Power Side-Channel Attacks on BNN Accelerators in Remote FPGAs

Shayan Moini; Shanquan Tian; Daniel Holcomb; Jakub Szefer; Russell Tessier

doi:10.1109/JETCAS.2021.3074608

Power Side-Channel Attacks on BNN Accelerators in Remote FPGAs

Shayan Moini, Shanquan Tian, Daniel Holcomb, Jakub Szefer, Russell Tessier

Electrical and Computer Engineering

Research output: Contribution to journal › Article › peer-review

34 Scopus citations

Abstract

To lower cost and increase the utilization of Cloud Field-Programmable Gate Arrays (FPGAs), researchers have recently been exploring the concept of multi-tenant FPGAs, where multiple independent users simultaneously share the same remote FPGA. Despite its benefits, multi-tenancy opens up the possibility of malicious users co-locating on the same FPGA as a victim user, and extracting sensitive information. This issue becomes especially serious when the user is running a machine learning algorithm that is processing sensitive or private information. To demonstrate the dangers, this paper presents a remote, power-based side-channel attack on a deep neural network accelerator running in a variety of Xilinx FPGAs and also on Cloud FPGAs using Amazon Web Services (AWS) F1 instances. This work in particular shows how to remotely obtain voltage estimates as a deep neural network inference circuit executes, and how the information can be used to recover the inputs to the neural network. The attack is demonstrated with a binarized convolutional neural network used to recognize handwriting images from the MNIST handwritten digit database. With the use of precise time-to-digital converters for remote voltage estimation, the MNIST inputs can be successfully recovered with a maximum normalized cross-correlation of 79% between the input image and the recovered image on local FPGA boards and 72% on AWS F1 instances. The attack requires no physical access nor modifications to the FPGA hardware.

Original language	English (US)
Article number	9409116
Pages (from-to)	357-370
Number of pages	14
Journal	IEEE Journal on Emerging and Selected Topics in Circuits and Systems
Volume	11
Issue number	2
DOIs	https://doi.org/10.1109/JETCAS.2021.3074608
State	Published - Jun 2021

Funding

Manuscript received December 10, 2020; revised February 18, 2021; accepted April 16, 2021. Date of publication April 20, 2021; date of current version June 14, 2021. This work was supported in part by NSF under Grant CNS-1901901 and Grant CNS-1902532. This article was recommended by Guest Editor K. Basu. (Corresponding author: Shayan Moini.) Shayan Moini, Daniel Holcomb, and Russell Tessier are with the Department of Electrical and Computer Engineering, University of Massachusetts at Amherst, Amherst, MA 01003 USA (e-mail: [email protected]; [email protected]; [email protected]).

Keywords

convolutional neural networks
deep neural networks
power attacks
Remote attacks
side-channel attacks
time-to-digital converters (TDCs)

ASJC Scopus subject areas

Electrical and Electronic Engineering

Access to Document

10.1109/JETCAS.2021.3074608

Cite this

@article{9dc665d2176a44939c722972460ebbe4,

title = "Power Side-Channel Attacks on BNN Accelerators in Remote FPGAs",

abstract = "To lower cost and increase the utilization of Cloud Field-Programmable Gate Arrays (FPGAs), researchers have recently been exploring the concept of multi-tenant FPGAs, where multiple independent users simultaneously share the same remote FPGA. Despite its benefits, multi-tenancy opens up the possibility of malicious users co-locating on the same FPGA as a victim user, and extracting sensitive information. This issue becomes especially serious when the user is running a machine learning algorithm that is processing sensitive or private information. To demonstrate the dangers, this paper presents a remote, power-based side-channel attack on a deep neural network accelerator running in a variety of Xilinx FPGAs and also on Cloud FPGAs using Amazon Web Services (AWS) F1 instances. This work in particular shows how to remotely obtain voltage estimates as a deep neural network inference circuit executes, and how the information can be used to recover the inputs to the neural network. The attack is demonstrated with a binarized convolutional neural network used to recognize handwriting images from the MNIST handwritten digit database. With the use of precise time-to-digital converters for remote voltage estimation, the MNIST inputs can be successfully recovered with a maximum normalized cross-correlation of 79% between the input image and the recovered image on local FPGA boards and 72% on AWS F1 instances. The attack requires no physical access nor modifications to the FPGA hardware.",

