short-paper

WaC: First Results on Practical Side-Channel Attacks on Commercial Machine Learning Accelerator

Authors:

Shivam BhasinAuthors Info & Claims

ASHES '21: Proceedings of the 5th Workshop on Attacks and Solutions in Hardware Security

Pages 111 - 114

https://doi.org/10.1145/3474376.3487284

Published: 15 November 2021 Publication History

Get Access

Abstract

Commercial machine learning accelerators like Intel neural Compute Stick 2 (NCS2) enable efficient inference on otherwise low resource edge devices. However, these accelerators are also exposed to new threats leveraging physical access. In this paper, we present the first results demonstrating practical electromagnetic side-channel attack on NCS2, allowing secret weight recovery from executed models.

References

[1]

Lejla Batina, Shivam Bhasin, Dirmanto Jap, and Stjepan Picek. 2019. {CSI}{NN}: Reverse Engineering of Neural Network Architectures Through Electromagnetic Side Channel. In 28th {USENIX}Security Symposium ({USENIX}Security 19). 515--532.

Digital Library

Google Scholar

[2]

Eric Brier, Christophe Clavier, and Francis Olivier. 2004. Correlation Power Analysis with a Leakage Model. In Cryptographic Hardware and Embedded Systems - CHES 2004: 6th International Workshop Cambridge, MA, USA, August 11--13, 2004. Proceedings (Lecture Notes in Computer Science, Vol. 3156), Marc Joye and Jean- Jacques Quisquater (Eds.). Springer, 16--29. https://doi.org/10.1007/978-3-540-28632-5_2

Crossref

Google Scholar

[3]

Nicholas Carlini, Matthew Jagielski, and Ilya Mironov. 2020. Cryptanalytic Extraction of Neural Network Models. In Advances in Cryptology - CRYPTO 2020 - 40th Annual International Cryptology Conference, CRYPTO 2020, Santa Barbara, CA, USA, August 17-21, 2020, Proceedings, Part III (Lecture Notes in Computer Science, Vol. 12172), Daniele Micciancio and Thomas Ristenpart (Eds.). Springer, 189--218. https://doi.org/10.1007/978-3-030-56877-1_7

Crossref

Google Scholar

[4]

Lukasz Chmielewski and Léo Weissbart. [n.d.]. On Reverse Engineering Neural Network Implementation on GPU. ([n. d.]).

Google Scholar

[5]

Christian Doerr. 2018. Side-Channel Based Intrusion Detection for Industrial Control Systems. In Critical Information Infrastructures Security: 12th International Conference, CRITIS 2017, Lucca, Italy, October 8-13, 2017, Revised Selected Papers, Vol. 10707. Springer, 207.

Google Scholar

[6]

Anuj Dubey, Rosario Cammarota, and Aydin Aysu. 2020. Maskednet: The first hardware inference engine aiming power side-channel protection. In 2020 IEEE International Symposium on Hardware Oriented Security and Trust (HOST). IEEE, 197--208.

Crossref

Google Scholar

[7]

Vasisht Duddu, Debasis Samanta, D. Vijay Rao, and Valentina E. Balas. 2018. Stealing Neural Networks via Timing Side Channels. CoRR abs/1812.11720 (2018). arXiv:1812.11720 http://arxiv.org/abs/1812.11720

Google Scholar

[8]

Itay Hubara, Matthieu Courbariaux, Daniel Soudry, Ran El-Yaniv, and Yoshua Bengio. 2016. Binarized Neural Networks. In Advances in Neural Information Processing Systems 29: Annual Conference on Neural Information Processing Systems 2016, December 5-10, 2016, Barcelona, Spain, Daniel D. Lee, Masashi Sugiyama, Ulrike von Luxburg, Isabelle Guyon, and Roman Garnett (Eds.). 4107--4115. https://proceedings.neurips.cc/paper/2016/hash/ d8330f857a17c53d217014ee776bfd50-Abstract.html

Digital Library

Google Scholar

[9]

Intel. 2018. Neural Compute Stick 2. https://software.intel.com/content/www/ us/en/develop/hardware/neural-compute-stick.html.

