BarraCUDA: Edge GPUs do Leak DNN Weights (2312.07783v3)

Published 12 Dec 2023 in cs.CR

Abstract: Over the last decade, applications of neural networks (NNs) have spread to various aspects of our lives. A large number of companies base their businesses on building products that use neural networks for tasks such as face recognition, machine translation, and self-driving cars. Much of the intellectual property underpinning these products is encoded in the exact parameters of the neural networks. Consequently, protecting these is of utmost priority to businesses. At the same time, many of these products need to operate under a strong threat model, in which the adversary has unfettered physical control of the product. In this work, we present BarraCUDA, a novel attack on general purpose Graphic Processing Units (GPUs) that can extract parameters of neural networks running on the popular Nvidia Jetson Nano device. BarraCUDA uses correlation electromagnetic analysis to recover parameters of real-world convolutional neural networks.