keywords = "convolutional neural networks, deep neural networks, power attacks, Remote attacks, side-channel attacks, time-to-digital converters (TDCs)",

author = "Shayan Moini and Shanquan Tian and Daniel Holcomb and Jakub Szefer and Russell Tessier",

note = "Publisher Copyright: {\textcopyright} 2011 IEEE.",

year = "2021",

month = jun,

doi = "10.1109/JETCAS.2021.3074608",

language = "English (US)",

volume = "11",

pages = "357--370",

journal = "IEEE Journal on Emerging and Selected Topics in Circuits and Systems",

issn = "2156-3357",

publisher = "IEEE Circuits and Systems Society",

number = "2",

}

TY - JOUR

T1 - Power Side-Channel Attacks on BNN Accelerators in Remote FPGAs

AU - Moini, Shayan

AU - Tian, Shanquan

AU - Holcomb, Daniel

AU - Szefer, Jakub

AU - Tessier, Russell

PY - 2021/6

Y1 - 2021/6

N2 - To lower cost and increase the utilization of Cloud Field-Programmable Gate Arrays (FPGAs), researchers have recently been exploring the concept of multi-tenant FPGAs, where multiple independent users simultaneously share the same remote FPGA. Despite its benefits, multi-tenancy opens up the possibility of malicious users co-locating on the same FPGA as a victim user, and extracting sensitive information. This issue becomes especially serious when the user is running a machine learning algorithm that is processing sensitive or private information. To demonstrate the dangers, this paper presents a remote, power-based side-channel attack on a deep neural network accelerator running in a variety of Xilinx FPGAs and also on Cloud FPGAs using Amazon Web Services (AWS) F1 instances. This work in particular shows how to remotely obtain voltage estimates as a deep neural network inference circuit executes, and how the information can be used to recover the inputs to the neural network. The attack is demonstrated with a binarized convolutional neural network used to recognize handwriting images from the MNIST handwritten digit database. With the use of precise time-to-digital converters for remote voltage estimation, the MNIST inputs can be successfully recovered with a maximum normalized cross-correlation of 79% between the input image and the recovered image on local FPGA boards and 72% on AWS F1 instances. The attack requires no physical access nor modifications to the FPGA hardware.

AB - To lower cost and increase the utilization of Cloud Field-Programmable Gate Arrays (FPGAs), researchers have recently been exploring the concept of multi-tenant FPGAs, where multiple independent users simultaneously share the same remote FPGA. Despite its benefits, multi-tenancy opens up the possibility of malicious users co-locating on the same FPGA as a victim user, and extracting sensitive information. This issue becomes especially serious when the user is running a machine learning algorithm that is processing sensitive or private information. To demonstrate the dangers, this paper presents a remote, power-based side-channel attack on a deep neural network accelerator running in a variety of Xilinx FPGAs and also on Cloud FPGAs using Amazon Web Services (AWS) F1 instances. This work in particular shows how to remotely obtain voltage estimates as a deep neural network inference circuit executes, and how the information can be used to recover the inputs to the neural network. The attack is demonstrated with a binarized convolutional neural network used to recognize handwriting images from the MNIST handwritten digit database. With the use of precise time-to-digital converters for remote voltage estimation, the MNIST inputs can be successfully recovered with a maximum normalized cross-correlation of 79% between the input image and the recovered image on local FPGA boards and 72% on AWS F1 instances. The attack requires no physical access nor modifications to the FPGA hardware.

KW - convolutional neural networks

KW - deep neural networks

KW - power attacks

KW - Remote attacks

KW - side-channel attacks

KW - time-to-digital converters (TDCs)

UR - http://www.scopus.com/inward/record.url?scp=85104673466&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85104673466&partnerID=8YFLogxK

U2 - 10.1109/JETCAS.2021.3074608

DO - 10.1109/JETCAS.2021.3074608

M3 - Article

AN - SCOPUS:85104673466

SN - 2156-3357

VL - 11

SP - 357

EP - 370

JO - IEEE Journal on Emerging and Selected Topics in Circuits and Systems

JF - IEEE Journal on Emerging and Selected Topics in Circuits and Systems

IS - 2

M1 - 9409116

ER -

Power Side-Channel Attacks on BNN Accelerators in Remote FPGAs

Abstract

Funding

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this