FeSHI: Feature Map Based Stealthy Hardware Intrinsic Attack

TL;DR

This paper introduces FeSHI, a stealthy hardware Trojan attack exploiting CNN feature map distributions in AIoT systems, highlighting new vulnerabilities in outsourced CNN hardware accelerators.

Contribution

It presents a novel HT attack leveraging CNN feature map statistics and proposes three stealthy trigger designs for secure hardware testing.

Findings

FeSHI can effectively trigger HTs with low probability

The attack exploits Gaussian distribution of CNN feature maps

Three novel trigger designs enhance stealthiness

Abstract

To reduce the time-to-market and access to state-of-the-art techniques, CNN hardware mapping and deployment on embedded accelerators are often outsourced to untrusted third parties, which is going to be more prevalent in futuristic artificial intelligence of things (AIoT) systems. These AIoT systems anticipate horizontal collaboration among different resource-constrained AIoT node devices, where CNN layers are partitioned and these devices collaboratively compute complex CNN tasks. This horizontal collaboration opens another attack surface to the CNN-based application, like inserting the hardware Trojans (HT) into the embedded accelerators designed for the CNN. Therefore, there is a dire need to explore this attack surface for designing secure embedded hardware accelerators for CNNs. Towards this goal, in this paper, we exploited this attack surface to propose an HT-based attack called FeSHI. Since in horizontal collaboration of RC AIoT devices different sections of CNN architectures are outsourced to different untrusted third parties, the attacker may not know the input image, but it has access to the layer-by-layer output feature maps information for the assigned sections of the CNN architecture. This attack exploits the statistical distribution, i.e., Gaussian distribution, of the layer-by-layer feature maps of the CNN to design two triggers for stealthy HT with a very low probability of triggering. Also, three different novel, stealthy and effective trigger designs are proposed.