{"bundle_type":"pith_open_graph_bundle","bundle_version":"1.0","pith_number":"pith:2026:7JEZBO5X5SPQ5T6PP2VZECFCH2","short_pith_number":"pith:7JEZBO5X","canonical_record":{"source":{"id":"2606.18400","kind":"arxiv","version":1},"metadata":{"license":"http://creativecommons.org/licenses/by-sa/4.0/","primary_cat":"cs.OS","submitted_at":"2026-06-16T18:47:47Z","cross_cats_sorted":["cs.CR"],"title_canon_sha256":"31046be542ffeaddc24e60a6175b03ff3efa475f6686d9a965d55203858ef3fb","abstract_canon_sha256":"de33d015502c443d0df805b9257662f7becd7ff47f3d44c1a0cc71ca5f9a1a31"},"schema_version":"1.0"},"canonical_sha256":"fa4990bbb7ec9f0ecfcf7eab9208a23ea4018086a727dfd3da288494a1f1ea0c","source":{"kind":"arxiv","id":"2606.18400","version":1},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2606.18400","created_at":"2026-06-19T16:11:00Z"},{"alias_kind":"arxiv_version","alias_value":"2606.18400v1","created_at":"2026-06-19T16:11:00Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2606.18400","created_at":"2026-06-19T16:11:00Z"},{"alias_kind":"pith_short_12","alias_value":"7JEZBO5X5SPQ","created_at":"2026-06-19T16:11:00Z"},{"alias_kind":"pith_short_16","alias_value":"7JEZBO5X5SPQ5T6P","created_at":"2026-06-19T16:11:00Z"},{"alias_kind":"pith_short_8","alias_value":"7JEZBO5X","created_at":"2026-06-19T16:11:00Z"}],"events":[{"event_type":"record_created","subject_pith_number":"pith:2026:7JEZBO5X5SPQ5T6PP2VZECFCH2","target":"record","payload":{"canonical_record":{"source":{"id":"2606.18400","kind":"arxiv","version":1},"metadata":{"license":"http://creativecommons.org/licenses/by-sa/4.0/","primary_cat":"cs.OS","submitted_at":"2026-06-16T18:47:47Z","cross_cats_sorted":["cs.CR"],"title_canon_sha256":"31046be542ffeaddc24e60a6175b03ff3efa475f6686d9a965d55203858ef3fb","abstract_canon_sha256":"de33d015502c443d0df805b9257662f7becd7ff47f3d44c1a0cc71ca5f9a1a31"},"schema_version":"1.0"},"canonical_sha256":"fa4990bbb7ec9f0ecfcf7eab9208a23ea4018086a727dfd3da288494a1f1ea0c","receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-06-19T16:11:00.431221Z","signature_b64":"LhVrPCDy/f12ltPeml5bOG9EZchMhLMeNtsW5P8MgfM+//tkMmATH1rxIQgpMogXvjECneZMJDqk1BvczKSVCg==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"fa4990bbb7ec9f0ecfcf7eab9208a23ea4018086a727dfd3da288494a1f1ea0c","last_reissued_at":"2026-06-19T16:11:00.430872Z","signature_status":"signed_v1","first_computed_at":"2026-06-19T16:11:00.430872Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"source_kind":"arxiv","source_id":"2606.18400","source_version":1,"attestation_state":"computed"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-06-19T16:11:00Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"mC432rV2dKW/IlrP4D9zYnwEKKCK2Zt5sbnDMNjYSYlGjbnFNs364/xe8IsY5rA/y1fNzlr/9q33fFwi+c1sDQ==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-06-29T02:00:29.683029Z"},"content_sha256":"2d6e9e69e20f57ab82923fb696928809f52143f016f777cbfc2eefafa688ec0c","schema_version":"1.0","event_id":"sha256:2d6e9e69e20f57ab82923fb696928809f52143f016f777cbfc2eefafa688ec0c"},{"event_type":"graph_snapshot","subject_pith_number":"pith:2026:7JEZBO5X5SPQ5T6PP2VZECFCH2","target":"graph","payload":{"graph_snapshot":{"paper":{"title":"CloakLM: Obfuscating GPU Memory Layout to Mitigate Model Ex-filtration for Serving","license":"http://creativecommons.org/licenses/by-sa/4.0/","headline":"","cross_cats":["cs.CR"],"primary_cat":"cs.OS","authors_text":"Divya Mahajan, Kunal Jain, Seokjin Go","submitted_at":"2026-06-16T18:47:47Z","abstract_excerpt":"Large foundation models deployed on third-party and shared accelerator infrastructure face a practical risk of model exfiltration that existing defenses do not fully address. In common serving deployments, model providers control the VM or bare-metal serving stack but not the surrounding hardware substrate. The host to