A Practical Introduction to Side-Channel Extraction of Deep Neural Network Parameters

TL;DR

This paper explores the extraction of deep neural network parameters via side-channel analysis on a high-end 32-bit microcontroller, proposing an iterative method for precise floating-point value recovery and discussing remaining challenges.

Contribution

It introduces the first side-channel extraction approach targeting a high-end 32-bit microcontroller and details an iterative process for floating-point parameter extraction.

Findings

Successful parameter extraction from simulated and real traces

Identification of challenges in extracting biases and other parameters

Demonstration of the method's effectiveness on Cortex-M7

Abstract

Model extraction is a major threat for embedded deep neural network models that leverages an extended attack surface. Indeed, by physically accessing a device, an adversary may exploit side-channel leakages to extract critical information of a model (i.e., its architecture or internal parameters). Different adversarial objectives are possible including a fidelity-based scenario where the architecture and parameters are precisely extracted (model cloning). We focus this work on software implementation of deep neural networks embedded in a high-end 32-bit microcontroller (Cortex-M7) and expose several challenges related to fidelity-based parameters extraction through side-channel analysis, from the basic multiplication operation to the feed-forward connection through the layers. To precisely extract the value of parameters represented in the single-precision floating point IEEE-754 standard, we propose an iterative process that is evaluated with both simulations and traces from a Cortex-M7 target. To our knowledge, this work is the first to target such an high-end 32-bit platform. Importantly, we raise and discuss the remaining challenges for the complete extraction of a deep neural network model, more particularly the critical case of biases.