Remote Power Side-Channel Attacks on BNN Accelerators in FPGAs

To lower cost and increase the utilization of Cloud FPGAs, researchers have recently been exploring the concept of multi-tenant FPGAs, where multiple independent users simultaneously share the same FPGA. Despite its benefits, multi-tenancy opens up the possibility of malicious users co-locating on the same FPGA as a victim user and extracting sensitive information. This issue becomes especially serious when the user is running a machine learning algorithm that is processing sensitive or private information. To demonstrate the dangers, this paper presents the first remote, power-based side-channel attack on a deep neural network accelerator running in a variety of Xilinx FPGAs and also on Cloud FPGAs using Amazon Web Services (AWS) F1 instances. In particular, this work shows how to remotely obtain voltage estimates as a deep neural network inference circuit executes, and how the information can be used to recover the inputs to the neural network. The attack is demonstrated with a binarized convolutional neural network used to recognize handwriting images from the MNIST handwritten digit database. With the use of precise time-to-digital converters for remote voltage estimation, the MNIST inputs can be successfully recovered with a maximum normalized cross-correlation of 84% between the input image and the recovered image on local FPGA boards and 77% on AWS F1 instances. The attack requires neither physical access to nor modifications of the FPGA hardware.
