{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,5]],"date-time":"2026-03-05T15:45:38Z","timestamp":1772725538263,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":142,"publisher":"ACM","content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,11,19]]},"DOI":"10.1145\/3719027.3765121","type":"proceedings-article","created":{"date-parts":[[2025,11,22]],"date-time":"2025-11-22T23:33:16Z","timestamp":1763854396000},"page":"4454-4468","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":1,"title":["<scp>IOValve:<\/scp>\n                    Leakage-Free I\/O Sandbox for Large-Scale Untrusted Data Processing"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-0412-7768","authenticated-orcid":false,"given":"Sangho","family":"Lee","sequence":"first","affiliation":[{"name":"Microsoft Research, Redmond, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7804-3498","authenticated-orcid":false,"given":"Jules","family":"Drean","sequence":"additional","affiliation":[{"name":"Massachusetts Institute of Technology, Cambridge, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0005-5298-419X","authenticated-orcid":false,"given":"Yue","family":"Tan","sequence":"additional","affiliation":[{"name":"Princeton University, Princeton, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0001-4711-0675","authenticated-orcid":false,"given":"Marcus","family":"Peinado","sequence":"additional","affiliation":[{"name":"Microsoft Research, Redmond, 
USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2025,11,22]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"Advanced Micro Devices Inc. 2024. AMD Pensando Networking. https:\/\/www.amd.com\/en\/products\/accelerators\/pensando.html."},{"key":"e_1_3_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1145\/3563766.3564110"},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.24057"},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1109\/SEED55351.2022.00018"},{"key":"e_1_3_2_1_5_1","volume-title":"Solar Winds Hack: In-Depth Analysis and Countermeasures. In 2021 12th International Conference on Computing Communication and Networking Technologies (ICCCNT).","author":"Alkhadra Rahaf","year":"2021","unstructured":"Rahaf Alkhadra, Joud Abuzaid, Mariam AlShammari, and Nazeeruddin Mohammad. 2021. Solar Winds Hack: In-Depth Analysis and Countermeasures. In 2021 12th International Conference on Computing Communication and Networking Technologies (ICCCNT)."},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/3276488"},{"key":"e_1_3_2_1_7_1","unstructured":"Amazon Web Services Inc. 2024. The Security Design of the AWS Nitro System. https:\/\/docs.aws.amazon.com\/whitepapers\/latest\/security-design-of-aws-nitro-system\/security-design-of-aws-nitro-system.html."},{"key":"e_1_3_2_1_8_1","unstructured":"AMD. 2021. AMD SEV-SNP: Strengthening VM Isolation with Integrity Protection and More. https:\/\/www.amd.com\/content\/dam\/amd\/en\/documents\/epyc-business-docs\/white-papers\/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more.pdf."},{"key":"e_1_3_2_1_9_1","unstructured":"Anyiscale Inc. 2024. Productionizing and scaling Python ML workloads simply - Ray. https:\/\/www.ray.io."},{"key":"e_1_3_2_1_10_1","unstructured":"Argilla. 2023. Dataset Card for sharegpt-text-descriptives. 
https:\/\/huggingface.co\/datasets\/argilla\/sharegpt-text-descriptives."},{"key":"e_1_3_2_1_11_1","volume-title":"Proceedings of the 19th USENIX Symposium on Networked Systems Design and Implementation (NSDI)","author":"Arumugam Manikandan","year":"2022","unstructured":"Manikandan Arumugam, Deepak Bansal, Navdeep Bhatia, James Boerner, Simon Capper, Changhoon Kim, Sarah McClure, Neeraj Motwani, Ranga Narasimhan, Urvish Panchal, Tommaso Pimpo, Ariff Premji, Pranjal Shrivastava, and Rishabh Tewari. 2022. Bluebird: High-performance SDN for Bare-metal Cloud Services. In Proceedings of the 19th USENIX Symposium on Networked Systems Design and Implementation (NSDI). Renton, WA."},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/3564625.3564637"},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.5555\/2685048.2685070"},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"crossref","unstructured":"David E. Bell and Leonard La Padula. 1976. Secure Computer System: Unified Exposition and Multics Interpretation. Technical Report MTR-2997 Rev. 1. MITRE Corporation.","DOI":"10.21236\/ADA023588"},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/1341312.1341321"},{"key":"e_1_3_2_1_16_1","volume-title":"Kolmogorov-Smirnov test: Overview","author":"Berger Vance W","year":"2014","unstructured":"Vance W Berger and YanYan Zhou. 2014. Kolmogorov-Smirnov test: Overview. Wiley statsref: Statistics reference online (2014)."},{"key":"e_1_3_2_1_17_1","volume-title":"Proceedings of the 11th USENIX Workshop on Offensive Technologies (WOOT).","author":"Brasser Ferdinand","year":"2017","unstructured":"Ferdinand Brasser, Urs M\u00fcller, Alexandra Dmitrienko, Kari Kostiainen, Srdjan Capkun, and Ahmad-Reza Sadeghi. 2017. Software Grand Exposure: SGX Cache Attacks Are Practical. 
