Hardware/Software Obfuscation against Timing Side-channel Attack on a GPU

Karimi, Elmira; Fei, Yunsi; Kaeli, David

doi:10.1109/host45689.2020.9300259

Cited by 11 publications

(8 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The researchers also proposed a defense approach that restricts the possible coalescing levels to conceal the deterministic behaviors of the memory coalescing [14]. Karimi et al proposed a hardware-based obfuscating mechanism that changes memory coalescing width and a software-based approach that permutes mapping table structures [40]. Lin et al presented a software-based modification that changes the compositions of T-tables make AES generates a fixed number of memory requests [41].…”

Section: B Defenses Against Gpu Security Attacksmentioning

confidence: 99%

GhostLeg: Selective Memory Coalescing for Secure GPU Architecture

et al. 2022

View full text Add to dashboard Cite

Architectural considerations for secure executions are getting more critical for GPU since popular security applications and libraries have been ported to a GPU domain to rely on GPU's massively parallel computations. Recent studies disclosed the security attack models that exploit GPU's architectural vulnerabilities to leak the secret keys of AES. The attack models exploit the high correlations between the execution time of a kernel and the number of memory requests generated from memory coalescing. Thus the prior architectural defenses provide secure executions by randomizing or restricting the memory coalescing from load warps. However, those defense approaches result in significant performance overhead since memory coalescing is an essential feature for improving the performance of GPU. In this paper, we propose GhostLeg, an efficient architectural defense approach against correlation-based GPU security attacks. GhostLeg selectively applies secure executions for load warps to minimize performance overhead induced by concealing memory coalescing behavior. Our analysis of AES reveals that only the load warps whose index addresses are influenced by secret keys are vulnerable to security attacks. In order to minimize the performance overhead by secure executions, GhostLeg pinpoints the load warps that require secure executions based on the class of a source register. The secure flag assigned to each register can be set by propagation from non-deterministic user data (GhostLeg-ND) or a specific directive marked by programmers (GhostLeg-Key). Our evaluation shows that GhostLeg guarantees secure executions against the correlation-based attacks and GhostLeg-ND exhibits 54.7% higher performance compared to the stateof-the-art GPU defense solution.INDEX TERMS GPU, secure architecture, security attack, memory coalescing.

show abstract

Section: B Defenses Against Gpu Security Attacksmentioning

confidence: 99%

GhostLeg: Selective Memory Coalescing for Secure GPU Architecture

et al. 2022

View full text Add to dashboard Cite

show abstract

“…Resilience to NeuroUnlock Attack Hardware-based Solutions [6]- [8] Memory Traffic Noise [5] NeurObfuscator [9] Proposed ReDLock characteristics of a DNN model include (i) the architecture (i.e., the number, type, dimension, and connection topology of the layers), (ii) the parameters (i.e., the weights, biases, etc. ), and (iii) the hyper-parameters used during training.…”

Section: Low Performance Overheadmentioning

confidence: 99%

“…This work demonstrated that incorporating the architecture information almost triples the success rate of an adversarial attack. 3 To thwart SCAS attacks that exploit memory access information, prior works have proposed different methodologies, such as (i) preventing memory access leakage via hardware-based modifications [6]- [8], (ii) introducing noise via fake memory traffic [5], and (iii) hiding the DNN 2 Adversarial attacks manipulate input samples to force the DNN to perform poorly on well-recognized outputs [4]. 3 SCAS attacks require physical and system privilege access to the victim's hardware platform.…”

