Collaborative Research: SaTC: CORE: Small: Understanding and Taming Deterministic Model Bit Flip attacks in Deep Neural Networks

协作研究：SaTC：核心：小型：理解和驯服深度神经网络中的确定性模型位翻转攻击

• 批准号: 2019536
• 负责人: Fan Yao
• 金额: $ 25万
• 依托单位: The University of Central Florida Board of Trustees
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2020
• 资助国家: 美国
• 起止时间: 2020-10-01 至 2024-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2019536&HistoricalAwards=false
• 关键词: Collaborative; Research; SaTC; CORE; Small

Deep neural network (DNN) is widely deployed for a variety of decision-making tasks such as access control, medical diagnostics, and autonomous driving. Compromise of DNN models can severely disrupt inference behavior, leading to catastrophic outcomes for security and safety-sensitive applications. While a tremendous amount of efforts have been made to secure DNNs against external adversaries (e.g., adversarial examples), internal adversaries that tamper DNN model integrity through exploiting hardware threats (i.e., fault injection attacks) can raise unprecedented concerns. This project aims to offer insights into DNN security issues due to hardware-based fault attacks, and explore ways to promote the robustness and security of future deep learning system against such internal adversaries. This project targets one critical research topic, namely securing deep learning systems against hardware-based model tampering. Recent advances in hardware fault attacks (e.g., rowhammer) can deterministically inject faults to DNN models, causing bit flips in key DNN parameters including model weights. Such threats can be extremely dangerous as they could potentially enable malicious manipulation of prediction outcomes in the inference stage by the adversary. The project seeks to systematically understand the practicality and severity of DNN model bit flip attacks in real systems and investigate software/architecture level protection techniques to secure DNNs against internal tampering. The study focuses on quantized DNNs which exhibit higher robustness against model tampering. This project will incorporate the following research efforts: (1) Investigate the vulnerability of quantized DNNs to deterministic bit flipping of model weights concerning various attack objectives; (2) Explore algorithmic approaches to enhance the intrinsic robustness of quantized DNN models; (3) Design effective and efficient system and architecture level defense mechanisms to comprehensively defeat DNN model bit flip attacks. This project will result in the dissemination of shared data, attack artifacts, algorithms and tools to the broader hardware security and AI security community.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

深度神经网络（DNN）广泛应用于访问控制、医疗诊断和自动驾驶等各种决策任务。 DNN 模型的妥协可能会严重扰乱推理行为，从而导致安全和安全敏感应用程序的灾难性后果。虽然为了保护 DNN 免受外部对手（例如对抗性示例）的攻击付出了巨大的努力，但通过利用硬件威胁（即故障注入攻击）来篡改 DNN 模型完整性的内部对手可能会引起前所未有的担忧。该项目旨在深入了解由于基于硬件的故障攻击而导致的 DNN 安全问题，并探索提高未来深度学习系统针对此类内部对手的鲁棒性和安全性的方法。 该项目针对一个关键研究主题，即保护深度学习系统免受基于硬件的模型篡改。硬件故障攻击（例如 rowhammer）的最新进展可以确定性地将故障注入 DNN 模型，导致包括模型权重在内的关键 DNN 参数发生位翻转。此类威胁可能极其危险，因为它们可能会导致对手在推理阶段恶意操纵预测结果。该项目旨在系统地了解实际系统中 DNN 模型位翻转攻击的实用性和严重性，并研究软件/架构级保护技术以确保 DNN 免受内部篡改。该研究重点关注量化 DNN，它对模型篡改表现出更高的鲁棒性。该项目将包括以下研究工作：（1）研究量化DNN对涉及各种攻击目标的模型权重的确定性位翻转的脆弱性； (2) 探索增强量化DNN模型内在鲁棒性的算法方法； （3）设计有效、高效的系统和架构级防御机制，全面抵御DNN模型比特翻转攻击。该项目将导致共享数据、攻击工件、算法和工具向更广泛的硬件安全和人工智能安全社区传播。该奖项反映了 NSF 的法定使命，并通过使用基金会的智力优势和更广泛的影响进行评估，被认为值得支持审查标准。

项目成果

LADDER: Architecting Content and Location-aware Writes for Crossbar Resistive Memories

LADDER：为 Crossbar 电阻式存储器设计内容和位置感知写入

• DOI: 10.1145/3466752.3480054
• 发表时间: 2021-10
• 期刊: MICRO '21: MICRO-54: 54th Annual IEEE/ACM International Symposium on Microarchitecture
• 作者: Chowdhuryy, Md Hafizul;Rashed, Muhammad Rashedul;Awad, Amro;Ewetz, Rickard;Yao, Fan
• 通讯作者: Yao, Fan

Clairvoyance: Exploiting Far-field EM Emanations of GPU to "See" Your DNN Models through Obstacles at a Distance

千里眼：利用 GPU 的远场电磁发射来透过远处的障碍物“看到”您的 DNN 模型

• DOI: 10.1109/spw54247.2022.9833894
• 发表时间: 2022-05-01
• 期刊: 2022 IEEE Security and Privacy Workshops (SPW)
• 作者: Sisheng Liang;Zihao Zhan;Fan Yao;Long Cheng;Zhenkai Zhang
• 通讯作者: Zhenkai Zhang

Seeds of SEED: NMT-Stroke: Diverting Neural Machine Translation through Hardware-based Faults

SEED 的种子：NMT-Stroke：通过基于硬件的故障转移神经机器翻译

• DOI: 10.1109/seed51797.2021.00019
• 发表时间: 2021-09-01
• 期刊: 2021 International Symposium on Secure and Private Execution Environment Design (SEED)
• 作者: Kunbei Cai;Md Hafizul Islam Chowdhuryy;Zhenkai Zhang;Fan Yao
• 通讯作者: Fan Yao

LockedDown: Exploiting Contention on Host-GPU PCIe Bus for Fun and Profit

LockedDown：利用主机 GPU PCIe 总线上的争用获取乐趣和利润

• DOI: 10.1109/eurosp53844.2022.00025
• 发表时间: 2022-06-01
• 期刊: 2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P)
• 作者: Mert Side;F. Yao;Zhenkai Zhang
• 通讯作者: Zhenkai Zhang

Graphics Peeping Unit: Exploiting EM Side-Channel Information of GPUs to Eavesdrop on Your Neighbors

图形偷窥单元：利用 GPU 的 EM 侧通道信息窃听邻居

• DOI: 10.1109/sp46214.2022.9833773
• 发表时间: 2022-05
• 期刊: IEEE Symposium on Security and Privacy (SP
• 作者: Zhan, Zihao;Zhang, Zhenkai;Liang, Sisheng;Yao, Fan;Koutsoukos, Xenofon
• 通讯作者: Koutsoukos, Xenofon