HAMLOCK: HArdware-Model LOgically Combined attacK

TL;DR

HAMLOCK is a novel hardware-software combined attack on DNNs that is highly stealthy, bypasses existing defenses, and manipulates model outputs via hardware Trojans without altering the model's apparent benign nature.

Contribution

This paper introduces HAMLOCK, a new attack method that distributes malicious logic across hardware and software, making it undetectable by conventional defenses and minimally impacting model performance.

Findings

Achieves near-perfect attack success rate on multiple benchmarks.

Circumvents state-of-the-art model-level defenses without adaptive optimization.

Hardware Trojan incurs negligible area and power overheads.

Abstract

The growing use of third-party hardware accelerators (e.g., FPGAs, ASICs) for deep neural networks (DNNs) introduces new security vulnerabilities. Conventional model-level backdoor attacks, which only poison a model's weights to misclassify inputs with a specific trigger, are often detectable because the entire attack logic is embedded within the model (i.e., software), creating a traceable layer-by-layer activation path. This paper introduces the HArdware-Model Logically Combined Attack (HAMLOCK), a far stealthier threat that distributes the attack logic across the hardware-software boundary. The software (model) is now only minimally altered by tuning the activations of few neurons to produce uniquely high activation values when a trigger is present. A malicious hardware Trojan detects those unique activations by monitoring the corresponding neurons' most significant bit or the 8-bit exponents and triggers another hardware Trojan to directly manipulate the final output logits for misclassification. This decoupled design is highly stealthy, as the model itself contains no complete backdoor activation path as in conventional attacks and hence, appears fully benign. Empirically, across benchmarks like MNIST, CIFAR10, GTSRB, and ImageNet, HAMLOCK achieves a near-perfect attack success rate with a negligible clean accuracy drop. More importantly, HAMLOCK circumvents the state-of-the-art model-level defenses without any adaptive optimization. The hardware Trojan is also undetectable, incurring area and power overheads as low as 0.01%, which is easily masked by process and environmental noise. Our findings expose a critical vulnerability at the hardware-software interface, demanding new cross-layer defenses against this emerging threat.