The Early Bird Catches the Leak: Unveiling Timing Side Channels in LLM Serving Systems*
早起的鸟儿捉到漏洞：揭示LLM服务系统中的时序侧信道*

1 Introduction  1 引言

• Leakage from the KV cache. For each inference request, the LLM maintains an in-memory state called the KV cache, which is reused in every iteration throughout the request’s entire service time. Due to the causal attention mask in LLMs, each token’s activations are influenced only by preceding tokens in the sequence. Thus, if multiple requests share a
  来自 KV 缓存的泄漏。对于每个推理请求，LLM维护一个称为 KV 缓存的内存状态，该状态在请求的整个服务时间内在每次迭代中重复使用。由于LLMs中的因果注意力掩码，每个标记的激活仅受序列中前面的标记的影响。因此，如果多个请求共享一个
  common prefix, the key and value embeddings for those prefix tokens are identical across sequences. To optimize the KV cache’s memory usage, the system identifies matching prompt prefixes across multiple requests and shares their key and value embeddings in memory at runtime [53, 93]. This sharing occurs when prompts include a common prefix, which frequently happens with few-shot examples [67], chatbot system prompts [45], or prompt templates [29]. For example, it has been noted that Claude’s prompt caching feature can reduce costs by up to $90\mathrm{\%}$$90\mathrm{\%}$90%90 \% and decrease latency by up to $85\mathrm{\%}$$85\mathrm{\%}$85%85 \% for long prompts [28].
  公共前缀，对于这些前缀标记的键和值嵌入在序列中是相同的。为了优化 KV 缓存的内存使用，系统识别多个请求中匹配的提示前缀，并在运行时共享它们的键和值嵌入。这种共享发生在提示包含公共前缀时，这在少量示例、聊天机器人系统提示或提示模板中经常发生。例如，有人指出 Claude 的提示缓存功能可以将成本降低多达 $90\mathrm{\%}$$90\mathrm{\%}$90%90 \% ，并将长提示的延迟降低多达 $85\mathrm{\%}$$85\mathrm{\%}$85%85 \% 。
• Leakage from the semantic cache. The semantic cache boosts LLM performance by caching responses based on the semantic content of the requests. For example, for the prompts “give me suggestions for a comedy movie” and “recommend a comedy movie”, the LLM system can detect their semantic similarity and return similar responses without querying the LLM backend. Experiments show that when GPTCache is integrated with OpenAI’s service, response speed can be improved by a factor of 2 to 10 upon a cache hit [38].
  语义缓存的泄漏。语义缓存通过基于请求的语义内容缓存响应来提升 LLM 的性能。例如，对于提示“给我一些喜剧电影的建议”和“推荐一部喜剧电影”，LLM 系统可以检测它们的语义相似性，并在不查询 LLM 后端的情况下返回相似的响应。实验表明，当 GPTCache 与 OpenAI 的服务集成时，缓存命中时响应速度可以提高 2 到 10 倍 [38]。
  Challenges and solutions. A straightforward way to exploit these vulnerable caches is to directly search the prompt space for one that triggers a cache hit. However, this method faces multiple hurdles. First, the time difference resulting from hitting a single cache block is often minimal and can blend with GPU system noise and fluctuations in voltage and power, making it difficult to detect and exploit. Second, the KV cache only works when prompts share a common prefix, limiting attack opportunities. Additionally, the vastness of the prompt space makes it infeasible to systematically test every potential prompt to find a cached one. Complicating matters further, the attacker’s own requests might be cached during the process, introducing additional noise and potentially causing the victim’s cached data to be evicted.
  挑战与解决方案。利用这些脆弱缓存的一个简单方法是直接在提示空间中搜索一个能够触发缓存命中的提示。然而，这种方法面临多个障碍。首先，由于命中单个缓存块所产生的时间差通常很小，且可能与 GPU 系统噪声以及电压和功率的波动混合在一起，使得检测和利用变得困难。其次，KV 缓存仅在提示共享公共前缀时有效，限制了攻击机会。此外，提示空间的广阔使得系统地测试每个潜在提示以找到一个缓存的提示变得不可行。更复杂的是，攻击者自己的请求可能在此过程中被缓存，导致额外的噪声，并可能导致受害者的缓存数据被驱逐。