In Proceedings of the 11th USENIX Workshop on Offensive Technologies (WOOT)."},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484779"},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660362"},{"key":"e_1_3_2_1_20_1","volume-title":"Proceedings of the 28th USENIX Security Symposium (Security)","author":"Canella Claudio","year":"2019","unstructured":"Claudio Canella, Jo Van Bulck, Michael Schwarz, Moritz Lipp, Benjamin von Berg, Philipp Ortner, Frank Piessens, Dmitry Evtyushkin, and Daniel Gruss. 2019. A Systematic Evaluation of Transient Execution Attacks and Defenses. In Proceedings of the 28th USENIX Security Symposium (Security). Santa Clara, CA."},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/3622781.3674190"},{"key":"e_1_3_2_1_22_1","volume-title":"Proceedings of the 4th IEEE European Symposium on Security and Privacy (Euro S&P).","author":"Chen Guoxing","unstructured":"Guoxing Chen, Sanchuan Chen, Yuan Xiao, Yinqian Zhang, Zhiqiang Lin, and Ten H. Lai. 2019. SgxPectre Attacks: Stealing Intel Secrets from SGX Enclaves via Speculative Execution. In Proceedings of the 4th IEEE European Symposium on Security and Privacy (Euro S&P)."},{"key":"e_1_3_2_1_23_1","volume-title":"Proceedings of the 30th USENIX Security Symposium (Security). Virtual.","author":"Chen Zitai","year":"2021","unstructured":"Zitai Chen, Georgios Vasilakis, Kit Murdock, Edward Dean, David Oswald, and Flavio D Garcia. 2021. VoltPillager: Hardware-based fault injection attacks against Intel SGX Enclaves using the SVID voltage scaling interface. In Proceedings of the 30th USENIX Security Symposium (Security). Virtual."},{"key":"e_1_3_2_1_24_1","unstructured":"Lucian Constantin. 2022. Supply Chain Attacks Increased Over 600% This Year and Companies Are Falling Behind. 
https:\/\/www.csoonline.com\/article\/573925\/supply-chain-attacks-increased-over-600-this-year-and-companies-are-\/falling-behind.html."},{"key":"e_1_3_2_1_25_1","unstructured":"Intel Corporation. 2021. Intel\u00ae Trust Domain Extensions White Paper. https:\/\/www.intel.com\/content\/dam\/develop\/external\/us\/en\/documents\/tdx-whitepaper-final9-17.pdf."},{"key":"e_1_3_2_1_26_1","volume-title":"Reverse Engineering Flash EEPROM Memories Using Scanning Electron Microscopy. In International Conference on Smart Card Research and Advanced Applications. 57-72","author":"Courbon Franck","year":"2016","unstructured":"Franck Courbon, Sergei Skorobogatov, and Christopher Woods. 2016. Reverse Engineering Flash EEPROM Memories Using Scanning Electron Microscopy. In International Conference on Smart Card Research and Advanced Applications. 57-72."},{"key":"e_1_3_2_1_27_1","unstructured":"Cybersecurity and Infrastructure Security Agency. 2025. Defining Insider Threats. https:\/\/www.cisa.gov\/topics\/physical-security\/insider-threat-mitigation\/defining-insider-threats."},{"key":"e_1_3_2_1_28_1","unstructured":"Datanyze. 2025. Google Cloud Company Profile. https:\/\/www.datanyze.com\/companies\/google-cloud\/356413659."},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/3366423.3380173"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1371\/journal.pone.0274628"},{"key":"e_1_3_2_1_31_1","first-page":"7","article-title":"Certification of Programs for Secure Information","volume":"20","author":"Denning Dorothy E.","year":"1977","unstructured":"Dorothy E. Denning and Peter J. Denning. 1977. Certification of Programs for Secure Information Flow. Commun. ACM, Vol. 20, 7 (July 1977), 504-513.","journal-title":"Flow. Commun. ACM"},{"key":"e_1_3_2_1_32_1","unstructured":"Tim Dettmers Artidoro Pagnoni Ari Holtzman and Luke Zettlemoyer. 2023. QLoRA: Efficient Finetuning of Quantized LLMs. 
