research-article

Lightning: Leveraging DVFS-induced Transient Fault Injection to Attack Deep Learning Accelerator of GPUs

Authors:
Rihui Sun

Harbin Institute of Technology, China

Harbin Institute of Technology, China

0000-0002-9948-8653
View Profile

,
Pengfei Qiu

Beijing University of Posts and Telecommunications, China

Beijing University of Posts and Telecommunications, China

0009-0009-4043-2119
View Profile

,
Yongqiang Lyu

Tsinghua University, China

Tsinghua University, China

0000-0003-2573-963X
View Profile

,
Jian Dong

Harbin Institute of Technology, China

Harbin Institute of Technology, China

0000-0002-2980-9431
View Profile

,
Haixia Wang

Tsinghua University, China

Tsinghua University, China

0009-0008-0474-5030
View Profile

,
Dongsheng Wang

Tsinghua University, China

Tsinghua University, China

0000-0001-5779-9026
View Profile

,
Gang Qu

University of Maryland, USA

University of Maryland, USA

0000-0001-6759-8949
View Profile

ACM Transactions on Design Automation of Electronic Systems Volume 29 Issue 1Article No.: 14pp 1–22https://doi.org/10.1145/3617893

Published:15 November 2023Publication History

ACM Transactions on Design Automation of Electronic Systems

Abstract

Graphics Processing Units (GPU) are widely used as deep learning accelerators because of its high performance and low power consumption. Additionally, it remains secure against hardware-induced transient fault injection attacks, a classic type of attacks that have been developed on other computing platforms. In this work, we demonstrate that well-trained machine learning models are robust against hardware fault injection attacks when the faults are generated randomly. However, we discover that these models have components, which we refer to as sensitive targets, that are vulnerable to faults. By exploiting this vulnerability, we propose the Lightning attack, which precisely strikes the model’s sensitive targets with hardware-induced transient faults based on the Dynamic Voltage and Frequency Scaling (DVFS). We design a sensitive targets search algorithm to find the most critical processing units of Deep Neural Network (DNN) models determining the inference results, and develop a genetic algorithm to automatically optimize the attack parameters for DVFS to induce faults. Experiments on three commodity Nvidia GPUs for four widely-used DNN models show that the proposed Lightning attack can reduce the inference accuracy by 69.1% on average for non-targeted attacks, and, more interestingly, achieve a success rate of 67.9% for targeted attacks.