• New discovery. We identified new timing side channels in both open-source and online LLM serving systems, arising from the sharing of KV caches and semantic caches to lower inference costs.
  新发现。我们在开源和在线 LLM 服务系统中识别出了新的时序侧信道，这些信道源于共享 KV 缓存和语义缓存以降低推理成本。
• Novel exploit strategies. We introduced new attack strategies to leverage the inherent side channels in LLM inference optimizations, enabling two distinctive attacks: prompt stealing attack and peeping neighbor attack.
  新型利用策略。我们引入了新的攻击策略，以利用LLM推理优化中的固有侧信道，从而实现两种独特的攻击：提示窃取攻击和窥视邻居攻击。
• Experimental validations, real-world measurements and mitigations. We validated the side-channel leakages locally on prominent LLM systems and conducted a black-box measurement study of popular online LLM services. We also presented preliminary mitigation measures for these risks.
  实验验证、实际测量和缓解措施。我们在显著的 LLM 系统上局部验证了侧信道泄漏，并对流行的在线 LLM 服务进行了黑箱测量研究。我们还提出了这些风险的初步缓解措施。

2 Background  2 背景

2.1 LLM Serving Systems
2.1 LLM 服务系统

2.2 Serving Frontend  2.2 服务前端

2.3 Serving Backend  2.3 服务后端

2.4 Threat Model  2.4 威胁模型

3 Attacks  3 次攻击

3.1 Overview  3.1 概述

3.2 Prompt Stealing Attacks (PSA)
3.2 提示窃取攻击 (PSA)

3.3 Peeping neighbor Attacks (PNA)
3.3 窥视邻居攻击 (PNA)

4 Side-channel Analysis and Evaluation
4 边信道分析与评估

4.1 Analysis on PSA
4.1 PSA 分析

We consider that the victim’s chatbot employs a proprietary system prompt for the “system” role in the synthesized mode, while the user’s inputs fall under the “user” role. In the synthesized mode, this system prompt is prepended at every conversational turn to form the complete prompt sent to the SGLang backend. Notably, BloombergGPT [80] serves as a real-world example of a purposely built LLM for financial use, deployed for internal use at Bloomberg. It leverages 3-shot prompting to handle domain-specific tasks more effectively, safeguarding sensitive data and maintaining control over proprietary financial processes. As illustrated in Figure 2, an attacker can masquerade as a chatbot user, submitting either a direct request or a synthesized request that includes the static system prompt. When the LLM processes these synthesized prompts, it retains the separator and system prompt in the KV cache used by the SGLang backend, expediting subsequent requests that share partial prefixes of the system prompt. In
我们认为受害者的聊天机器人在合成模式下使用了一个专有的系统提示作为“系统”角色，而用户的输入则属于“用户”角色。在合成模式中，这个系统提示在每个对话轮次前添加，以形成发送到 SGLang 后端的完整提示。值得注意的是，BloombergGPT [80] 是一个专门为金融用途构建的真实案例，已在 Bloomberg 内部使用。它利用 3-shot 提示更有效地处理特定领域的任务，保护敏感数据并保持对专有金融流程的控制。如图 2 所示，攻击者可以伪装成聊天机器人用户，提交直接请求或包含静态系统提示的合成请求。当LLM处理这些合成提示时，它在 SGLang 后端使用的 KV 缓存中保留分隔符和系统提示，加快了后续请求的处理，这些请求共享系统提示的部分前缀。

To illustrate the classifier’s effectiveness, consider an example using the LLaMA-2-70B-GPTQ model under our evaluation settings. We build a classifier to determine whether the 10 -th token hits the KV cache. Using the profiled timing distribution, we start with an initial threshold of 0.07971 seconds
为了说明分类器的有效性，考虑一个在我们的评估设置下使用 LLaMA-2-70B-GPTQ 模型的例子。我们构建了一个分类器来判断第 10 个标记是否命中 KV 缓存。使用分析后的时间分布，我们从初始阈值 0.07971 秒开始。

Figure 2: Overview of prompt stealing attacks.
图 2：提示窃取攻击概述。

To streamline the search process, as illustrated in Figure 4, we propose an incremental token-by-token approach to recover the target prompt. This approach relies on multiple components: a series of token classifiers for validation, a nexttoken predictor to estimate token probabilities, and a sampler that selects candidate tokens based on the predictor’s temperature setting. The next-token predictor is fine-tuned on the public system prompt dataset available to the attacker, allowing it to forecast the next token given the already retrieved
为了简化搜索过程，如图 4 所示，我们提出了一种增量逐个标记的方法来恢复目标提示。该方法依赖于多个组件：一系列用于验证的标记分类器、一个用于估计标记概率的下一个标记预测器，以及一个根据预测器的温度设置选择候选标记的采样器。下一个标记预测器在攻击者可用的公共系统提示数据集上进行了微调，使其能够在给定已检索的内容的情况下预测下一个标记。