Google Scholar

[10]

Paul C. Kocher, Joshua Jaffe, and Benjamin Jun. 1999. Differential Power Analysis. In Advances in Cryptology - CRYPTO '99, 19th Annual International Cryptology Conference, Santa Barbara, California, USA, August 15-19, 1999, Proceedings (Lecture Notes in Computer Science, Vol. 1666), Michael J. Wiener (Ed.). Springer, 388--397. https://doi.org/10.1007/3-540-48405-1_25

Digital Library

Google Scholar

[11]

Lingxiao Wei, Bo Luo, Yu Li, Yannan Liu, and Qiang Xu. 2018. I Know What You See: Power Side-Channel Attack on Convolutional Neural Network Accelerators. In Proceedings of the 34th Annual Computer Security Applications Conference, ACSAC 2018, San Juan, PR, USA, December 03-07, 2018. ACM, 393--406. https: //doi.org/10.1145/3274694.3274696

Digital Library

Google Scholar

[12]

Yoo-Seung Won, Soham Chatterjee, Dirmanto Jap, Shivam Bhasin, and Arindam Basu. 2021. Time to Leak: Cross-Device Timing Attack On Edge Deep Learning Accelerator. In International Conference on Electronics, Information, and Communication, ICEIC 2021, Jeju, South Korea, January 31 - February 3, 2021. IEEE, 1--4. https://doi.org/10.1109/ICEIC51217.2021.9369754

Crossref

Google Scholar

[13]

Ville Yli-Mäyry, Akira Ito, Naofumi Homma, Shivam Bhasin, and Dirmanto Jap. 2021. Extraction of Binarized Neural Network Architecture and Secret Parameters Using Side-Channel Information. In 2021 IEEE International Symposium on Circuits and Systems (ISCAS). IEEE, 1--5.

Google Scholar

Cited By

View all

Yu QLi JShen J(2023)ID-Based Ring Signature against Continual Side Channel AttackSymmetry10.3390/sym1501017915:1(179)Online publication date: 7-Jan-2023
https://doi.org/10.3390/sym15010179
Nešković AMulhem STreff ABuchty REisenbarth TBerekovic M(2023)SystemC Model of Power Side-Channel Attacks Against AI Accelerators: Superstition or not?2023 IEEE/ACM International Conference on Computer Aided Design (ICCAD)10.1109/ICCAD57390.2023.10323687(1-8)Online publication date: 28-Oct-2023
https://doi.org/10.1109/ICCAD57390.2023.10323687
Gao YMa HYan MHe JZhao YJin Y(2023)NNLeak: An AI-Oriented DNN Model Extraction Attack through Multi-Stage Side Channel Analysis2023 Asian Hardware Oriented Security and Trust Symposium (AsianHOST)10.1109/AsianHOST59942.2023.10409396(1-6)Online publication date: 13-Dec-2023
https://doi.org/10.1109/AsianHOST59942.2023.10409396
Show More Cited By

Index Terms

WaC: First Results on Practical Side-Channel Attacks on Commercial Machine Learning Accelerator
1. Security and privacy
  1. Security in hardware
    1. Embedded systems security
    2. Hardware attacks and countermeasures
      1. Side-channel analysis and countermeasures

