Shape and Substance: Dual-Layer Side-Channel Attacks on Local Vision-Language Models
arXiv:2603.25403v2 Announce Type: replace-cross Abstract: On-device Vision-Language Models (VLMs) promise data privacy via local execution. However, we show that the architectural shift toward Dynamic High-Resolution preprocessing (e.g., AnyRes) introduces an inherent algorithmic side-channel. Unlike static models, dynamic preprocessing decomposes images into a variable number of patches based on their aspect ratio, creating workload-dependent inputs. We demonstrate a dual-layer attack framework against local VLMs. In Tier 1, an unprivileged attacker can exploit significant execution-time vari — Eyal Hadad, Mordechai Guri
View PDF HTML (experimental)
Abstract:On-device Vision-Language Models (VLMs) promise data privacy via local execution. However, we show that the architectural shift toward Dynamic High-Resolution preprocessing (e.g., AnyRes) introduces an inherent algorithmic side-channel. Unlike static models, dynamic preprocessing decomposes images into a variable number of patches based on their aspect ratio, creating workload-dependent inputs. We demonstrate a dual-layer attack framework against local VLMs. In Tier 1, an unprivileged attacker can exploit significant execution-time variations using standard unprivileged OS metrics to reliably fingerprint the input's geometry. In Tier 2, by profiling Last-Level Cache (LLC) contention, the attacker can resolve semantic ambiguity within identical geometries, distinguishing between visually dense (e.g., medical X-rays) and sparse (e.g., text documents) content. By evaluating state-of-the-art models such as LLaVA-NeXT and Qwen2-VL, we show that combining these signals enables reliable inference of privacy-sensitive contexts. Finally, we analyze the security engineering trade-offs of mitigating this vulnerability, reveal substantial performance overhead with constant-work padding, and propose practical design recommendations for secure Edge AI deployments.
Comments: 13 pages, 8 figures
Subjects:
Cryptography and Security (cs.CR); Artificial Intelligence (cs.AI); Machine Learning (cs.LG)
Cite as: arXiv:2603.25403 [cs.CR]
(or arXiv:2603.25403v2 [cs.CR] for this version)
https://doi.org/10.48550/arXiv.2603.25403
arXiv-issued DOI via DataCite
Submission history
From: Eyal Hadad [view email] [v1] Thu, 26 Mar 2026 12:53:49 UTC (5,693 KB) [v2] Fri, 27 Mar 2026 15:01:28 UTC (5,694 KB)
Sign in to highlight and annotate this article
Conversation starters
Daily AI Digest
Get the top 5 AI stories delivered to your inbox every morning.
More about
researchpaperarxiv
Exclusive | Caltech Researchers Claim Radical Compression of High-Fidelity AI Models - wsj.com
<a href="https://news.google.com/rss/articles/CBMiuANBVV95cUxPTU4tZnRTaG1rUGQ4a3l6RXdVczBjYkhlVkFTaU9BREZmY3MxMkFtcXJGckJfTDB0dndpSHVYR1JqeEdfV3VwRGRQcGtZQk5fbF9PVkhxS1pDX0wtSXdYOGVOOWZ4cEhkNTJxSFdhQ3FRdjJrSlppOFJrRHd2bUFyZDdCd193U1Q3cmFFMkNWUFh6Wmx1ZjhnRmRDaE1QVFZQeVJCb3JyYWVCbDlJY1QwcG42NS1leXRnamZGd1dXRUlUV2RybGZScGtBc1I2TDFHY0FXeW9ORV9lVzE3cWpvemlNcE0wVjVSRVd4SkJEUnlPc3VWNjB2Y2pnaGFEOGl4V28zamNEVEtsRDROMGhEbGpzc2djelJVZ2lGUjNRNGprZ0p2SWhRTnE2UVRHSW8yX3k3Zm1BcWg4NjJheGw0S0U3ZmNKeXFaRmYwSGtERFRnYzU2QUJhUElCcHFicWV5YlRGRGtHbzB6ZURRdnpaTHFDOHYtbkNQS3NTZzNwNXNJQkk5SS05N3g0bWVaN2hnVi1KLTFtMVZnZUZlN05NMTY5dGZBdmxaSVdXUXg5NEhmT0ZUYkdmcQ?oc=5" target="_blank">Exclusive | Caltech Researchers Claim Radical Compression of High-Fidelity AI Models</a> <font color="#6f6f6f">wsj.com</font>
Former Baidu President on AI Tokenization in China
The former President of Baidu says AI tokenization is exploding in China, far beyond what OpenClaw illustrated earlier this year. Zhang Yaqin, who runs China's Institute of AI Industry Research at Beijing's Tsinghua University speaks to Bloomberg's Chief North Asia Correspondent Stephen Engle in Beijing. (Source: Bloomberg)
Uganda To Host Climate Change, Artificial Intelligence Summit, Sept 5-6 - Independent Newspaper Nigeria
<a href="https://news.google.com/rss/articles/CBMimAFBVV95cUxNcnBtdldJUERlX0dzOTJEY2sybEc2ZjZSbUtiLWIzUUhJbkQ1N3BwUWlCcV95YmZNSmFGbFQ1enE5VWJlY0JBWDhlSENlNEFNMmM5Q0hrM080V3Q2eUF3cmpkeFBXRS01YXBpRUI4Uk5KOVY5bjFaRm1GNmVudGUtNTFmVDlBMDIyNGVGaF9WTkdHTDMxY1BZcw?oc=5" target="_blank">Uganda To Host Climate Change, Artificial Intelligence Summit, Sept 5-6</a> <font color="#6f6f6f">Independent Newspaper Nigeria</font>
Knowledge Map
Connected Articles — Knowledge Graph
This article is connected to other articles through shared AI topics and tags.
More in Research Papers
AI could transform research assessment — and some academics are worried - Nature
<a href="https://news.google.com/rss/articles/CBMiX0FVX3lxTE12VmJ3THU1WmwzcENmWFJqTVRfclJGVkhzTG9Kcm9mTm1VZnJsV2IyZGwtc21EWnZRSkRfSXM3SDRlOVZnUlhpVm9VUEMtRWRRYmNDVU1kdHg5NllvSERj?oc=5" target="_blank">AI could transform research assessment — and some academics are worried</a> <font color="#6f6f6f">Nature</font>
As AI-Generated Music Advances, Humans Still Lead in Creativity, CMU Research Finds
<p> <img loading="lazy" src="https://www.cmu.edu/news/sites/default/files/styles/listings_desktop_1x_/public/2026-01/251104A_WTM_AI-Creativity-Music102.jpg.webp?itok=uEc2ayOO" width="900" height="508" alt="A woman with long black hair is seated on the right opposite a computer screen with a small piano keyboard and computer keyboard in front of her on a desk, where a man next to her with glasses and wavy black hair operates the mouse and talks to her."> </p> AI can write songs, but still has a way to go before matching the creativity of tunes made by people, according to Carnegie Mellon University research.
Discussion
Sign in to join the discussion
No comments yet — be the first to share your thoughts!