In Advances in Neural Information Processing Systems (NeurIPS)."},{"key":"e_1_3_2_1_33_1","volume-title":"Proceedings of the 11th USENIX Symposium on Networked Systems Design and Implementation (NSDI)","author":"Dragojevi\u0107 Aleksandar","year":"2014","unstructured":"Aleksandar Dragojevi\u0107, Dushyanth Narayanan, Miguel Castro, and Orion Hodson. 2014. FaRM: Fast Remote Memory. In Proceedings of the 11th USENIX Symposium on Networked Systems Design and Implementation (NSDI). Seattle, WA."},{"key":"e_1_3_2_1_34_1","unstructured":"Abhimanyu Dubey Abhinav Jauhri Abhinav Pandey Abhishek Kadian Ahmad Al-Dahle Aiesha Letman Akhil Mathur Alan Schelten Amy Yang Angela Fan et al. 2024. The Llama 3 herd of models. arXiv:2407.21783"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.28"},{"key":"e_1_3_2_1_36_1","unstructured":"Envoy Project Authors. 2024. Envoy proxy. https:\/\/www.envoyproxy.io."},{"key":"e_1_3_2_1_37_1","volume-title":"Proceedings of the Eighth Annual Conference on Machine Learning and Systems (MLSys).","author":"Gao Yue","year":"2025","unstructured":"Yue Gao, Ilia Shumailov, and Kassem Fawaz. 2025. Supply-Chain Attacks in Machine Learning Frameworks. In Proceedings of the Eighth Annual Conference on Machine Learning and Systems (MLSys)."},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560592"},{"key":"e_1_3_2_1_39_1","unstructured":"Johann George. [n.d.]. qperf - Measure RDMA and IP performance. https:\/\/linux.die.net\/man\/1\/qperf."},{"key":"e_1_3_2_1_40_1","volume-title":"Proceedings of the 10th USENIX Symposium on Operating Systems Design and Implementation (OSDI)","author":"Giffin Daniel B.","year":"2012","unstructured":"Daniel B. Giffin, Amit Levy, Deian Stefan, David Terei, David Mazi\u00e8res, John C. Mitchell, and Alejandro Russo. 2012. Hails: Protecting Data Privacy in Untrusted Web Applications. 
In Proceedings of the 10th USENIX Symposium on Operating Systems Design and Implementation (OSDI). Hollywood, CA."},{"key":"e_1_3_2_1_41_1","volume-title":"What we know about the xz Utils backdoor that almost infected the world. Ars Technica (March","author":"Goodin Dan","year":"2024","unstructured":"Dan Goodin. 2024. What we know about the xz Utils backdoor that almost infected the world. Ars Technica (March 2024). https:\/\/arstechnica.com\/security\/2024\/04\/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world\/"},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/3065913.3065915"},{"key":"e_1_3_2_1_43_1","volume-title":"Proceedings of the 20th USENIX Security Symposium (Security)","author":"Haeberlen Andreas","year":"2011","unstructured":"Andreas Haeberlen, Benjamin C. Pierce, and Arjun Narayan. 2011. Differential Privacy Under Fire. In Proceedings of the 20th USENIX Security Symposium (Security). San Francisco, CA."},{"key":"e_1_3_2_1_44_1","volume-title":"International Symposium for Testing and Failure Analysis.","author":"Herschbein Steven","year":"2022","unstructured":"Steven Herschbein, Shida Tan, Richard Livengood, and Michael Wong. 2022. An Introduction to the FIB as a Microchip Circuit Edit Tool. In International Symposium for Testing and Failure Analysis."},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/3050748.3050763"},{"key":"e_1_3_2_1_46_1","unstructured":"Hugging Face. [n.d.]. Transformers. https:\/\/huggingface.co\/docs\/transformers\/en\/index."},{"key":"e_1_3_2_1_47_1","volume-title":"Chiron: Privacy-preserving Machine Learning as a Service. arXiv:1803.05961","author":"Hunt Tyler","year":"2018","unstructured":"Tyler Hunt, Congzheng Song, Reza Shokri, Vitaly Shmatikov, and Emmett Witchel. 2018. Chiron: Privacy-preserving Machine Learning as a Service. 
arXiv:1803.05961"},{"key":"e_1_3_2_1_48_1","volume-title":"Proceedings of the 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI)","author":"Hunt Tyler","year":"2016","unstructured":"Tyler Hunt, Zhiting Zhu, Yuanzhong Xu, Simon Peter, and Emmett Witchel. 2016. Ryoan: A Distributed Sandbox for Untrusted Computation on Secret Data. In Proceedings of the 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI). Savannah, GA."},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2025.243001"},{"key":"e_1_3_2_1_50_1","unstructured":"IBM. 2024. PyTorch communication benchmarks. https:\/\/github.com\/IBM\/pytorch-communication-benchmarks."},{"key":"e_1_3_2_1_51_1","volume-title":"Privacy Amid Shift to the Cloud. TDWI","year":"2021","unstructured":"Immuta. 2021. Survey Reveals Emerging Challenges with Data Security, Privacy Amid Shift to the Cloud. TDWI (2021). https:\/\/tdwi.org\/articles\/2021\/11\/02\/immuta-survey-news.aspx"},{"key":"e_1_3_2_1_52_1","unstructured":"Infiniband Trade Association. 2014. RoCEv2. https:\/\/cw.infinibandta.org\/document\/dl\/7781."},{"key":"e_1_3_2_1_53_1","unstructured":"Intel Corporation. 2024. Intel Infrastructure Processing Unit (Intel IPU). https:\/\/www.intel.com\/content\/www\/us\/en\/products\/details\/network-io\/ipu.html."},{"key":"e_1_3_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.5555\/3620237.3620466"},{"key":"e_1_3_2_1_55_1","volume-title":"Insider Threat: Impact Studies. https:\/\/cloud.google.com\/blog\/products\/identity-security\/insider-threat-impact-studies\/.","author":"Kathuria JJ.","year":"2022","unstructured":"JJ. Kathuria and Arjun Bhardwaj. 2022. Insider Threat: Impact Studies. https:\/\/cloud.google.com\/blog\/products\/identity-security\/insider-threat-impact-studies\/."},{"key":"e_1_3_2_1_56_1","volume-title":"Insider Threat: The Dangers Within. 
