[ezoe]

If you let third party stranger to offer GPU resource, how do you deal with:

1. Privacy. An attacker can set up a GPU honey pot and and sell the data they got.

2. Fake GPU computation. An attacker can fake GPU and send back dummy data sometimes to reduce the computation.

3. Corrupt GPU. Practically same with 2. But not malicious intent. It's just the faulty GPU.

[p4bl0]

Regarding 2 and 3: depending on the type of computations you need to do there are ways to verify the integrity of a delegated computation with very high confidence for very low cost. Typically if you're computations happens in a modular structure it's quite easy. See for example my THC (trustable homomorphic computation) project and the accompanying paper: https://pablo.rauzy.name/software.html#thc There is also a video presentation because the conference where the paper was published took place during a COVID induced lockdown: https://www.youtube.com/watch?v=6DByVlqpH0s

[p4bl0]

Can someone explain why a relevant peer-reviewed paper reference got downvoted?

[zorgmonkey]

Technically something like this is relevant, but most people would assume that in practice it is going to be way too much work to get it implemented on GPUs and in such a way that it doesn't add too much overhead.

[evilduck]

Two and three are really the same problem and are solved by periodically running the same workload in duplicate on other systems and comparing results to detect unreliable sellers. Same as all the captcha systems. It's an overhead required to have trust built into a system. In the event of a faulty GPU, the owner would likely want to know anyways.

The first issue could be addressed by just never giving a seller enough data from a buyer to abuse, but that does require a critical mass of both buyers and sellers before you could distribute and dilute a single customer's workload enough. The company could bootstrap this with renting their own GPUs and subsidizing sellers at first though.

[TazeTSchnitzel]

There's a privacy issue in both directions too: the tenant will be afraid their workload will be stolen, and the host will be afraid other data in their system will be stolen (if the sandboxing is imperfect).

[larodi]

Wait a year and see how kids get on blockchain to sell and buy GPU resources for rendering ‘trans furries’, or better analyse classmates’ stolen chats.

I can vividly remember we were by no means disclosing private info back in ‘94 only to see a world of influencers in 2024 sharing their very personal guts for profits.

[Foobar8568]

It's only an extension of big brother from the late 90s, to not say real world from MTV in the early 90s.

At the end of the days, everyone wants and hopes to be an idol or famous.

[larodi]

...but also at no point in known history has it ever happened to find millions of people doing so in very mean and aggressive way, and worldwide scene to exploit.

agreed it IS a Big Brother of a sorts, where everyone participates to certain degree. but then written forums have been a thing before BigBrother and perhaps don't have this voyeurism added in the equation.

[mnahkies]

I know Azure has a confidential computing offering for GPUs, which I'm hoping will get broader uptake soon. It seems like the best way to address these concerns to me.

https://azure.microsoft.com/en-us/blog/azure-confidential-co...

[aliljet]

how would you propose this might work?

[mnahkies]

I'm not an expert on the area, but I've attended some conference talks on the subject at fosdem so I'll give it a go.

Essentially you're trying to provide a way to prove that the code running on the machine is what you instructed. This is achieved by a series of hardware attestations that measure and check the code to make sure it's what you requested. Generally this means encrypted ram at a minimum, and checks/balances that give you confidence this is the case (you have to trust someone, eg: Intel)

Is it perfect, probably not, but it's a lot better than just running VMs with unencrypted memory that any operator can jump into.

To my understanding most GPU workloads are not run in this way currently, and the operator can see/manipulate everything executed

[courseofaction]

Reputation