Recommendations

Informer: Protecting Intel SGX from Cross-Core Side Channel Threats
Information and Communications Security
Abstract
As one of the major threats facing Intel SGX, side-channel attacks have been widely researched and disclosed as actual vulnerabilities in recent years, which can severely harm the integrity and confidentiality of programs protected by SGX. Most ...
Security beyond cybersecurity: side-channel attacks against non-cyber systems and their countermeasures
Abstract
Side-channels are unintended pathways within target systems that leak internal information, exploitable via side-channel attack techniques that extract the target information, compromising the system’s security and privacy. Side-channel attacks ...
E-SGX: Effective Cache Side-Channel Protection for Intel SGX on Untrusted OS
Information Security and Cryptology
Abstract
Cache side-channels are among the major weaknesses of Intel SGX. We mitigate this weakness with E-SGX, an effective defensive approach against all known access-driven/trace-driven cache side-channel attacks from privileged code. The core idea of E-...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

ASHES '21: Proceedings of the 5th Workshop on Attacks and Solutions in Hardware Security

November 2021

123 pages

ISBN:9781450386623

DOI:10.1145/3474376

General Chairs:
Chip Hong Chang
NTU Singapore
,
Ulrich Rührmair
LMU Munich and University of Connecticut
,
Program Chairs:
Stefan Katzenbeisser
University of Passau
,
Debdeep Mukhopadhyay
IIT Kharagpur

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 15 November 2021

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Short-paper

Conference

CCS '21

Sponsor:

SIGSAC

CCS '21: 2021 ACM SIGSAC Conference on Computer and Communications Security

November 19, 2021

Virtual Event, Republic of Korea

Acceptance Rates

Overall Acceptance Rate 6 of 20 submissions, 30%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

6
Total Citations
View Citations
267
Total Downloads

Downloads (Last 12 months)27
Downloads (Last 6 weeks)1

Reflects downloads up to 19 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Yu QLi JShen J(2023)ID-Based Ring Signature against Continual Side Channel AttackSymmetry10.3390/sym1501017915:1(179)Online publication date: 7-Jan-2023
https://doi.org/10.3390/sym15010179
Nešković AMulhem STreff ABuchty REisenbarth TBerekovic M(2023)SystemC Model of Power Side-Channel Attacks Against AI Accelerators: Superstition or not?2023 IEEE/ACM International Conference on Computer Aided Design (ICCAD)10.1109/ICCAD57390.2023.10323687(1-8)Online publication date: 28-Oct-2023
https://doi.org/10.1109/ICCAD57390.2023.10323687
Gao YMa HYan MHe JZhao YJin Y(2023)NNLeak: An AI-Oriented DNN Model Extraction Attack through Multi-Stage Side Channel Analysis2023 Asian Hardware Oriented Security and Trust Symposium (AsianHOST)10.1109/AsianHOST59942.2023.10409396(1-6)Online publication date: 13-Dec-2023
https://doi.org/10.1109/AsianHOST59942.2023.10409396
Yu QLi JJi S(2022)Anonymous Identity Based Broadcast Encryption against Continual Side Channel Attacks in the State Partition ModelApplied Sciences10.3390/app1218939512:18(9395)Online publication date: 19-Sep-2022
https://doi.org/10.3390/app12189395
Bhasin SJap DPicek S(2022)On (in)Security of Edge-based Machine Learning Against Electromagnetic Side-channels2022 IEEE International Symposium on Electromagnetic Compatibility & Signal/Power Integrity (EMCSI)10.1109/EMCSI39492.2022.9889639(262-267)Online publication date: 1-Aug-2022
https://doi.org/10.1109/EMCSI39492.2022.9889639
Dubey AKarabulut EAwad AAysu A(2022)High-Fidelity Model Extraction Attacks via Remote Power Monitors2022 IEEE 4th International Conference on Artificial Intelligence Circuits and Systems (AICAS)10.1109/AICAS54282.2022.9869973(328-331)Online publication date: 13-Jun-2022
https://doi.org/10.1109/AICAS54282.2022.9869973

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Informer: Protecting Intel SGX from Cross-Core Side Channel Threats

Security beyond cybersecurity: side-channel attacks against non-cyber systems and their countermeasures

E-SGX: Effective Cache Side-Channel Protection for Intel SGX on Untrusted OS