https:\/\/cloud.google.com\/blog\/products\/identity-security\/insider-threat-dangers-within\/.","author":"Kathuria JJ","year":"2022","unstructured":"JJ Kathuria and Arjun Bhardwaj. 2022. Insider Threat: The Dangers Within. https:\/\/cloud.google.com\/blog\/products\/identity-security\/insider-threat-dangers-within\/."},{"key":"e_1_3_2_1_57_1","unstructured":"Keller Jordan. 2024. 94% on CIFAR-10 in 3.29 Seconds on a Single GPU. arXiv:2404.00498"},{"key":"e_1_3_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1109\/32.106971"},{"key":"e_1_3_2_1_59_1","unstructured":"Uri Katz Guy Kaplan and Avi Lumelsky. 2024. Shelltorch Explained: Multiple Vulnerabilities in PyTorch Model Server (Torchserve) (CVSS 9.9 CVSS 9.8) Walkthrough. https:\/\/www.oligo.security\/blog\/shelltorch-explained-multiple-vulnerabilities-in-pytorch-model-server."},{"key":"e_1_3_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1145\/3546068"},{"key":"e_1_3_2_1_61_1","volume-title":"Proceedings of the 16th USENIX Symposium on Networked Systems Design and Implementation (NSDI)","author":"Kim Daehyeok","year":"2019","unstructured":"Daehyeok Kim, Tianlong Yu, Hongqiang Harry Liu, Yibo Zhu, Jitu Padhye, Shachar Raindel, Chuanxiong Guo, Vyas Sekar, and Srinivasan Seshan. 2019. FreeFlow: Software-based Virtual RDMA Networking for Containerized Clouds. In Proceedings of the 16th USENIX Symposium on Networked Systems Design and Implementation (NSDI). Boston, MA."},{"key":"e_1_3_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.1145\/1294261.1294293"},{"key":"e_1_3_2_1_63_1","doi-asserted-by":"publisher","DOI":"10.1145\/3600006.3613165"},{"key":"e_1_3_2_1_64_1","unstructured":"Kevin Lee Adi Gangidi and Mathew Oldham. 2024. Building Meta's GenAI Infrastructure. 
https:\/\/engineering.fb.com\/2024\/03\/12\/data-center-engineering\/building-metas-genai-infrastructure\/."},{"key":"e_1_3_2_1_65_1","doi-asserted-by":"publisher","DOI":"10.5555\/3241189.3241233"},{"key":"e_1_3_2_1_66_1","doi-asserted-by":"publisher","DOI":"10.1145\/3593856.3595913"},{"key":"e_1_3_2_1_67_1","unstructured":"Daniel Lemire. 2024. Estimating your memory bandwidth. https:\/\/lemire.me\/blog\/2024\/01\/13\/estimating-your-memory-bandwidth\/."},{"key":"e_1_3_2_1_68_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833768"},{"key":"e_1_3_2_1_69_1","volume-title":"Proceedings of the 28th USENIX Security Symposium (Security)","author":"Li Mengyuan","year":"2019","unstructured":"Mengyuan Li, Yinqian Zhang, Zhiqiang Lin, and Yan Solihin. 2019. Exploiting Unprotected I\/O Operations in AMD's Secure Encrypted Virtualization. In Proceedings of the 28th USENIX Security Symposium (Security). Santa Clara, CA."},{"key":"e_1_3_2_1_70_1","unstructured":"Shen Li. 2019. Getting Started with Distributed Data Parallel. https:\/\/docs.pytorch.org\/tutorials\/intermediate\/ddp_tutorial.html."},{"key":"e_1_3_2_1_71_1","volume-title":"Enabling Realms with the Arm Confidential Compute Architecture. ;login: The USENIX Magazine (July","author":"Li Xupeng","year":"2023","unstructured":"Xupeng Li, Xuheng Li, Christoffer Dall, Ronghui Gu, Jason Nieh, Yousuf Sait, and Gareth Stockwell. 2023. Enabling Realms with the Arm Confidential Compute Architecture. ;login: The USENIX Magazine (July 2023)."},{"key":"e_1_3_2_1_72_1","doi-asserted-by":"publisher","DOI":"10.5555\/647054.715771"},{"key":"e_1_3_2_1_73_1","doi-asserted-by":"publisher","DOI":"10.1145\/3456629"},{"key":"e_1_3_2_1_74_1","unstructured":"Laura Martinez. 2024. Advancing Security for Large Language Models with NVIDIA GPUs and Edgeless Systems. 
