A Sound Mind in a Vulnerable Body: Practical Hardware Attacks on Deep Learning

The widespread adoption of machine learning (ML) incentivizes potential adversaries who wish to manipulate systems that include ML components. In consequence, research in the field of adversarial machine learning studies attack surfaces such as training data with bad samples (data poisoning) and predictions manipulated by imperceptible perturbations (adversarial examples). However, most of the prior work focuses on the "soundness of mind" by looking at ML as a mathematical concept, and it overlooks the security threats caused by practical hardware attacks such as fault injection or side-channel attacks.

In this talk, we will propose a new perspective: we view ML as a computational tool running on hardware, a potentially "vulnerable body". We will introduce the emerging research on the vulnerabilities of ML models to practical hardware attacks. These attacks can cause unexpected damage, and ultimately, they shed new light on the dangers of hardware-based attack vectors.

First, we review the impact of fault-injection attacks. We show that, by flipping a single bit in the memory representation of a deep neural network (DNN), we can degrade the prediction accuracy by 90% or more. Contrary to the conventional wisdom in the ML community---that DNNs are resilient to parameter perturbations---we find that this vulnerability is widespread in modern DNNs. An adversary can exploit the vulnerability in practice with a software-induced fault attack, Rowhammer; we demonstrate that, even if the attacker randomly flips bits in memory, the attacker inflicted the accuracy drop more than 10% within a minute.

Second, we review the impact of side-channel attacks. We show that a typical cache side-channel attacker can reverse-engineer the architecture details of a DNN model. To this end, the attacker exploits the computational regularities in ML frameworks: DNN layers are processed sequentially, and the time it takes to process them depends on the architecture configurations. In practice, our attacker was able to steal two essential components of deep learning systems: a data preprocessing pipeline and a custom DNN architecture. They are potentially proprietary, as their development requires substantial resources. Nevertheless, the leakage from a cache side-channel, while the victim processes a single input, is sufficient for reconstructing them with 0% error.

Finally, we conclude by emphasizing the vulnerability of ML to hardware attacks is as yet an under-studied topic; thus, we encourage the community to re-examine security properties guaranteed by previous works with a new angle. Separately, some properties of ML particularly make the exploitation of hardware attacks easy; therefore, we need to consider additional ML-level defenses that account for robust properties. We believe this is the best moment to pursue the ancient wisdom: "a sound mind in a sound body"

Note: we have our website that outlines our research: http://hardwarefail.ml