SystemC Model of Power Side-Channel Attacks Against AI Accelerators: Superstition or not?

Andrija Nešković, Saleh Mulhem, Alexander Treff, Rainer Buchty, Thomas Eisenbarth, Mladen Berekovic

TL;DR

This work tackles the risk that power side channels can reveal internal AI model parameters embedded in AI accelerators. It introduces a SystemC ESL model of a systolic-array AI accelerator with a dynamic power model and demonstrates both correlation power analysis and template attacks to extract secret weights, including an analysis of additive noise effects. The authors validate the ESL approach by comparing SystemC traces against gate-level netlist power estimates, showing similar trends and enabling early threat assessment in the design space. The results underscore the feasibility of pre-silicon security evaluation and motivate design-space exploration toward attack-resilient AI accelerators, with extensions to full-system models proposed for future work.

Abstract

As training artificial intelligence (AI) models is a lengthy and hence costly process, leakage of such a model's internal parameters is highly undesirable. In the case of AI accelerators, side-channel information leakage opens up the threat scenario of extracting the internal secrets of pre-trained models. Therefore, sufficiently elaborate methods for design verification as well as fault and security evaluation at the electronic system level are in demand. In this paper, we propose estimating information leakage from the early design steps of AI accelerators to aid in a more robust architectural design. We first introduce the threat scenario before diving into SystemC as a standard method for early design evaluation and how this can be applied to threat modeling. We present two successful side-channel attack methods executed via SystemC-based power modeling: correlation power analysis and template attack, both leading to total information leakage. The presented models are verified against an industry-standard netlist-level power estimation to prove general feasibility and determine accuracy. Consequently, we explore the impact of additive noise in our simulation to establish indicators for early threat evaluation. The presented approach is again validated via a model-vs-netlist comparison, showing high accuracy of the achieved results. This work hence is a solid step towards fast attack deployment and, subsequently, the design of attack-resilient AI accelerators.

Paper Structure (27 sections, 7 equations, 7 figures, 2 tables)

Figures (7)

  • Figure 1: AI Accelerator IC Design Process (Adapted from 5247153).
  • Figure 2: Block diagram of TPU including the threat model.
  • Figure 3: SystemC Implementation Overview.
  • Figure 4: CPA provides multiple weight candidates for $b_{11}$.
  • Figure 5: Correlation coefficient against additive noise.
  • ...and 2 more figures