GPU interconnect, accelerator fabric, and neighboring infrastructure components remain outside the tenant's trust boundary and have been shown to be exploitable. Hermes demonstrates lossless DNN reconstruction from passive PCIe observation, while TunnelS exfiltrates HBM contents"},"claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"2606.18400","kind":"arxiv","version":1},"verdict":{"id":null,"model_set":{},"created_at":null,"strongest_claim":"","one_line_summary":"","pipeline_version":null,"weakest_assumption":"","pith_extraction_headline":""},"integrity":{"clean":true,"summary":{"advisory":0,"critical":0,"by_detector":{},"informational":0},"endpoint":"/pith/2606.18400/integrity.json","findings":[],"available":true,"detectors_run":[],"snapshot_sha256":"c28c3603d3b5d939e8dc4c7e95fa8dfce3d595e45f758748cecf8e644a296938"},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"verdict_id":null},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-06-19T16:11:00Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"rCa8M3z9x8M/osiUXcVrQhrOnSYv3WY/+WRXEmhWZW89Jy8wBi+61TFFUqSylZ81aORQhJjvm4wEvgFaT0+rBw==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-06-29T02:00:29.683420Z"},"content_sha256":"1fc5912d131c8bb41f39472f9d20ea4f9e9eb4ef7e020cd6f27e7424f646bc54","schema_version":"1.0","event_id":"sha256:1fc5912d131c8bb41f39472f9d20ea4f9e9eb4ef7e020cd6f27e7424f646bc54"}],"timestamp_proofs":[],"mirror_hints":[{"mirror_type":"https","name":"Pith Resolver","base_url":"https://pith.science","bundle_url":"https://pith.science/pith/7JEZBO5X5SPQ5T6PP2VZECFCH2/bundle.json","state_url":"https://pith.science/pith/7JEZBO5X5SPQ5T6PP2VZECFCH2/state.json","well_known_bundle_url":"https://pith.science/.well-known/pith/7JEZBO5X5SPQ5T6PP2VZECFCH2/bundle.json","status":"primary"}],"public_keys":[{"key_id":"pith-v1-2026-05","algorithm":"ed25519","format":"raw","public_key_b64":"stVStoiQhXFxp4s2pdzPNoqVNBMojDU/fJ2db5S3CbM=","public_key_hex":"b2d552b68890857171a78b36a5dccf368a953413288c353f7c9d9d6f94b709b3","fingerprint_sha256_b32_first128bits":"RVFV5Z2OI2J3ZUO7ERDEBCYNKS","fingerprint_sha256_hex":"8d4b5ee74e4693bcd1df2446408b0d54","rotates_at":null,"url":"https://pith.science/pith-signing-key.json","notes":"Pith uses this Ed25519 key to sign canonical record SHA-256 digests. Verify with: ed25519_verify(public_key, message=canonical_sha256_bytes, signature=base64decode(signature_b64))."}],"merge_version":"pith-open-graph-merge-v1","built_at":"2026-06-29T02:00:29Z","links":{"resolver":"https://pith.science/pith/7JEZBO5X5SPQ5T6PP2VZECFCH2","bundle":"https://pith.science/pith/7JEZBO5X5SPQ5T6PP2VZECFCH2/bundle.json","state":"https://pith.science/pith/7JEZBO5X5SPQ5T6PP2VZECFCH2/state.json","well_known_bundle":"https://pith.science/.well-known/pith/7JEZBO5X5SPQ5T6PP2VZECFCH2/bundle.json"},"state":{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2026:7JEZBO5X5SPQ5T6PP2VZECFCH2","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"de33d015502c443d0df805b9257662f7becd7ff47f3d44c1a0cc71ca5f9a1a31","cross_cats_sorted":["cs.CR"],"license":"http://creativecommons.org/licenses/by-sa/4.0/","primary_cat":"cs.OS","submitted_at":"2026-06-16T18:47:47Z","title_canon_sha256":"31046be542ffeaddc24e60a6175b03ff3efa475f6686d9a965d55203858ef3fb"},"schema_version":"1.0","source":{"id":"2606.18400","kind":"arxiv","version":1}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2606.18400","created_at":"2026-06-19T16:11:00Z"},{"alias_kind":"arxiv_version","alias_value":"2606.18400v1","created_at":"2026-06-19T16:11:00Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2606.18400","created_at":"2026-06-19T16:11:00Z"},{"alias_kind":"pith_short_12","alias_value":"7JEZBO5X5SPQ","created_at":"2026-06-19T16:11:00Z"},{"alias_kind":"pith_short_16","alias_value":"7JEZBO5X5SPQ5T6P","created_at":"2026-06-19T16:11:00Z"},{"alias