https:\/\/developer.nvidia.com\/blog\/advancing-security-for-large-language-models-with-nvidia-gpus-and-edgeless-systems\/."},{"key":"e_1_3_2_1_75_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2006.47"},{"key":"e_1_3_2_1_76_1","volume-title":"Proceedings of the 31st USENIX Security Symposium (Security)","author":"Mehta Aastha","year":"2022","unstructured":"Aastha Mehta, Mohamed Alzayat, Roberta De Viti, Bj\u00f6rn B Brandenburg, Peter Druschel, and Deepak Garg. 2022. Pacer: Comprehensive Network Side-Channel Mitigation in the Cloud. In Proceedings of the 31st USENIX Security Symposium (Security). Boston, MA."},{"key":"e_1_3_2_1_77_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2022.24056"},{"key":"e_1_3_2_1_78_1","unstructured":"Microsoft. 2024. Overview of Azure Boost. https:\/\/learn.microsoft.com\/en-us\/azure\/azure-boost\/overview."},{"key":"e_1_3_2_1_79_1","doi-asserted-by":"crossref","unstructured":"Ahmad Moghimi Gorka Irazoqui and Thomas Eisenbarth. 2017. CacheZoom: How SGX Amplifies the Power of Cache Attacks. In Cryptographic Hardware and Embedded Systems (CHES).","DOI":"10.1007\/978-3-319-66787-4_4"},{"key":"e_1_3_2_1_80_1","doi-asserted-by":"publisher","DOI":"10.1109\/CLOUD62652.2024.00028"},{"key":"e_1_3_2_1_81_1","doi-asserted-by":"publisher","DOI":"10.5555\/3358807.3358856"},{"key":"e_1_3_2_1_82_1","unstructured":"National Insider Threat Special Interest Group. 2024. 2024 Insider Threat Incidents Report for the Department of Defense. https:\/\/cloud.google.com\/blog\/products\/identity-security\/insider-threat-dangers-within\/."},{"key":"e_1_3_2_1_83_1","unstructured":"NVIDIA Corporation. 2023. NVIDIA Device Attestation and CoRIM-based Reference Measurement Sharing. https:\/\/docs.nvidia.com\/networking\/display\/ndacrmsv10\/introduction."},{"key":"e_1_3_2_1_84_1","unstructured":"NVIDIA Corporation. 2024a. CUDA Toolkit. 
https:\/\/developer.nvidia.com\/cuda-toolkit."},{"key":"e_1_3_2_1_85_1","unstructured":"NVIDIA Corporation. 2024b. IPSec Full Offload. https:\/\/docs.nvidia.com\/networking\/display\/mlnxofedv24010331\/ipsecfulloffload."},{"key":"e_1_3_2_1_86_1","unstructured":"NVIDIA Corporation. 2024c. NCCL Net Plugin Documentation. https:\/\/github.com\/NVIDIA\/nccl\/blob\/master\/ext-net\/README.md."},{"key":"e_1_3_2_1_87_1","unstructured":"NVIDIA Corporation. 2024d. NVIDIA BlueField Modes of Operation. https:\/\/docs.nvidia.com\/doca\/sdk\/nvidiabluefieldmodesofoperation\/index.html."},{"key":"e_1_3_2_1_88_1","unstructured":"NVIDIA Corporation. 2024 e. NVIDIA BlueField Networking Platform. https:\/\/www.nvidia.com\/en-us\/networking\/products\/data-processing-unit\/."},{"key":"e_1_3_2_1_89_1","volume-title":"2024 f","author":"NVIDIA Corporation","unstructured":"NVIDIA Corporation. 2024 f. NVIDIA Collective Communications Library (NCCL). https:\/\/developer.nvidia.com\/nccl."},{"key":"e_1_3_2_1_90_1","unstructured":"NVIDIA Corporation. 2024 g. NVIDIA DOCA Software Framework. https:\/\/developer.nvidia.com\/networking\/doca."},{"key":"e_1_3_2_1_91_1","unstructured":"NVIDIA Corporation. 2025. The NVIDIA Grace Blackwell Superchip. https:\/\/docs.nvidia.com\/multi-node-nvlink-systems\/multi-node-tuning-guide\/."},{"key":"e_1_3_2_1_92_1","unstructured":"Department of Defense. 1985. Trusted Computer System Evaluation Criteria (Orange Book). Technical Report DoD 5200.28-STD."},{"key":"e_1_3_2_1_93_1","unstructured":"OpenAI. 2024. Batch API - OpenAI API. https:\/\/platform.openai.com\/docs\/guides\/batch."},{"key":"e_1_3_2_1_94_1","unstructured":"Optrium. 2025. How Many People Are Needed to Run a Data Centre? https:\/\/optrium.co.uk\/how-many-people-are-needed-to-run-a-data-centre\/."},{"key":"e_1_3_2_1_95_1","doi-asserted-by":"publisher","DOI":"10.1145\/3676641.3716266"},{"key":"e_1_3_2_1_96_1","unstructured":"PCI-SIG. 2022. TEE Device Interface Security Protocol (TDISP). 
