Physical Side-Channel Attacks on Embedded Neural Networks: A Survey

TL;DR

This survey reviews physical side-channel attacks on embedded neural networks, highlighting vulnerabilities in IoT devices and FPGAs, and discusses current mitigation techniques and future research directions.

Contribution

It provides the first comprehensive taxonomy and classification of physical SCA attacks targeting embedded DNN implementations on micro-controllers and FPGAs.

Findings

SCA can recover neural network architectures and parameters.

Embedded DNNs are vulnerable to timing, electromagnetic, and power analysis attacks.

Mitigation techniques are discussed and future research directions are identified.

Abstract

During the last decade, Deep Neural Networks (DNN) have progressively been integrated on all types of platforms, from data centers to embedded systems including low-power processors and, recently, FPGAs. Neural Networks (NN) are expected to become ubiquitous in IoT systems by transforming all sorts of real-world applications, including applications in the safety-critical and security-sensitive domains. However, the underlying hardware security vulnerabilities of embedded NN implementations remain unaddressed. In particular, embedded DNN implementations are vulnerable to Side-Channel Analysis (SCA) attacks, which are especially important in the IoT and edge computing contexts where an attacker can usually gain physical access to the targeted device. A research field has therefore emerged and is rapidly growing in terms of the use of SCA including timing, electromagnetic attacks and power attacks to target NN embedded implementations. Since 2018, research papers have shown that SCA enables an attacker to recover inference models architectures and parameters, to expose industrial IP and endangers data confidentiality and privacy. Without a complete review of this emerging field in the literature so far, this paper surveys state-of-the-art physical SCA attacks relative to the implementation of embedded DNNs on micro-controllers and FPGAs in order to provide a thorough analysis on the current landscape. It provides a taxonomy and a detailed classification of current attacks. It first discusses mitigation techniques and then provides insights for future research leads.