

Search for: All records

Creators/Authors contains: "Emer, Joel S"


  1. Free, publicly-accessible full text available August 6, 2026
  2. With the rising adoption of deep neural networks (DNNs) for commercial and high-stakes applications that process sensitive user data and make critical decisions, security concerns are paramount. An adversary can undermine the confidentiality of user input or a DNN model, mislead a DNN to make wrong predictions, or even render a machine learning application unavailable to valid requests. While security vulnerabilities that enable such exploits can exist across multiple levels of the technology stack that supports machine learning applications, the hardware-level vulnerabilities can be particularly problematic. In this article, we provide a comprehensive review of the hardware-level vulnerabilities affecting domain-specific DNN inference accelerators and recent progress in secure hardware design to address these. As domain-specific DNN accelerators have a number of differences compared to general-purpose processors and cryptographic accelerators where the hardware-level vulnerabilities have been thoroughly investigated, there are unique challenges and opportunities for secure machine learning hardware. We first categorize the hardware-level vulnerabilities into three scenarios based on an adversary’s capability: 1) an adversary can only attack the off-chip components, such as the off-chip DRAM and the data bus; 2) an adversary can directly attack the on-chip structures in a DNN accelerator; and 3) an adversary can insert hardware trojans during the manufacturing and design process. For each category, we survey recent studies on attacks that pose practical security challenges to DNN accelerators. Then, we present recent advances in the defense solutions for DNN accelerators, addressing those security challenges with circuit-, architecture-, and algorithm-level techniques. 
    Free, publicly-accessible full text available February 6, 2026
  3. Free, publicly-accessible full text available February 6, 2026
  4. Free, publicly-accessible full text available November 2, 2025
  5. Free, publicly-accessible full text available November 2, 2025
  6. Free, publicly-accessible full text available July 1, 2026
  7. Free, publicly-accessible full text available November 2, 2025
  8. Microarchitectural side-channels enable an attacker to exfiltrate information via the observable side-effects of a victim’s execution. Obfuscating mitigation schemes have recently gained in popularity for their appealing performance characteristics. These schemes, including randomized caches and DRAM traffic shapers, limit, but do not completely eliminate, side-channel leakage. An important (yet under-explored) research challenge is the quantitative study of the security effectiveness of these schemes, identifying whether these obfuscating schemes help increase the security level of a system, and if so, by how much. In this paper, we address this research challenge by presenting Metior, a comprehensive model to quantitatively evaluate the effectiveness of obfuscating side-channel mitigations. Metior offers a way to reason about the flow of information through obfuscating schemes. Metior builds upon existing information theoretic approaches, allowing for the comprehensive side-channel leakage evaluation of active attackers, real victim applications, and state-of-the-art microarchitectural obfuscation schemes. We demonstrate the use of Metior in the concrete leakage evaluation of three microarchitectural obfuscation schemes (fully-associative random replacement caches, CEASER-S, and Camouflage), identifying unintuitive leakage behaviours across all three schemes.