Side-Channel-Assisted Reverse-Engineering of Encrypted DNN Hardware Accelerator IP and Attack Surface Exploration
Cheng Gongye, Yukui Luo, Xiaolin Xu, Yunsi Fei
IEEE Symposium on Security and Privacy 2024 · Day 3 · Continental Ballroom 5
This talk, presented by Cheng Gongye, addresses a critical and often overlooked area of hardware security: **physical side-channel attacks** against **Deep Neural Network (DNN) hardware accelerators**. The research challenges the prevailing assumption that modern, high-performance accelerators are impervious to such attacks because of their inherent complexity and low signal-to-noise ratio (SNR). The core objective was to determine whether state-of-the-art commercial DNN accelerators could be compromised to reveal their sensitive intellectual property (IP), such as model parameters (weights and biases), despite sophisticated encryption and black-box designs.
AI review
This research shatters the myth that advanced DNN accelerators are too complex for side-channel attacks. By meticulously reverse-engineering the AMD-Xilinx DPU, the team demonstrated full model parameter recovery, proving that physical IP protection demands a complete re-evaluation. This is critical work for anyone building or deploying AI hardware.