Security Evaluation of AI-Based Hardware Accelerator Units

Thanks to the advance of emerging technologies, it is now possible to deploy machine-learning and other AI-based applications directly to hardware-software devices, by using edge computing frameworks. In particular, these devices are able to perform very fast neural network inferences with limited costs, allowing latency and energy reduction as well as a better privacy in comparison to cloud-based architectures [1]. For example, Google's Edge TPU Coral Dev Board [2] is capable of achieving 4 TOPS using only 0.5 watts per TOPs. Their programmability is also made easier and accessible to everyone through well-adopted frameworks e.g TensorFlow lite.

Considering a deployment of these devices for many applications at the edge, including smart cities, quality control in manufacturing, automotive, agriculture or healthcare, they could be the target of malicious attacks [3], compromising either a single device or the full system.

In this thesis, we will investigate a new attack model for Deep-neural network hardware accelerator. More particularly, we explore the communication interfaces of the core to develop new attacks in order to modify the model’s output without damaging the device or being detected. By this way, we hope to be able to modify the computational model by poisoning data, stealing models or metaparameters, and then study the robustness of the model and countermeasures.

In particular, PCIe is one of the current technologies for interfacing Google's Edge TPU and it was already demonstrated that this communication interface could be attacked [4,5]. However, from the best of our knowledge, there is no similar work targeting the communication interface of such devices.

[1] K. Guo, W. Li, K. Zhong, Z. Zhu, S. Zeng, S. Han, Y. Xie, P. Debacker, M. Verhelst, Y. Wang. "Neural Network Accelerator Comparison" [Online]. Available: https://nicsefc.ee.tsinghua.edu.cn/project.html
[2]Coral AI, https://coral.ai/products/#production-products
[3]M. Isakov, V. Gadepally, K. M. Gettings and M. A. Kinsy, "Survey of Attacks and Defenses on Edge-Deployed Neural Networks," 2019 IEEE High Performance Extreme Computing Conference (HPEC), Waltham, MA, USA, 2019, pp. 1-8, doi: 10.1109/HPEC.2019.8916519.

[4]M. A. Khelif, J. Lorandel, O. Romain, M. Regnery, D. Baheux, Guillaume Barbu, Toward a hardware man-in-the-middle attack on PCIe bus, Microprocessors and Microsystems, Volume 77, 2020, 103198, ISSN 0141-9331, https://doi.org/10.1016/j.micpro.2020.103198.
[5]M. A. Khelif, J. Lorandel, O. Romain, M. Regnery, and D. Baheux. 2019. A Versatile Emulator of MitM for the identification of vulnerabilities of IoT devices, a case of study: smartphones. In Proceedings of the 3rd International Conference on Future Networks and Distributed Systems (ICFNDS '19). Association for Computing Machinery, New York, NY, USA, Article 28, 1–6. https://doi.org/10.1145/3341325.3342019

Supervisors:
Pr. Christophe MOY, Director, Université de Rennes - IETR 
Dr. Jordane LORANDEL, Supervisor, Université de Rennes - IETR 
Pr. Olivier ROMAIN, Co-director, ETIS-CY Cergy Paris Université 

Laboratory and location: IETR - Institut d’Electronique et des Technologies du numéRiques (IETR) – batiment 11C/D, Campus de Beaulieu, Rennes -
The Phd will be supervised by researchers from Rennes (IETR) and Cergy-Pontoise (ETIS), benefiting from both expertises acquired during previous studies on related subjects as well as PCIe MITM demonstrator. The PhD Student will be a member of the ASIC team at IETR.

Funding category: Sans financement dédié
Financement
PHD Country: France