https:\/\/pcisig.com\/tee-device-interface-security-protocol-tdisp."},{"key":"e_1_3_2_1_97_1","volume-title":"Proceedings of the 30th USENIX Security Symposium (Security). Virtual.","author":"Puddu Ivan","year":"2021","unstructured":"Ivan Puddu, Moritz Schneider, Miro Haller, and Srdjan Capkun. 2021. Frontal Attack: Leaking Control-Flow in SGX via the CPU Frontend. In Proceedings of the 30th USENIX Security Symposium (Security). Virtual."},{"key":"e_1_3_2_1_98_1","unstructured":"PyTorch Contributors. 2023. torchrun (Elastic Launch). https:\/\/pytorch.org\/docs\/stable\/elastic\/run.html."},{"key":"e_1_3_2_1_99_1","unstructured":"Nazneen Rajani Lewis Tunstall Edward Beeching Nathan Lambert Alexander M. Rush and Thomas Wolf. 2023. No Robots. https:\/\/huggingface.co\/datasets\/HuggingFaceH4\/no_robots."},{"key":"e_1_3_2_1_100_1","unstructured":"Rhonda Ascierto and Todd Traver. 2021. Data center security: Reassessing physical human and digital risks. Technical Report."},{"key":"e_1_3_2_1_101_1","volume-title":"Proceedings of the 30th USENIX Security Symposium (Security). Virtual.","author":"Rothenberger Benjamin","year":"2021","unstructured":"Benjamin Rothenberger, Konstantin Taranov, Adrian Perrig, and Torsten Hoefler. 2021. ReDMArk: Bypassing RDMA Security Mechanisms. In Proceedings of the 30th USENIX Security Symposium (Security). Virtual."},{"key":"e_1_3_2_1_102_1","volume-title":"Proceedings of the 7th USENIX Symposium on Networked Systems Design and Implementation (NSDI)","author":"Roy Indrajit","year":"2010","unstructured":"Indrajit Roy, Srinath T.V. Setty, Ann Kilzer, Vitaly Shmatikov, and Emmett Witchel. 2010. Airavat: Security and Privacy for MapReduce. In Proceedings of the 7th USENIX Symposium on Networked Systems Design and Implementation (NSDI). 
San Jose, CA."},{"key":"e_1_3_2_1_103_1","volume-title":"Proceedings of the 33rd USENIX Security Symposium (Security)","author":"Sabzi Amir","year":"2024","unstructured":"Amir Sabzi, Rut Vora, Swati Goswami, Margo Seltzer, Mathias L\u00e9cuyer, and Aastha Mehta. 2024. NetShaper: A Differentially Private Network Side-Channel Mitigation System. In Proceedings of the 33rd USENIX Security Symposium (Security). Philadelphia, PA."},{"key":"e_1_3_2_1_104_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSAC.2005.13"},{"key":"e_1_3_2_1_105_1","unstructured":"Philipp Schmid. 2024. Efficiently fine-tune Llama 3 with PyTorch FSDP and Q-Lora. https:\/\/www.philschmid.de\/fsdp-qlora-llama3."},{"key":"e_1_3_2_1_106_1","unstructured":"Philipp Schmid Omar Sanseviero Alvaro Bartolome Leandro von Werra Daniel Vila Vaibhav Srivastav Marc Sun and Pedro Cuenca. 2024. Llama 3.1 - 405B 70B & 8B with multilinguality and long context. https:\/\/huggingface.co\/blog\/llama31."},{"key":"e_1_3_2_1_107_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.10"},{"key":"e_1_3_2_1_108_1","volume-title":"Proceedings of the 13th USENIX Symposium on Operating Systems Design and Implementation (OSDI)","author":"Sigurbjarnarson Helgi","year":"2018","unstructured":"Helgi Sigurbjarnarson, Luke Nelson, Bruno Castro-Karney, James Bornholt, Emina Torlak, and Xi Wang. 2018. Nickel: A Framework for Design and Verification of Information Flow Control Systems. In Proceedings of the 13th USENIX Symposium on Operating Systems Design and Implementation (OSDI). Carlsbad, CA."},{"key":"e_1_3_2_1_109_1","volume-title":"Proceedings of the 46th Annual International Symposium on Computer Architecture (ISCA).","author":"Skarlatos Dimitrios","unstructured":"Dimitrios Skarlatos, Mengjia Yan, Bhargava Gopireddy, Read Sprabery, Josep Torrellas, and Christopher W. Fletcher. 2019. MicroScope: Enabling Microarchitectural Replay Attacks. 