Section: Low Performance Overheadmentioning

confidence: 99%

See 1 more Smart Citation

NeuroUnlock: Unlocking the Architecture of Obfuscated Deep Neural Networks

Morid¹,

Alrahis²,

Colucci³

et al. 2022

Preprint

View full text Add to dashboard Cite

The advancements of deep neural networks (DNNs) have led to their deployment in diverse settings, including safety and security-critical applications. As a result, the characteristics of these models (e.g., the architecture of layers and weight values/distributions) have become sensitive intellectual properties that require protection from malicious users. Extracting the architecture of a DNN through leaky side-channels (e.g., memory access) allows adversaries to (i) clone the model (i.e., build proxy models with similar accuracy profiles), and (ii) craft adversarial attacks. DNN obfuscation thwarts side-channel-based architecture stealing (SCAS) attacks by altering the run-time traces of a given DNN while preserving its functionality.In this work, we expose the vulnerability of state-of-the-art DNN obfuscation methods (based on predictable and reversible modifications employed in a given DNN architecture) to these attacks. We present NeuroUnlock, a novel SCAS attack against obfuscated DNNs. Our NeuroUnlock employs a sequence-tosequence model that learns the obfuscation procedure and automatically reverts it, thereby recovering the original DNN architecture. We demonstrate the effectiveness of NeuroUnlock by recovering the architecture of 200 randomly generated and obfuscated DNNs running on the Nvidia RTX 2080 TI graphics processing unit (GPU). Moreover, NeuroUnlock recovers the architecture of various other obfuscated (and publicly available) DNNs, such as the VGG-11, VGG-13, ResNet-20, and ResNet-32 networks. After recovering the architecture, NeuroUnlock automatically builds a near-equivalent DNN with only a 1.4% drop in the testing accuracy. We further show that launching a subsequent adversarial attack on the recovered DNNs boosts the success rate of the adversarial attack by 51.7% in average compared to launching it on the obfuscated versions. Additionally, we propose a novel methodology for DNN obfuscation, ReDLock, which eradicates the deterministic nature of the obfuscation and achieves 2.16× more resilience to the NeuroUnlock attack. We release the NeuroUnlock and the ReDLock as open-source frameworks 1 .

show abstract

“…Fake memory accesses can also be created in the TIE for obfuscating the real footprints [202]. Memory timing side-channel attack on GPU can be mitigated by randomizing the width of the coalescing unit and merging transactions across different warps [211]. Besides, GPUGuard [212] prevents side-channel leakage on GPU platform by detecting the spy programs with a decision tree method.…”

Section: Defenses and Countermeasuresmentioning

confidence: 99%

Two Sides of the Same Coin: Boons and Banes of Machine Learning in Hardware Security

Liu

Chang

Wang

et al. 2021

IEEE J. Emerg. Sel. Topics Circuits Syst.

View full text Add to dashboard Cite

The last decade has witnessed remarkable research advances at the intersection of machine learning (ML) and hardware security. The confluence of the two technologies has created many interesting and unique opportunities, but also left some issues in their wake. ML schemes have been extensively used to enhance the security and trust of embedded systems like hardware Trojans and malware detection. On the other hand, ML-based approaches have also been adopted by adversaries to assist side-channel attacks, reverse engineer integrated circuits and break hardware security primitives like Physically Unclonable Functions (PUFs). Deep learning is a subfield of ML. It can continuously learn from a large amount of labeled data with a layered structure. Despite the impressive outcomes demonstrated by deep learning in many application scenarios, the dark side of it has not been fully exposed yet. The inability to fully understand and explain what has been done within the super-intelligence can turn an inherently benevolent system into malevolent. Recent research has revealed that the outputs of Deep Neural Networks (DNNs) can be easily corrupted by imperceptibly small input perturbations. As computations are brought nearer to the source of data creation, the attack surface of DNN has also been extended from the input data to the edge devices. Accordingly, due to the opportunities of MLassisted security and the vulnerabilities of ML implementation, in this paper, we will survey the applications, vulnerabilities and fortification of ML from the perspective of hardware security. We will discuss the possible future research directions, and thereby, sharing a roadmap for the hardware security community in general.

show abstract

Hardware/Software Obfuscation against Timing Side-channel Attack on a GPU

Cited by 11 publications

References 20 publications

GhostLeg: Selective Memory Coalescing for Secure GPU Architecture

GhostLeg: Selective Memory Coalescing for Secure GPU Architecture

NeuroUnlock: Unlocking the Architecture of Obfuscated Deep Neural Networks

Two Sides of the Same Coin: Boons and Banes of Machine Learning in Hardware Security

Contact Info

Product

Resources

About