[Core] Prevent side-channel attacks via cache salting #17045
Conversation
Signed-off-by: Marko Rosenmueller <[email protected]>
dr75
requested review from
DarkLight1337,
robertgshaw2-redhat,
simon-mo,
WoosukKwon,
njhill,
ywang96,
comaniac and
alexm-redhat
as code owners
|
👋 Hi! Thank you for contributing to the vLLM project. 💬 Join our developer Slack at https://slack.vllm.ai to discuss your PR in #pr-reviews, coordinate on features in #feat- channels, or join special interest groups in #sig- channels. Just a reminder: PRs would not trigger full CI run by default. Instead, it would only run Once the PR is approved and ready to go, your PR reviewer(s) can run CI to test the changes comprehensively before merging. To run CI, PR reviewers can either: Add 🚀 |
dr75
changed the title
mergify
bot
added
documentation
Signed-off-by: Marko Rosenmueller <[email protected]>
|
I wonder how much this helps given that vLLM already initializes hashes with a random number that's different each time vLLM is executed. related: GHSA-rm76-4mrf-v9r8 |
sorry, I hadn't read the paper yet! |
|
This is related too: #15297 |
Thanks! I am in touch with @comaniac for taking a look. |
|
Both CI failures (both failing a bit differently) are in EntrypointsTest, in |
| cache_salt_keys: list[str] = [request.cache_salt] if ( | ||
| start_token_idx == 0 and request.cache_salt) else [] |
There was a problem hiding this comment.
IIUC, we only include cache salt in the first block of a prompt? Is any particular reason not to include it to all blocks?
There was a problem hiding this comment.
It is propagated to all blocks via the hash of the previous block. So adding it to all would not improve it.
|
One thing I just realized @comaniac: I added it only to the V1 engine but that's problematic for V0. In addition to a comment in the docs I guess there should be some error for requests with salt to the V0 engine, otherwise users of V0 will provide a salt but don't get feedback that it is not used. Any suggestion? Or do you consider V0 deprecated and its good enough to only have a comment in the docs? |
Yeah definitely we should error out when v0 engine receives the cache salt. |
Context
Prefix caching in vLLM improves inference performance by reusing KV blocks across requests. However, this reuse introduces a potential privacy risk in shared environments, where an attacker could infer prompt reuse via timing side channels as demonstrated in Leaking Secrets from Prefix Caches.
To address this, we propose to isolate caches as described in an RFC: #16016
Suggested change
This PR implements the single barrier approach from the RFC by adding support for an optional
cache_saltfield in the request schema. When present, the salt is injected into the hash of the first block, ensuring that only requests with the same salt can share cached blocks. This effectively segments cache reuse by salt and protects against timing-based attacks.{ "messages": [ {"role": "system", "content": "You are a helpful assistant."}, {"role": "user", "content": "Here is a document with details about the world series: ..."}, {"role": "user", "content": "Who won the world series in 2020?"} ], "cache_salt": "Z3V2bmV3aGxza3ZubGFoZ3Zud3V3ZWZ2bmd0b3V2bnZmc2xpZ3RoZ2x2aQ==" }The change is compatible with OpenAI requests as only an additional optional field is added. Users can still use the OpenAI client:
The scope of cache sharing can be configured per request as needed, e.g., full single user protection or cache sharing within a group of users.
The change is in line with cache protection applied by other providers such as OpenAI and provides a solution that allows for higher flexibility allowing for more fine-grained configuration.