_kind":"pith_short_8","alias_value":"7JEZBO5X","created_at":"2026-06-19T16:11:00Z"}],"graph_snapshots":[{"event_id":"sha256:1fc5912d131c8bb41f39472f9d20ea4f9e9eb4ef7e020cd6f27e7424f646bc54","target":"graph","created_at":"2026-06-19T16:11:00Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"integrity":{"available":true,"clean":true,"detectors_run":[],"endpoint":"/pith/2606.18400/integrity.json","findings":[],"snapshot_sha256":"c28c3603d3b5d939e8dc4c7e95fa8dfce3d595e45f758748cecf8e644a296938","summary":{"advisory":0,"by_detector":{},"critical":0,"informational":0}},"paper":{"abstract_excerpt":"Large foundation models deployed on third-party and shared accelerator infrastructure face a practical risk of model exfiltration that existing defenses do not fully address. In common serving deployments, model providers control the VM or bare-metal serving stack but not the surrounding hardware substrate. The host to GPU interconnect, accelerator fabric, and neighboring infrastructure components remain outside the tenant's trust boundary and have been shown to be exploitable. Hermes demonstrates lossless DNN reconstruction from passive PCIe observation, while TunnelS exfiltrates HBM contents","authors_text":"Divya Mahajan, Kunal Jain, Seokjin Go","cross_cats":["cs.CR"],"headline":"","license":"http://creativecommons.org/licenses/by-sa/4.0/","primary_cat":"cs.OS","submitted_at":"2026-06-16T18:47:47Z","title":"CloakLM: Obfuscating GPU Memory Layout to Mitigate Model Ex-filtration for Serving"},"references":{"count":0,"internal_anchors":0,"resolved_work":0,"sample":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"2606.18400","kind":"arxiv","version":1},"verdict":{"created_at":null,"id":null,"model_set":{},"one_line_summary":"","pipeline_version":null,"pith_extraction_headline":"","strongest_claim":"","weakest_assumption":""}},"verdict_id":null}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:2d6e9e69e20f57ab82923fb696928809f52143f016f777cbfc2eefafa688ec0c","target":"record","created_at":"2026-06-19T16:11:00Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"de33d015502c443d0df805b9257662f7becd7ff47f3d44c1a0cc71ca5f9a1a31","cross_cats_sorted":["cs.CR"],"license":"http://creativecommons.org/licenses/by-sa/4.0/","primary_cat":"cs.OS","submitted_at":"2026-06-16T18:47:47Z","title_canon_sha256":"31046be542ffeaddc24e60a6175b03ff3efa475f6686d9a965d55203858ef3fb"},"schema_version":"1.0","source":{"id":"2606.18400","kind":"arxiv","version":1}},"canonical_sha256":"fa4990bbb7ec9f0ecfcf7eab9208a23ea4018086a727dfd3da288494a1f1ea0c","receipt":{"algorithm":"ed25519","builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"fa4990bbb7ec9f0ecfcf7eab9208a23ea4018086a727dfd3da288494a1f1ea0c","first_computed_at":"2026-06-19T16:11:00.430872Z","key_id":"pith-v1-2026-05","kind":"pith_receipt","last_reissued_at":"2026-06-19T16:11:00.430872Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","receipt_version":"0.3","signature_b64":"LhVrPCDy/f12ltPeml5bOG9EZchMhLMeNtsW5P8MgfM+//tkMmATH1rxIQgpMogXvjECneZMJDqk1BvczKSVCg==","signature_status":"signed_v1","signed_at":"2026-06-19T16:11:00.431221Z","signed_message":"canonical_sha256_bytes"},"source_id":"2606.18400","source_kind":"arxiv","source_version":1}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:2d6e9e69e20f57ab82923fb696928809f52143f016f777cbfc2eefafa688ec0c","sha256:1fc5912d131c8bb41f39472f9d20ea4f9e9eb4ef7e020cd6f27e7424f646bc54"],"state_sha256":"9e4d26990919f574d2baeb58d540b1446b73044e56bd9f40f470ac41440c253e"},"bundle_signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"c6hqoI/JBAFYaPhSkaiIdZXIJvEjRz/JrNpnnQAKRKwho5DEn0gSwq2B8zXKpPm6E3ezHA7TdzbDLxNVuCetDg==","signed_message":"bundle_sha256_bytes","signed_at":"2026-06-29T02:00:29.685400Z","bundle_sha256":"2a9a0119da0860dfe5beccc07d7a95d4a590f0a34c3e928a6d6e5ebc6380c3ca"}}