 6.4) is sensationalized. The term "production network" is used without any quantitative characterization of its properties (i.e., baseline latency, jitter, packet loss). Network noise is the single most important variable for remote timing attacks. Without these statistics, the comparison is meaningless and the results are not reproducible or generalizable. The presented violin plots in Figure 9 (page 12) show clear separation, but this could easily be a result of a low-noise, low-contention network path.
   • Stealthiness: The claim of evading SOTA detectors (Section 6.7) is not rigorously proven. The authors state that including the EXE.AMX_BUSY performance counter "did not improve the models' performances." This is a weak dismissal. A thorough analysis would require detailing how this feature was incorporated into the detectors' models and presenting the resulting detection accuracy. It is plausible that a detector specifically designed to look for sparse, high-latency AMX executions could be effective. The current analysis is insufficient to support the strong claim of being "effectively invisible" (page 13).

4. Limited Scope of Hardware Evaluation: The experiments were conducted on a single CPU model (Intel Xeon Gold 5420+). The paper makes broad claims about "Intel AMX," but provides no evidence that this specific timing behavior is present across the entire Sapphire Rapids family, let alone subsequent generations like Emerald Rapids. The findings may be specific to a particular stepping or microcode version of a single product.

Questions to Address In Rebuttal

1. Root Cause: Beyond the correlation with package power, what further evidence can you provide to definitively attribute the observed latency stages to a power gating mechanism, as opposed to another undocumented microarchitectural state change (e.g., clock gating, firmware-managed idle state)?

2. MoE Attack Realism: Please provide justification or citations from deployed systems showing that MoE models with significant architectural heterogeneity (e.g., an 8-layer difference between experts) are a realistic threat model, rather than a constructed best-case scenario for your attack.

3. MIA Baseline: Please provide results from a direct, controlled comparison of your timing-based MIA against a standard confidence-score-based MIA performed on the identical early-exit Transformer model and dataset. This is essential to substantiate the claim that your attack "rivals or exceeds" prior work.

4. Remote Channel Characterization: Please provide quantitative metrics for the "production network" used in Section 6.4, including mean latency, standard deviation (jitter), and packet loss rates over the experiment's duration. How does GateBleed's performance degrade as jitter increases?

5. Stealth Analysis: Please provide a more detailed analysis of the attempt to retrain SOTA detectors. Specifically, describe the feature engineering for the EXE.AMX_BUSY counter and present the full confusion matrix for the retrained detectors. Why, precisely, does this feature fail to enable detection?

---

Review Form

Reviewer: The Synthesizer (Contextual Analyst)

Summary

This paper introduces GATEBLEED, a novel and potent timing side channel rooted in the aggressive power gating mechanism of Intel's on-core AI accelerator, Advanced Matrix Extensions (AMX). The core contribution is the discovery that the time required to "wake up" the AMX unit from various power-gated states creates a massive and easily measurable timing discrepancy (up to 20,000 cycles).

The authors masterfully demonstrate that this is not merely an interesting microarchitectural quirk but a versatile and powerful attack primitive with two significant applications:

1. A new vector for AI privacy attacks: They show how GATEBLEED can be used to perform high-accuracy membership inference and infer routing decisions in Mixture-of-Experts (MoE) models. Crucially, these attacks operate purely on timing, without needing access to model outputs like logits or confidence scores, thereby bypassing a whole class of traditional defenses.
2. A generic, high-performance, and stealthy attack magnifier: They repurpose GATEBLEED as a transmission channel for a remote Spectre attack that is robust to network noise, and as a magnifier that can amplify subtle microarchitectural events to bypass timer coarsening defenses.

The work provides a thorough characterization of the vulnerability, identifies exploitable gadgets in major ML libraries, demonstrates end-to-end attacks, and evaluates potential mitigations.

Strengths

The true strength of this paper lies in its synthesis of several research domains and its demonstration of a fundamental vulnerability with far-reaching implications.

1. Bridging Hardware Architecture and AI Security: The most significant contribution is the direct line it draws from a low-level hardware power optimization to high-level AI privacy risks. While prior works have attacked AI models via side channels (e.g., Cache Telepathy [144]), GATEBLEED exposes a new, more fundamental leakage source. By linking the conditional execution inherent in modern models (like MoEs and early-exit networks) to the conditional activation of a hardware accelerator, the paper reveals that architectural choices in ML now have direct, exploitable hardware security consequences. This is a timely and important connection.

