{"record_type":"pith_number_record","schema_url":"https://pith.science/schemas/pith-number/v1.json","pith_number":"pith:2026:JNPW5ZCVLQFBMNE23LTTCL7OVL","short_pith_number":"pith:JNPW5ZCV","schema_version":"1.0","canonical_sha256":"4b5f6ee4555c0a16349adae7312feeaafcd340145d157f7bee39cb65a28613c2","source":{"kind":"arxiv","id":"2605.17707","version":1},"attestation_state":"computed","paper":{"title":"Speed Kills: Exploring Confused Deputy Attacks Through Edge AI Accelerators","license":"http://creativecommons.org/licenses/by-nc-sa/4.0/","headline":"AI accelerators on edge devices can be tricked by apps into performing privileged operations outside OS control.","cross_cats":[],"primary_cat":"cs.CR","authors_text":"Aravind Kumar Machiry, Datta Manikanta Sri Hari Danduri","submitted_at":"2026-05-18T00:04:51Z","abstract_excerpt":"AI Accelerator (AIA) are specialized hardware e.g., Tensor Processing Unit (TPU), that enable optimal and efficient execution of AI applications and on-device inference. The growing demand for AI applications has led to the widespread adoption of AIAs on Edge or embedded devices on Edge or embedded devices. Unlike applications, AIAs are not bound by Operating System (OS) restrictions and have limited visibility into Application Processor (AP) security mechanisms (e.g., kernel vs. application memory, process isolation). This semantic gap can lead to confused deputy vulnerabilities, i.e., AIA ca"},"verification_status":{"content_addressed":true,"pith_receipt":true,"author_attested":false,"weak_author_claims":0,"strong_author_claims":0,"externally_anchored":false,"storage_verified":false,"citation_signatures":0,"replication_records":0,"graph_snapshot":true,"references_resolved":true,"formal_links_present":true},"canonical_record":{"source":{"id":"2605.17707","kind":"arxiv","version":1},"metadata":{"license":"http://creativecommons.org/licenses/by-nc-sa/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-18T00:04:51Z","cross_cats_sorted":[],"title_canon_sha256":"c4488fc7622779240b0c058d932caf06560075262822089783a00b8a2d905b77","abstract_canon_sha256":"4fbc471209c6cad64cd6bbf3bf0cb2d3ac814263fdcd8371fec90506f6be1c66"},"schema_version":"1.0"},"receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-20T00:04:53.770615Z","signature_b64":"WuW2Z6Yytf9br04tAblPCOV2+FJZcjycy/MX8XyrtND6CDVe5iBFKCDlmPl5VVyMbBaCh7tn14hYfwkg3PkFAg==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"4b5f6ee4555c0a16349adae7312feeaafcd340145d157f7bee39cb65a28613c2","last_reissued_at":"2026-05-20T00:04:53.769666Z","signature_status":"signed_v1","first_computed_at":"2026-05-20T00:04:53.769666Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"graph_snapshot":{"paper":{"title":"Speed Kills: Exploring Confused Deputy Attacks Through Edge AI Accelerators","license":"http://creativecommons.org/licenses/by-nc-sa/4.0/","headline":"AI accelerators on edge devices can be tricked by apps into performing privileged operations outside OS control.","cross_cats":[],"primary_cat":"cs.CR","authors_text":"Aravind Kumar Machiry, Datta Manikanta Sri Hari Danduri","submitted_at":"2026-05-18T00:04:51Z","abstract_excerpt":"AI Accelerator (AIA) are specialized hardware e.g., Tensor Processing Unit (TPU), that enable optimal and efficient execution of AI applications and on-device inference. The growing demand for AI applications has led to the widespread adoption of AIAs on Edge or embedded devices on Edge or embedded devices. Unlike applications, AIAs are not bound by Operating System (OS) restrictions and have limited visibility into Application Processor (AP) security mechanisms (e.g., kernel vs. application memory, process isolation). This semantic gap can lead to confused deputy vulnerabilities, i.e., AIA ca"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"CDA is feasible on six out of the seven AIAs, impacting over 128 System On Chips (SOCs) and over 100 million devices.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"The DeputyHunt framework, combining LLM-assisted dynamic and static analysis, correctly identifies exploitable confused deputy paths without substantial false positives or missed cases on the tested accelerators.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"An empirical security study shows confused deputy attacks are practical on most edge AI accelerators via a new LLM-assisted analysis framework, with vendor-confirmed impact on over 100 million devices.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"AI accelerators on edge devices can be tricked by apps into performing privileged operations outside OS control.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"0020eb98252bec0ca607e58bbe24fde433d05b086d38c7ce08b8f8f05f699553"},"source":{"id":"2605.17707","kind":"arxiv","version":1},"verdict":{"id":"b0b150a7-4e0c-45b0-8b12-a8e670161907","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-19T23:05:18.343291Z","strongest_claim":"CDA is feasible on six out of the seven AIAs, impacting over 128 System On Chips (SOCs) and over 100 million devices.","one_line_summary":"An empirical security study shows confused deputy attacks are practical on most edge AI accelerators via a new LLM-assisted analysis framework, with vendor-confirmed impact on over 100 million devices.