- The paper introduces DEPUTYHUNT, a novel method combining static instrumentation, dynamic logging, and LLM-assisted code analysis to identify CDA vulnerabilities in edge AI accelerators.
- The paper shows that six out of seven evaluated AIAs are vulnerable, enabling arbitrary or limited host memory access through flawed zero-copy memory and SMID validation.
- The paper proposes an on-demand validation mechanism that restores memory isolation with only ~15% runtime overhead, offering a practical defense for embedded systems.
Confused Deputy Attacks Enabled by Edge AI Accelerators
Introduction and Motivation
Edge AI accelerators (AIAs)—specialized hardware such as TPUs, NPUs, and Matrix Multiply Accelerators—are now a fundamental component of embedded systems, IoT, and edge devices due to their energy-efficient, high-performance execution of AI workloads. However, their integration introduces architectural security risks not sufficiently addressed by traditional OS-based isolation mechanisms. Unlike conventional applications, AIAs are typically peripheral to host memory protection features like kernel-user separation or process isolation. To support the stringent low-latency and high-throughput demands of edge AI, these accelerators typically rely on zero-copy memory transfer and direct shared memory access, bypassing effective isolation mechanisms such as IOMMU in practice. This work provides the first thorough exploration of Confused Deputy Attacks (CDAs) using AIAs, where unprivileged user-space applications can manipulate AIA to perform privileged memory accesses.
Threat Model and Attack Vector
The core threat model assumes a user-space attacker controlling a standard application that communicates with the AIA through vendor libraries and the kernel driver. The attack exploits the semantic gap between the accelerator’s memory management (DMA, custom pagetables) and the OS’s process/memory isolation, particularly when the AIA validates references to shared memory ineffectively. By exploiting zero-copy mechanisms and deficiencies in SMID (Shared Memory Identifier) validation, an attacker can coerce the AIA into operating on memory to which the application is not otherwise entitled: other user process memory and kernel memory, depending on the accelerator’s mapping model.
Methodology: The DEPUTYHUNT Framework
The paper introduces DEPUTYHUNT, a methodology for identifying CDA vulnerabilities in black-box AIA firmware/software stacks. Recognizing the challenge posed by proprietary firmware and closed-source vendor libraries, DEPUTYHUNT combines source-level static instrumentation (mostly in the open-source kernel drivers), dynamic syscall and kernel logging, and selective LLM-assisted code analysis to efficiently narrow down candidate functions and data structures critical to memory sharing and SMID assignment. The approach was applied to seven representative edge AIAs encompassing major vendors and multiple hardware architectures.
Key phases include:
- Memory Region Identification: Extraction of address ranges of device and shared memory regions via device tree and direct OS instrumentation.
- Instrumentation and Logging: Kernel driver code augmented to emit detailed logs on DMA activity, memory mapping, and ioctl handling.
- LLM-assisted Code Summarization: LLMs (e.g., GPT-4o-mini, configured with custom agentic prompts and code context) used to analyze instrumented code, outputting candidate functions involved in memory sharing, ioctl entry points, and message semantics containing SMIDs.
- Manual Exploit Generation: Once message structures and mapping mechanisms were reverse-engineered, targeted exploits validated the ability to effectuate CDAs.
Analyst Effort Reduction
Empirically, DEPUTYHUNT achieved approximately 97% analyst effort reduction compared to baseline manual source review, with correct identification of CDA-relevant functions rapidly attainable in fewer than 5 manual verifications in most cases.
Findings: Widespread Feasibility of Confused Deputy Attacks
DEPUTYHUNT was deployed on AIAs from Google, NVIDIA, NXP, Texas Instruments, HAILO, AWS, and Rockchip, covering both integrated and discrete accelerators.
- CDA feasibility was demonstrated on six out of seven evaluated AIAs; the exception, Rockchip NPU, avoids zero-copy and instead uses message-based transfer over USB.
- Arbitrary read/write access (R.Af W.Af.Vf) was possible on the NXP NPU and HAILO NPU, permitting attackers to fully control both the target address and written value in host memory, including kernel memory and other user applications.