In Proceedings of the 46th Annual International Symposium on Computer Architecture (ISCA)."},{"key":"e_1_3_2_1_110_1","unstructured":"John Stawinski. 2024. Playing with Fire - How We Executed a Critical Supply Chain Attack on PyTorch. https:\/\/johnstawinski.com\/2024\/01\/11\/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch\/."},{"key":"e_1_3_2_1_111_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40001.2021.00059"},{"key":"e_1_3_2_1_112_1","volume-title":"Proceedings of the 2020 USENIX Annual Technical Conference (ATC).","author":"Taranov Konstantin","year":"2020","unstructured":"Konstantin Taranov, Benjamin Rothenberger, Adrian Perrig, and Torsten Hoefler. 2020. sRDMA: Efficient NIC-based Authentication and Encryption for Remote Direct Memory Access. In Proceedings of the 2020 USENIX Annual Technical Conference (ATC)."},{"key":"e_1_3_2_1_113_1","volume-title":"Alpa: Training and Serving Large-Scale Neural Networks with Auto Parallelization. https:\/\/github.com\/alpa-projects\/alpa.","author":"Team Alpa","year":"2024","unstructured":"Alpa Team. 2024a. Alpa: Training and Serving Large-Scale Neural Networks with Auto Parallelization. https:\/\/github.com\/alpa-projects\/alpa."},{"key":"e_1_3_2_1_114_1","unstructured":"Google Brain Team. 2024b. TensorFlow: An Open Source Machine Learning Framework. https:\/\/www.tensorflow.org\/"},{"key":"e_1_3_2_1_115_1","volume-title":"Horovod: Distributed Deep Learning Training Framework for TensorFlow, Keras, PyTorch, and Apache MXNet. https:\/\/github.com\/horovod\/horovod","author":"Team Uber Engineering","year":"2024","unstructured":"Uber Engineering Team. 2024c. Horovod: Distributed Deep Learning Training Framework for TensorFlow, Keras, PyTorch, and Apache MXNet. https:\/\/github.com\/horovod\/horovod"},{"key":"e_1_3_2_1_116_1","unstructured":"The kernel development community. [n.d.]. Sequence counters and sequential locks. 
https:\/\/docs.kernel.org\/locking\/seqlock.html."},{"key":"e_1_3_2_1_117_1","unstructured":"The PyTorch Foundation. 2024. PyTorch. https:\/\/pytorch.org."},{"key":"e_1_3_2_1_118_1","volume-title":"IFIP International Conference on Information Security Theory and Practice.","author":"Trouchkine Thomas","year":"2019","unstructured":"Thomas Trouchkine, Guillaume Bouffard, and Jessy Cl\u00e9di\u00e8re. 2019. Fault Injection Characterization on Modern CPUs: From the ISA to the Micro-architecture. In IFIP International Conference on Information Security Theory and Practice."},{"key":"e_1_3_2_1_119_1","volume-title":"Eastern District of California","author":"United States Attorney's Office","year":"2023","unstructured":"United States Attorney's Office, Eastern District of California. 2023. Former Navy IT Manager Sentenced to Over 5 Years in Prison for Hacking Computer Database. https:\/\/www.justice.gov\/usao-edca\/pr\/former-navy-it-manager-sentenced-over-5-years-prison-hacking-computer-database."},{"key":"e_1_3_2_1_120_1","volume-title":"Proceedings of the 45th IEEE Symposium on Security and Privacy (Oakland)","author":"Schaik Stephan Van","year":"2024","unstructured":"Stephan Van Schaik, Alex Seto, Thomas Yurek, Adam Batori, Bader AlBassam, Daniel Genkin, Andrew Miller, Eyal Ronen, Yuval Yarom, and Christina Garman. 2024. SoK: SGX.Fail: How Stuff Gets eXposed. In Proceedings of the 45th IEEE Symposium on Security and Privacy (Oakland). 
San Francisco, CA."},{"key":"e_1_3_2_1_121_1","doi-asserted-by":"publisher","DOI":"10.1145\/1314299.1314302"},{"key":"e_1_3_2_1_122_1","doi-asserted-by":"publisher","DOI":"10.1145\/3658644.3690183"},{"key":"e_1_3_2_1_123_1","doi-asserted-by":"publisher","DOI":"10.1145\/173668.168635"},{"key":"e_1_3_2_1_124_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cpc.2018.03.016"},{"key":"e_1_3_2_1_125_1","volume-title":"Proceedings of the 2003 USENIX Annual Technical Conference.","author":"Watson Robert","year":"2003","unstructured":"Robert Watson, Wayne Morrison, Chris Vance, and Brian Feldman. 2003. The TrustedBSD MAC Framework: Extensible Kernel Access Control for FreeBSD 5.0. In Proceedings of the 2003 USENIX Annual Technical Conference."},{"key":"e_1_3_2_1_126_1","doi-asserted-by":"publisher","DOI":"10.5555\/3698900.3699089"},{"key":"e_1_3_2_1_127_1","volume-title":"Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS)","author":"Wright Charles V","year":"2009","unstructured":"Charles V Wright, Scott E Coull, and Fabian Monrose. 2009. Traffic Morphing: An Efficient Defense Against Statistical Traffic Analysis. In Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS). San Diego, CA."},{"key":"e_1_3_2_1_128_1","volume-title":"Proceedings of the 31st USENIX Security Symposium (Security)","author":"Xing Jiarong","year":"2022","unstructured":"Jiarong Xing, Kuo-Feng Hsu, Yiming Qiu, Ziyang Yang, Hongyi Liu, and Ang Chen. 2022. Bedrock: Programmable Network Support for Secure RDMA Systems. In Proceedings of the 31st USENIX Security Symposium (Security). Boston, MA."},{"key":"e_1_3_2_1_129_1","volume-title":"Proceedings of the 29th USENIX Security Symposium (Security)","author":"Xing Jiarong","year":"2020","unstructured":"Jiarong Xing, Qiao Kang, and Ang Chen. 2020. NetWarden: Mitigating Network Covert Channels while Preserving Performance. In Proceedings of the 29th USENIX Security Symposium (Security). 