• Timing measurement. As shown in Figure 5, the attacker begins by issuing a synthesized request containing the targeted system prompt. Once the end-of-sequence token is received
  时间测量。如图 5 所示，攻击者首先发出一个包含目标系统提示的合成请求。一旦接收到序列结束标记

def get_ttft(text):
    start_time = time.perf_counter()
    # In stream mode, max_tokens = 1
    response = requests.post(
        {..., max_tokens=1,},
        stream = True
    )
    for line in response.iter_lines():
        if line:
            end_time = time.perf_counter()
            break
        ttft = end_time - start_time
        return ttft
def complete(text):
    # Trigger the system prompt first
    response = client.chat.completions.create(...)
    for line in response.iter_lines():
        if line:
        data = json.loads(line)
        if data.get("end_of_sequence", False):
            break
    Wait for complete
    omplete(triggering_prompt)
    Short delay to ensure KV cache is updated
    ime.sleep(0.2)
    tft = get_ttft(predicted_prompt)

• Flushing the caches through eviction. We observed SGLang provides a flush_cache API [47] that efficiently clears the cache. However, for our end-to-end attack scenario, we chose not to use this API, as it is unlikely to be accessible to attackers in real-world environments. Instead, we employed a more robust method of evicting the KV cache by issuing batches of irrelevant requests. Under default SGLang settings, sending 15 such requests (each containing about 300 tokens) was sufficient to trigger eviction in about 5 seconds. This approach proved successful in $100\mathrm{\%}$$100\mathrm{\%}$100%100 \% of our 1,000 tests.
  通过驱逐清空缓存。我们观察到 SGLang 提供了一个 flush_cache API [47]，可以有效地清除缓存。然而，对于我们的端到端攻击场景，我们选择不使用这个 API，因为在现实环境中攻击者不太可能访问它。相反，我们采用了一种更强大的驱逐 KV 缓存的方法，通过发出一批无关请求。在默认的 SGLang 设置下，发送 15 个此类请求（每个请求包含大约 300 个标记）足以在大约 5 秒内触发驱逐。这种方法在我们 1,000 次测试中的 $100\mathrm{\%}$$100\mathrm{\%}$100%100 \% 次中证明是成功的。

4.2 Analysis on PNA
4.2 PNA 分析

Following these steps, we created two sample sets: (1) Positive Group: Sentences that are semantically similar to $T_0$$T_0$T_(0)T_{0}, all containing $Name{}_0$$Name{}_0$Name_(0)N a m e ~_{0} and Medcond ${}_0$${}_0$_(0){ }_{0}. Formally, $\{(T_i$$\left\{\left(T_i\right.\right.${(T_(i):}\left\{\left(T_{i}\right.\right., Name ${}_0$${}_0$_(0)_{0}, Medcond ${}_0)\mid i=1,\dots ,n\}$$\left.\left.{}_0\right)\mid i=1,\dots ,n\right\}${:_(0))∣i=1,dots,n}\left.\left._{0}\right) \mid i=1, \ldots, n\right\}. (2) Negative Group: The original template $T_0$$T_0$T_(0)T_{0} populated with other names or medical conditions. Formally, $\{(T_0$$\left\{\left(T_0\right.\right.${(T_(0):}\left\{\left(T_{0}\right.\right., Name ${}_i$${}_i$_(i)_{i},
按照这些步骤，我们创建了两个样本集：(1) 正面组：与 $T_0$$T_0$T_(0)T_{0} 在语义上相似的句子，均包含 $Name{}_0$$Name{}_0$Name_(0)N a m e ~_{0} 和 Medcond ${}_0$${}_0$_(0){ }_{0} 。正式来说， $\{(T_i$$\left\{\left(T_i\right.\right.${(T_(i):}\left\{\left(T_{i}\right.\right. ，名称 ${}_0$${}_0$_(0)_{0} ，Medcond ${}_0)\mid i=1,\dots ,n\}$$\left.\left.{}_0\right)\mid i=1,\dots ,n\right\}${:_(0))∣i=1,dots,n}\left.\left._{0}\right) \mid i=1, \ldots, n\right\} 。(2) 负面组：用其他名称或医疗条件填充的原始模板 $T_0$$T_0$T_(0)T_{0} 。正式来说， $\{(T_0$$\left\{\left(T_0\right.\right.${(T_(0):}\left\{\left(T_{0}\right.\right. ，名称 ${}_i$${}_i$_(i)_{i} ，
Medcond ${}_j)\mid i\ne 0$$\left.{}_j\right)\mid i\ne 0${:_(j))∣i!=0\left._{j}\right) \mid i \neq 0 or $j\ne 0\}$$\left.j\ne 0\right\}${:j!=0}\left.j \neq 0\right\}.
Step 3. We split the positive group into two subsets. The
步骤 3。我们将正组分成两个子集。