- Limited access (R,Al W,Al,Vf) was possible on Texas Instruments MMA and AWS Inferentia: attacker control is restricted to certain device memory regions, but not arbitrary host memory.
- Fixed/TOCTOU-based access (R,An W,An,Vf) was seen in Google Edge TPU and NVIDIA GPU; due to stale device pagetable mappings, attackers could utilize mappings left valid after a region was unmapped by the OS (time-of-check-to-time-of-use race), potentially operating on sensitive regions subsequently allocated to others.
Notably, the vulnerabilities affect over 128 SoC designs deployed in 100+ million devices, including edge servers, smart cameras, autonomous vehicles, and large-scale cloud inference platforms. The most critical vulnerabilities (arbitrary accesses) were confirmed, exploits developed, and all issues disclosed to vendors; at least one, NXP, has issued a CVE (CVE-2025-66425).
Root Causes and Vulnerability Analysis
Key architectural features enabling these attacks include:
- Zero-copy Data Transfer: To minimize latency and minimize bandwidth contention, AIAs often map host physical pages directly, giving them broader access than intended.
- Inadequate Per-process Validation: Many kernel drivers and accelerator firmware do not track which user process has access to which memory pages or fail to invalidate pagetable entries aggressively upon unmapping.
- Absence/Bypass of IOMMU: Although IOMMUs can in principle provide DMA isolation, significant overhead (up to 32x slowdown in AI inference workloads) leads to their deactivation or circumvention in almost all edge/embedded deployments surveyed.
- Multi-Application Concurrency: Lack of process-aware isolation at the accelerator level allows cross-user memory access across multiple inference jobs.
Proposed Defenses: On-Demand Validation
The paper proposes an on-demand validation mechanism where, for every AIA memory access, the accelerator consults the kernel driver to verify whether a given SMID is authorized for the requesting user process, possibly leveraging PID tagging and per-process SMID mapping caches. This aims to retrofit fine-grained, per-process access checks without hardware modification or major redesign of current application interfaces.
Strong numerical result: GEM5-SALAM simulator evaluation shows that this on-demand validation incurs a modest ~15% runtime overhead on average, with most workloads below 10%, substantially outperforming the strict IOMMU baseline (which can incur over 300% overhead). Caching and TLB size tuning further reduce validation latency in practice.
Implications and Future Directions
The demonstrated prevalence and practical exploitability of CDAs against deployed edge AI platforms indicate a critical mismatch between current accelerator integration practices and necessary system security invariants. Explicitly, the drive for high-throughput and low-latency AI inference comes at the expense of fundamental process and kernel memory isolation, even on devices shipping with hardware capabilities ostensibly designed to prevent such issues.
Theoretical implications include the need to model co-processor isolation in a first-class way in security architecture, especially for ML/AI workloads crossing process boundaries. Existing system call and memory isolation abstractions are inadequate when accelerators are treated as privileged bus masters.
Practical implications suggest that application-level mitigations (such as containerization, sandboxing, or privilege separation) are insufficient if the underlying device driver and hardware fail to enforce isolation at the memory transaction level. The on-demand validation solution exemplifies security mechanisms that can be adopted in the absence of hardware redesign.
Future research should focus on:
- Unified memory management architectures that harmonize kernel, user process, and co-processor/accelerator pagetables with minimal performance penalty.
- Hardware support for process-level isolation in accelerators (PASID, SVA, and beyond), with strong integration into accelerator firmware.
- Systematization of LLM-based and static program analysis methods for bug and vulnerability triage in the AI accelerator software stack, possibly advancing toward more automated exploit detection.
Conclusion
This paper provides the first large-scale, systematic study of Confused Deputy Attacks through Edge AI Accelerators, substantiating the critical risks arising from the current deployment practices centered around zero-copy and direct memory access. Using a hybrid static/dynamic/LLM-driven approach in DEPUTYHUNT, the authors expose and validate the feasibility of memory isolation violations in six major AIA designs and introduce a practical software-based defense with modest overhead. The work sets a new standard for accelerator-aware system security evaluation and remediation.