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"The DeputyHunt framework, combining LLM-assisted dynamic and static analysis, correctly identifies exploitable confused deputy paths without substantial false positives or missed cases on the tested accelerators.","pith_extraction_headline":"AI accelerators on edge devices can be tricked by apps into performing privileged operations outside OS control."},"integrity":{"clean":true,"summary":{"advisory":0,"critical":0,"by_detector":{},"informational":0},"endpoint":"/pith/2605.17707/integrity.json","findings":[],"available":true,"detectors_run":[{"name":"doi_title_agreement","ran_at":"2026-05-19T23:31:19.813939Z","status":"completed","version":"1.0.0","findings_count":0},{"name":"doi_compliance","ran_at":"2026-05-19T23:11:21.586675Z","status":"completed","version":"1.0.0","findings_count":0},{"name":"shingle_duplication","ran_at":"2026-05-19T21:49:43.477681Z","status":"skipped","version":"0.1.0","findings_count":0},{"name":"citation_quote_validity","ran_at":"2026-05-19T21:49:43.307289Z","status":"skipped","version":"0.1.0","findings_count":0},{"name":"ai_meta_artifact","ran_at":"2026-05-19T21:33:23.510887Z","status":"skipped","version":"1.0.0","findings_count":0},{"name":"cited_work_retraction","ran_at":"2026-05-19T21:21:58.863370Z","status":"completed","version":"1.0.0","findings_count":0},{"name":"claim_evidence","ran_at":"2026-05-19T21:21:57.417337Z","status":"completed","version":"1.0.0","findings_count":0}],"snapshot_sha256":"f7f4d3c9c9c8763ac2c3986f46dccb93a665d40cb88a7c94ab45df5e2263ca82"},"references":{"count":152,"sample":[{"doi":"","year":2023,"title":"Ai-powered mobile applications: Revolutionizing user inter- action through intelligent features and context-aware services,","work_id":"c7f970b3-3d94-4f95-94d1-b41527e6ad3c","ref_index":1,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2024,"title":"Ai-powered laptop companions: Bridging the human-machine gap,","work_id":"a90dff28-ee0e-4864-a4fe-029e9fc8c65b","ref_index":2,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2025,"title":"Empowering edge intelligence: A comprehensive survey on on-device ai models,","work_id":"29557c9a-7b88-46ad-a591-39c79942cc49","ref_index":3,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2021,"title":"Ai- based autonomous driving assistance system,","work_id":"066b601b-eed9-4e51-aca6-2ea90a618b4b","ref_index":4,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2021,"title":"A survey on the optimization of neural network accelerators for micro-ai on-device inference,","work_id":"63fcc797-dae9-4ab4-bbed-6272884c5e36","ref_index":5,"cited_arxiv_id":"","is_internal_anchor":false}],"resolved_work":152,"snapshot_sha256":"5e697cbd30ab2647389e74bc7fdc0a0e7a0fcac8a8a907e7f98dcea36e11a31c","internal_anchors":0},"formal_canon":{"evidence_count":2,"snapshot_sha256":"e4e45d4812e2f3c516de53431464f1406d0512252ee7defb8bb1d6c38f5897f1"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"aliases":[{"alias_kind":"arxiv","alias_value":"2605.17707","created_at":"2026-05-20T00:04:53.769839+00:00"},{"alias_kind":"arxiv_version","alias_value":"2605.17707v1","created_at":"2026-05-20T00:04:53.769839+00:00"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2605.17707","created_at":"2026-05-20T00:04:53.769839+00:00"},{"alias_kind":"pith_short_12","alias_value":"JNPW5ZCVLQFB","created_at":"2026-05-20T00:04:53.769839+00:00"},{"alias_kind":"pith_short_16","alias_value":"JNPW5ZCVLQFBMNE2","created_at":"2026-05-20T00:04:53.769839+00:00"},{"alias_kind":"pith_short_8","alias_value":"JNPW5ZCV","created_at":"2026-05-20T00:04:53.769839+00:00"}],"events":[],"event_summary":{},"paper_claims":[],"inbound_citations":{"count":0,"internal_anchor_count":0,"sample":[]},"formal_canon":{"evidence_count":2,"sample":[],"anchors":[]},"links":{"html":"https://pith.science/pith/JNPW5ZCVLQFBMNE23LTTCL7OVL","json":"https://pith.science/pith/JNPW5ZCVLQFBMNE23LTTCL7OVL.json","graph_json":"https://pith.science/api/pith-number/JNPW5ZCVLQFBMNE23LTTCL7OVL/graph.json","events_json":"https://pith.science/api/pith-number/JNPW5ZCVLQFBMNE23LTTCL7OVL/events.json","paper":"https://pith.science/paper/JNPW5ZCV"},"agent_actions":{"view_html":"https://pith.science/pith/JNPW5ZCVLQFBMNE23LTTCL7OVL","download_json":"https://pith.science/pith/JNPW5ZCVLQFBMNE23LTTCL7OVL.json","view_paper":"https://pith.science/paper/JNPW5ZCV","resolve_alias":"https://pith.science/api/pith-number/resolve?arxiv=2605.17707&json=true","fetch_graph":"https://pith.science/api/pith-number/JNPW5ZCVLQFBMNE23LTTCL7OVL/graph.json","fetch_events":"https://pith.science/api/pith-number/JNPW5ZCVLQFBMNE23LTTCL7OVL/events.json","actions":{"anchor_timestamp":"https://pith.science/pith/JNPW5ZCVLQFBMNE23LTTCL7OVL/action/timestamp_anchor","attest_storage":"https://pith.science/pith/JNPW5ZCVLQFBMNE23LTTCL7OVL/action/storage_attestation","attest_author":"https://pith.science/pith/JNPW5ZCVLQFBMNE23LTTCL7OVL/action/author_attestation","sign_citation":"https://pith.science/pith/JNPW5ZCVLQFBMNE23LTTCL7OVL/action/citation_signature","submit_replication":"https://pith.science/pith/JNPW5ZCVLQFBMNE23LTTCL7OVL/action/replication_record"}},"created_at":"2026-05-20T00:04:53.769839+00:00","updated_at":"2026-05-20T00:04:53.769839+00:00"}