Figure 7: Evaluating semantic leakage of private attributes.
图 7：评估私有属性的语义泄漏。

• Type-1 (true samples): Queries with the specific name (e.g., “Alice”) and the specific medical condition (e.g., “heart
  Type-1（真实样本）：带有特定名称（例如，“Alice”）和特定医疗状况（例如，“心脏”）的查询
  disease”).  疾病”).
• Type-2 (false samples): Queries that use the same name as the true samples (e.g., “Alice”) but feature different medical conditions, such as “diabetes”, “hypertension”, or “asthma”.
  类型 2（假样本）：使用与真实样本相同名称的查询（例如，“Alice”），但具有不同的医疗状况，如“糖尿病”、“高血压”或“哮喘”。
• Type-3 (false samples): Queries with the same medical condition as the true samples (e.g., “heart disease”) but with different names.
  类型 3（虚假样本）：与真实样本具有相同医疗状况的查询（例如，“心脏病”），但名称不同。
• Type-4 (false samples): Queries unrelated to the target scenario.
  类型 4（虚假样本）：与目标场景无关的查询。

Representative requests are those that most closely approximate the rest of the request space. To identify them, we use the distilbert-base-uncased model to generate embeddings and then compute the L2 distance between these embeddings. We then sort the requests by their L2 distances; those with the smallest distances are deemed the most representative and se-
代表性请求是最接近其余请求空间的请求。为了识别它们，我们使用 distilbert-base-uncased 模型生成嵌入，然后计算这些嵌入之间的 L2 距离。接着，我们按 L2 距离对请求进行排序；距离最小的请求被认为是最具代表性的。

In the evaluation, each of the 4 victim request types was tested 500 times. In each iteration, a random pair of private attributes in the Type- 1 request was selected. We set $\sigma =0.06$$\sigma =0.06$sigma=0.06\sigma=0.06 and identified 5 orthogonal attack requests using the proposed greedy search strategy. Table 3 summarizes the TPR for true samples, and the separate FPRs for each false sample type when increasing the number of attack requests from 1 to 5 . Specifically, we successfully recovered 407 victim requests out of the 500 true samples with a single attack request, achieving a recovery accuracy of $81.4\mathrm{\%}$$81.4\mathrm{\%}$81.4%81.4 \% with an average FPR of 0.045 . With 5 attack requests, 477 victim requests are recovered, demonstrating a recovery accuracy of $95.4\mathrm{\%}$$95.4\mathrm{\%}$95.4%95.4 \% with an average FPR of 0.056 . We provide a demo for this attack in our website [37].
在评估中，每种受害者请求类型被测试了 500 次。在每次迭代中，随机选择了 Type-1 请求中的一对私有属性。我们设置了 $\sigma =0.06$$\sigma =0.06$sigma=0.06\sigma=0.06 并使用提出的贪婪搜索策略识别了 5 个正交攻击请求。表 3 总结了真实样本的 TPR，以及在将攻击请求数量从 1 增加到 5 时每种假样本类型的单独 FPR。具体而言，我们成功恢复了 500 个真实样本中的 407 个受害者请求，单个攻击请求的恢复准确率为 $81.4\mathrm{\%}$$81.4\mathrm{\%}$81.4%81.4 \% ，平均 FPR 为 0.045。使用 5 个攻击请求，恢复了 477 个受害者请求，显示出恢复准确率为 $95.4\mathrm{\%}$$95.4\mathrm{\%}$95.4%95.4 \% ，平均 FPR 为 0.056。我们在网站[37]上提供了此攻击的演示。

4.3 Inferring Documents on Commodity LLM
4.3 推断商品文档 LLM

4.4 Measurement Study on Commodity LLMs
4.4 商品 LLMs 的测量研究

5 Mitigations  5 缓解措施

5.1 Mitigating KV Cache Leakages
5.1 减轻 KV 缓存泄漏

5.2 Mitigating Semantic Cache Leakages
5.2 缓解语义缓存泄漏

6 Discussions  6 讨论

7 Related Works  7 相关工作