2. Exceptional Signal-to-Noise Ratio and Practicality: The vulnerability's defining characteristic is the sheer magnitude of the timing delta. A 20,000-cycle gap is orders of magnitude larger than those seen in previous power/frequency-based attacks like Hertzbleed [135] (~200 cycles). This is not an incremental improvement; it is a categorical shift. This massive signal makes the attack resilient to real-world noise (as demonstrated in the remote Spectre attack in Section 6.4, page 11) and resistant to standard defenses like timer coarsening, lending the attacks a degree of practicality rarely seen in academic side-channel research.

3. Stealth and Evasion of Existing Defenses: The paper convincingly argues that GATEBLEED is exceptionally stealthy. Because the attack can be triggered by a single instruction following a period of natural idleness, it leaves minimal footprint and evades state-of-the-art microarchitectural attack detectors (as shown in Table 5, page 13). This is a critical finding, as it suggests that current defense paradigms, which often look for anomalous patterns like high cache miss rates or TLB flushing, are blind to this class of vulnerability.

4. Broad Applicability as a Generic Primitive: Beyond the novel AI attacks, the positioning of GATEBLEED as a generic magnifier and covert channel primitive (Section 5.2, page 8 and Section 6.4, page 11) significantly broadens the paper's impact. It provides the security community with a powerful new building block that could enable or enhance a wide range of microarchitectural attacks, especially in constrained or noisy environments where they were previously infeasible.

Weaknesses

The paper's core ideas are strong, and the execution is thorough. The weaknesses are less about flaws and more about opportunities to further explore the context and boundaries of the findings.

1. Limited Discussion on Threat Model Practicality in Cloud Environments: The most powerful local attacks rely on the "AMX Usage" threat model, where an attacker process is co-located on the same physical core as the victim. While possible, modern hypervisor and OS schedulers in multi-tenant cloud environments are increasingly sophisticated and may actively work to isolate workloads, potentially making same-core co-residency a rare or difficult-to-achieve condition. A deeper discussion of the real-world probability and techniques for achieving this co-residency would strengthen the paper's claims about practical risk.

2. The Scope of Generality: The paper demonstrates GATEBLEED's capability as a magnifier by amplifying a cache hit/miss timing difference. This is a clear and effective proof of concept. However, to truly cement its status as a generic magnifier, it would be beneficial to discuss or demonstrate its application to other, more subtle microarchitectural events, such as contention on execution ports or scheduler queues.

3. A Singular Focus on AMX: The work is an excellent deep dive into Intel's AMX. However, AMX is just one example of a broader trend toward on-core, specialized accelerators (e.g., NPUs in consumer chips, Google's TPUs). The paper would be even more impactful if it briefly contextualized its findings within this trend, speculating on whether similar design principles (i.e., aggressive power gating for high-power, intermittently-used units) might lead to analogous vulnerabilities in other vendors' hardware.

Questions to Address In Rebuttal

1. Regarding the threat model for the co-resident attacks: Could the authors comment on the prevalence of same-core scheduling in major public cloud environments (e.g., AWS, GCP, Azure)? Are there known techniques an attacker could use to increase the likelihood of being scheduled on the same core as a target victim process?

2. The paper compellingly demonstrates GATEBLEED as a magnifier for a cache timing delta. Could the authors elaborate on its potential to amplify other, more subtle microarchitectural events? Is the 20,000-cycle "cliff" sensitive enough to be tipped by phenomena smaller than an L3 cache miss, such as contention for a specific execution port?

3. Given the industry-wide trend towards integrating specialized accelerators directly onto the CPU die, do the authors believe that power gating mechanisms in other on-core accelerators (e.g., NPUs, integrated GPUs) represent a likely new frontier for GATEBLEED-style vulnerabilities? Are there fundamental architectural reasons why this vulnerability might be unique to AMX, or is it likely a more generalizable problem?

---

Review Form

Reviewer: The Innovator (Novelty Specialist)

Summary

The authors present GateBleed, a timing side channel vulnerability found in the power gating mechanism of Intel's Advanced Matrix Extensions (AMX) on-core AI accelerator. The core of the work is the discovery and characterization of an undocumented, multi-stage power management feature that introduces reuse-distance-dependent latency variations of up to 20,000 cycles.

The authors leverage this new primitive in three primary ways:

1. As a novel vector for AI privacy attacks (Membership Inference and Mixture-of-Experts routing leakage) that relies solely on timing and not on model outputs like confidence scores.
2. As a generic, single-instruction "magnifier" to amplify subtle microarchitectural state differences, making them observable even with coarse timers.
3. As a high-bandwidth covert channel for remote attacks like Spectre, which is shown to be resilient to network noise where prior art fails.

