Bits to BNNs: Reconstructing FPGA ML-IP with Joint Bitstream and Side-Channel Analysis
Authors: Brooks Olney, Robert Karam
Published in: 2023 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)
Publication date: 2023-05-01
DOI: 10.1109/HOST55118.2023.10133375 (https://doi.org/10.1109/HOST55118.2023.10133375)
Citation count: 0
Abstract
Energy-efficient hardware acceleration platforms for edge deployment of artificial intelligence (AI) and machine learning (ML) applications have been an ongoing research endeavor. Many efforts have focused on optimizing the algorithms and compute structures for use in resource-constrained hardware such as field-programmable gate arrays (FPGAs). Indeed, the difficult nature of crafting the best model makes the ML model itself a valuable intellectual property (IP) asset. This can be problematic, as the IP can now be exposed to an attacker through physical interfaces, enabling threats from side-channel analysis (SCA) attacks. One of the more devastating attacks is the model extraction attack, which threatens piracy and cloning of the valuable IP. While the problem of SCA-based model extraction on FPGA-deployed neural networks has been well-studied, it does not capture the full picture of what vulnerabilities may be present in those platforms. In this paper, we demonstrate how bitstream analysis can be used to obtain neural network parameters and connectivity information from block RAMs (BRAMs). We leverage the knowledge gleaned from the bitstream to mount a power SCA attack to further refine the network reconstruction effort. This is the first method that has approached the problem of ML-IP theft from the angle of FPGA bitstream analysis and suggests that further work is needed to improve security assurance for edge intelligence.