Remote Power Side-Channel Attacks on CNN Accelerators in FPGAs

by   Shayan Moini, et al.

To lower cost and increase the utilization of Cloud FPGAs, researchers have recently been exploring the concept of multi-tenant FPGAs, where multiple independent users simultaneously share the same FPGA. Despite its benefits, multitenancy opens up the possibility of malicious users co-locating on the same FPGA as a victim user, and extracting sensitive information. This issue becomes especially serious when the user is running a machine learning algorithm that is processing sensitive or private information. To demonstrate the dangers, this paper presents the first remote, power-based side-channel attack on a deep neural network accelerator running in a variety of Xilinx FPGAs and also on Cloud FPGAs using Amazon Web Services (AWS) F1 instances. This work in particular shows how to remotely obtain voltage estimates as a deep neural network inference circuit executes, and how the information can be used to recover the inputs to the neural network. The attack is demonstrated with a binarized convolutional neural network used to recognize handwriting images from the MNIST handwritten digit database. With the use of precise time-to-digital converters for remote voltage estimation, the MNIST inputs can be successfully recovered with a maximum normalized cross-correlation of 84 between the input image and the recovered image on local FPGA boards and 77 AWS F1 instances. The attack requires no physical access nor modifications to the FPGA hardware.


page 1

page 2

page 3

page 4

page 5

page 6

page 7

page 11


I Know What You See: Power Side-Channel Attack on Convolutional Neural Network Accelerators

Deep learning has become the de-facto computational paradigm for various...

ShEF: Shielded Enclaves for Cloud FPGAs

FPGAs are now used in public clouds to accelerate a wide range of applic...

Gotcha! I Know What You are Doing on the FPGA Cloud: Fingerprinting Co-Located Cloud FPGA Accelerators via Measuring Communication Links

In recent decades, due to the emerging requirements of computation accel...

Security Evaluation of Thermal Covert-channels on SmartSSDs

Continued expansion of cloud computing offerings now includes SmartSSDs....

Deep-Dup: An Adversarial Weight Duplication Attack Framework to Crush Deep Neural Network in Multi-Tenant FPGA

The wide deployment of Deep Neural Networks (DNN) in high-performance cl...

Pentimento: Data Remanence in Cloud FPGAs

Cloud FPGAs strike an alluring balance between computational efficiency,...

FPGA-Patch: Mitigating Remote Side-Channel Attacks on FPGAs using Dynamic Patch Generation

We propose FPGA-Patch, the first-of-its-kind defense that leverages auto...

Please sign up or login with your details

Forgot password? Click here to reset