Neighbors From Hell: Voltage Attacks Against Deep Learning Accelerators on Multi-Tenant FPGAs
Andrew Boutros, Mathew Hall, Nicolas Papernot, Vaughn Betz

TL;DR
This paper investigates voltage-based security attacks on multi-tenant FPGA-based deep learning accelerators, demonstrating attack feasibility, resilience of models, and potential performance gains through over-clocking.
Contribution
This paper is the first to evaluate voltage attacks on multi-tenant FPGA DL accelerators, revealing security vulnerabilities and showing that over-clocking can improve performance without accuracy loss.
Findings
Voltage attacks are feasible on multi-tenant FPGAs.
DL models show resilience against timing faults induced by voltage attacks.
Over-clocking can enhance inference performance by 1.18-1.31x without accuracy loss.
Abstract
Field-programmable gate arrays (FPGAs) are becoming widely used accelerators for a myriad of datacenter applications due to their flexibility and energy efficiency. Among these applications, FPGAs have shown promising results in accelerating low-latency real-time deep learning (DL) inference, which is becoming an indispensable component of many end-user applications. With the emerging research direction towards virtualized cloud FPGAs that can be shared by multiple users, the security aspect of FPGA-based DL accelerators requires careful consideration. In this work, we evaluate the security of DL accelerators against voltage-based integrity attacks in a multitenant FPGA scenario. We first demonstrate the feasibility of such attacks on a state-of-the-art Stratix 10 card using different attacker circuits that are logically and physically isolated in a separate attacker role, and cannot be…