The paper claims novelty in being the first to exploit accelerator power optimizations for AI privacy attacks and in creating a uniquely stealthy and powerful microarchitectural magnifier.

Strengths

The primary strength of this paper is the discovery of a genuinely new and potent microarchitectural primitive. My analysis of prior art confirms the following points of novelty:

1. A New Primitive, Not Just a New Target: The core discovery—a multi-stage, stepped power gating mechanism local to the AMX unit (as detailed in Section 4, pages 6-8 and Figure 1, page 2)—is fundamentally different from previously known power-related side channels.

   • It is distinct from DVFS-based channels like Hertzbleed [135], as the authors demonstrate the effect persists at fixed frequencies (Section 4.3, page 7).
   • It is distinct from whole-core sleep state channels like IdleLeak [105], as it is independent of core C-states.
   • Crucially, it is distinct from the closest related work, Thor [29], which also targets AMX. Thor describes an operand-dependent timing variation in a single low-power state. GateBleed describes a reuse-distance-dependent timing variation across five distinct power-gating stages. The root cause is different, and the latency magnitude of GateBleed appears to be two orders of magnitude larger, making it a far more powerful primitive.

2. Novel Advancement in Magnifier Design: The formulation of GateBleed as a single-instruction magnifier (Section 5.2, page 8) is a significant conceptual advance over prior art. Existing magnifiers like Hacky Racers [143] require complex, carefully crafted instruction sequences to exploit Instruction-Level Parallelism, leaving a large and detectable footprint. Microscope [117] requires privileged OS-level access. The GateBleed magnifier is unprivileged, requires only a single instruction following a passive wait, and its mechanism (hardware power-up latency) is entirely new in this context. This represents a qualitative leap in simplicity and stealth.

3. New Vector for AI Privacy Attacks: While hardware side-channel attacks on AI models are known (e.g., Cache Telepathy [144]), they typically target static model artifacts (recovering weights or architecture). GateBleed introduces a novel attack surface: leaking private, input-dependent dynamic decisions (e.g., early-exit paths, expert routing) by observing the side effects of accelerator power management. This is a new conceptual link between hardware power optimization and AI privacy that has not been explored before.

Weaknesses

My critique is not that the work lacks novelty, but that its novelty could be framed with greater precision and its implications explored more broadly.

1. Positioning: A Potent Instance or a New Class? The paper convincingly presents a new vulnerability. However, it is an instance of a broader, known principle: power state transitions incur latency penalties. The exceptional novelty here stems from the undocumented, multi-stage, and high-latency nature specific to AMX. The authors should more clearly position their contribution: is this a one-off implementation flaw in AMX, or is it the first documented example of a new class of vulnerabilities we should expect in future tightly-integrated, aggressively power-managed accelerators?

2. Limited Generalizability of the Primitive: The discovered primitive is, by definition, specific to a particular microarchitecture (Intel AMX on Sapphire Rapids and newer). While the applications are more general, the root cause is narrow. The paper would be strengthened by a discussion on the architectural trends that led to this design choice and whether similar vulnerabilities are likely to exist in other on-core accelerators (e.g., NPUs in consumer SoCs, GPU Tensor Cores) that also employ aggressive power gating. Without this, the novelty risks being perceived as narrow, even if it is deep.

Questions to Address In Rebuttal

1. The authors cite Thor [29] as a related work that also finds a timing channel in AMX. Could the authors dedicate a paragraph to explicitly contrasting the root cause of GateBleed (reuse-distance-dependent staging) with that of Thor (operand-dependent leakage)? This would further solidify the novelty of the discovered primitive.

2. In Section 6.7 (page 12), the authors claim GateBleed evades state-of-the-art detectors. Is this evasion simply because current detectors are not instrumented to monitor AMX-specific performance counters, or is there a more fundamental reason why this primitive is inherently difficult to detect? For example, does a single AMX instruction after a long, passive wait period fall below the anomaly detection threshold of any conceivable event-based detector?

3. The core mechanism is tied to AMX. Could the authors speculate on the likelihood of finding similar multi-stage, high-latency power gating channels in other classes of on-core accelerators? What architectural pressures (e.g., thermal density, power budget sharing) would incentivize designers to create such leaky optimizations? This would help frame the work's conceptual contribution beyond a single-vendor implementation.