Boston, MA."},{"key":"e_1_3_2_1_130_1","first-page":"3","article-title":"Survey of Transient Execution Attacks and Their Mitigations","volume":"54","author":"Xiong Wenjie","year":"2021","unstructured":"Wenjie Xiong and Jakub Szefer. 2021. Survey of Transient Execution Attacks and Their Mitigations. ACM Computing Surveys (CSUR), Vol. 54, 3 (May 2021), 1-36.","journal-title":"ACM Computing Surveys (CSUR)"},{"key":"e_1_3_2_1_131_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2009.25"},{"key":"e_1_3_2_1_132_1","doi-asserted-by":"publisher","DOI":"10.1109\/TPDS.2010.97"},{"key":"e_1_3_2_1_133_1","volume-title":"Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation (OSDI)","author":"Zeldovich Nickolai","year":"2006","unstructured":"Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, and David Mazi\u00e8res. 2006. Making Information Flow Explicit in HiStar. In Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation (OSDI). Seattle, WA."},{"key":"e_1_3_2_1_134_1","doi-asserted-by":"publisher","DOI":"10.5555\/1387589.1387610"},{"key":"e_1_3_2_1_135_1","doi-asserted-by":"publisher","DOI":"10.1145\/2987550.2987558"},{"key":"e_1_3_2_1_136_1","doi-asserted-by":"publisher","DOI":"10.1145\/3689031.3717464"},{"key":"e_1_3_2_1_137_1","doi-asserted-by":"crossref","unstructured":"Duo Zhang Xinzijian Liu Xiangyu Zhang Chengqian Zhang Chun Cai Hangrui Bi Yiming Du Xuejian Qin Anyang Peng Jiameng Huang et al. 2024. DPA-2: a large atomic model as a multi-task learner. npj Computational Materials Vol. 10 1 (2024) 293.","DOI":"10.1038\/s41524-024-01493-2"},{"key":"e_1_3_2_1_138_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23210"},{"key":"e_1_3_2_1_139_1","unstructured":"Yanli Zhao Rohan Varma Chien-Chin Huang Shen Li Min Xu and Alban Desmaison. 2022. Introducing PyTorch Fully Sharded Data Parallel (FSDP) API. 
https:\/\/pytorch.org\/blog\/introducing-pytorch-fully-sharded-data-parallel-api\/."},{"key":"e_1_3_2_1_140_1","volume-title":"Proceedings of the 17th USENIX Symposium on Operating Systems Design and Implementation (OSDI)","author":"Zhou Ziqiao","year":"2023","unstructured":"Ziqiao Zhou, Yizhou Shan, Weidong Cui, Xinyang Ge, Marcus Peinado, and Andrew Baumann. 2023. Core slicing: closing the gap between leaky confidential VMs and bare-metal cloud. In Proceedings of the 17th USENIX Symposium on Operating Systems Design and Implementation (OSDI). Boston, MA."},{"key":"e_1_3_2_1_141_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00054"},{"key":"e_1_3_2_1_142_1","volume-title":"Proceedings of the 19th USENIX Workshop on Offensive Technologies (WOOT).","author":"Zonenberg Andrew D","year":"2025","unstructured":"Andrew D Zonenberg, Antony Moor, Daniel Slone, Lain Agan, and Mario Cop. 2025. Extraction of Secrets from 40nm CMOS Gate Dielectric Breakdown Antifuses by FIB Passive Voltage Contrast. 
In Proceedings of the 19th USENIX Workshop on Offensive Technologies (WOOT)."}],"event":{"name":"CCS '25: ACM SIGSAC Conference on Computer and Communications Security","location":"Taipei Taiwan","acronym":"CCS '25","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3719027.3765121","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,12,22]],"date-time":"2025-12-22T22:20:46Z","timestamp":1766442046000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3719027.3765121"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,11,19]]},"references-count":142,"alternative-id":["10.1145\/3719027.3765121","10.1145\/3719027"],"URL":"https:\/\/doi.org\/10.1145\/3719027.3765121","relation":{},"subject":[],"published":{"date-parts":[[2025,11,19]]},"assertion":[{"value":"2025-11-22","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}