REFERENCES

[1] Barenghi Alessandro, Bertoni Guido, Parrinello Emanuele, and Pelosi Gerardo. 2009. Low voltage fault attacks on the RSA cryptosystem. In 2009 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC). IEEE, Lausanne, Switzerland, 23–31.Google ScholarDigital Library
[2] Barenghi Alessandro, Bertoni Guido M., Breveglieri Luca, Pellicioli Mauro, and Pelosi Gerardo. 2010. Low voltage fault attacks to AES. In 2010 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST). IEEE, Anaheim, CA, USA, 7–12.Google ScholarCross Ref
[3] Courbon Franck, Loubet-Moundi Philippe, Fournier Jacques J. A., and Tria Assia. 2014. Adjusting laser injections for fully controlled faults. In International Workshop on Constructive Side-channel Analysis and Secure Design. Springer International Publishing, Cham, 229–242.Google Scholar
[4] Crankshaw Daniel, Wang Xin, Zhou Guilio, Franklin Michael J., Gonzalez Joseph E., and Stoica Ion. 2017. Clipper: A low-latency online prediction serving system. In 14th USENIX Symposium on Networked Systems Design and Implementation (NSDI 17). USENIX Association, Boston, MA, 613–627. https://www.usenix.org/conference/nsdi17/technical-sessions/presentation/crankshawGoogle Scholar
[5] Dehbaoui Amine, Dutertre Jean-Max, Robisson Bruno, and Tria Assia. 2012. Electromagnetic transient faults injection on a hardware and a software implementations of AES. In 2012 Workshop on Fault Diagnosis and Tolerance in Cryptography. IEEE, Leuven, Belgium, 7–15.Google ScholarDigital Library
[6] Delvaux Jeroen and Verbauwhede Ingrid. 2014. Fault injection modeling attacks on 65 nm arbiter and RO sum PUFs via environmental changes. IEEE Transactions on Circuits and Systems I: Regular Papers 61, 6 (2014), 1701–1713.Google ScholarCross Ref
[7] Di Bang, Sun Jianhua, and Chen Hao. 2016. A study of overflow vulnerabilities on GPUs. In IFIP International Conference on Network and Parallel Computing. Springer International Publishing, Cham, 103–115.Google ScholarDigital Library
[8] Endo Sho, Sugawara Takeshi, Homma Naofumi, Aoki Takafumi, and Satoh Akashi. 2011. An on-chip glitchy-clock generator for testing fault injection attacks. Journal of Cryptographic Engineering 1, 4 (2011), 265.Google ScholarCross Ref
[9] Erb Christopher, Collins Mike, and Greathouse Joseph L.. 2017. Dynamic buffer overflow detection for GPGPUs. IEEE/ACM International Symposium on Code Generation and Optimization (CGO’17), Austin, TX, 61–73. DOI:Google ScholarCross Ref
[10] Eslami Mohammad, Ghavami Behnam, Raji Mohsen, and Mahani Ali. 2020. A survey on fault injection methods of digital integrated circuits. Integration 71 (2020), 154–163.Google ScholarDigital Library
[11] Gabor Ulrich Thomas, Siegert Daniel Ferdinand, and Spinczyk Olaf. 2019. High-accuracy software fault injection in source code with clang. In 2019 IEEE 24th Pacific Rim International Symposium on Dependable Computing (PRDC). IEEE, Kyoto, Japan, 75–7509.Google ScholarCross Ref
[12] Gankidi Pranay Reddy. 2016. FPGA Accelerator Architecture for Q-learning and its Applications in Space Exploration Rovers. Ph.D. Dissertation. Arizona State University.Google Scholar
[13] Goodfellow Ian J., Shlens Jonathon, and Szegedy Christian. 2015. Explaining and Harnessing Adversarial Examples. (2015). arxiv:stat.ML/1412.6572Google Scholar
[14] Gordienko Yuri, Kochura Yuriy, Taran Vlad, Gordienko Nikita, Rokovyi Alexandr, Alienin Oleg, and Stirenko Sergii. 2020. Scaling analysis of specialized tensor processing architectures for deep learning models. In Deep Learning: Concepts and Architectures. Springer International Publishing, Cham, 65–99.Google Scholar
[15] Guo Tian. 2017. Cloud-based or on-device: An empirical study of mobile deep inference. In 2018 IEEE International Conference on Cloud Engineering (IC2E). IEEE, Orlando, FL, USA, 184–190.Google Scholar
[16] Hong Inki, Kirovski Darko, Qu Gang, Potkonjak Miodrag, and Srivastava Mani B.. 1999. Power optimization of variable-voltage core-based systems. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 18, 12 (1999), 1702–1714.Google ScholarDigital Library
[17] Hutter Michael and Schmidt Jörn-Marc. 2013. The temperature side channel and heating fault attacks. In International Conference on Smart Card Research and Advanced Applications. Springer International Publishing, Cham, 219–235.Google Scholar
[18] Ionica Mircea Horea and Gregg David. 2015. The Movidius Myriad architecture’s potential for scientific computing. IEEE Micro 35, 1 (2015), 6–14.Google ScholarDigital Library
[19] Jiang Zhen Hang, Fei Yunsi, and Kaeli David. 2016. A complete key recovery timing attack on a GPU. In 2016 IEEE International Symposium on High Performance Computer Architecture (HPCA). IEEE, Barcelona, Spain, 394–405.Google ScholarCross Ref
[20] Karimi Elmira, Jiang Zhen Hang, Fei Yunsi, and Kaeli David. 2018. A timing side-channel attack on a mobile GPU. In 2018 IEEE 36th International Conference on Computer Design (ICCD). IEEE, Orlando, FL, USA, 67–74.Google ScholarCross Ref
[21] Kenjar Zijo, Frassetto Tommaso, Gens David, Franz Michael, and Sadeghi Ahmad-Reza. 2020. V0LTpwn: Attacking x86 processor integrity from software. In 29th USENIX Security Symposium (USENIX Security 20). USENIX Association, Boston, MA, USA, 1445–1461. https://www.usenix.org/conference/usenixsecurity20/presentation/kenjarGoogle Scholar
[22] Kwon Hyun, Kim Yongchul, Yoon Hyunsoo, and Choi Daeseon. 2018. Random untargeted adversarial example on deep neural network. Symmetry 10, 12 (2018), 738.Google ScholarCross Ref
[23] Lee Sangho, Kim Youngsok, Kim Jangwoo, and Kim Jong. 2014. Stealing webpages rendered on your browser by exploiting GPU vulnerabilities. In 2014 IEEE Symposium on Security and Privacy. IEEE, San Jose, CA, USA, 19–33.Google ScholarDigital Library
[24] Li Chao, Wang Zhenhua, Hou Xiaofeng, Chen Haopeng, Liang Xiaoyao, and Guo Minyi. 2016. Power attack defense: Securing battery-backed data centers. In 2016 ACM/IEEE 43rd Annual International Symposium on Computer Architecture (ISCA). 493–505. DOI:Google ScholarDigital Library
[25] Luo Chao, Fei Yunsi, and Kaeli David. 2018. GPU acceleration of RSA is vulnerable to side-channel timing attacks. In Proceedings of the International Conference on Computer-Aided Design. IEEE, San Diego, CA, USA, 1–8.Google ScholarDigital Library
[26] Luo Chao, Fei Yunsi, Luo Pei, Mukherjee Saoni, and Kaeli David. 2015. Side-channel power analysis of a GPU AES implementation. In 2015 33rd IEEE International Conference on Computer Design (ICCD). IEEE, San Francisco, CA, USA, 281–288.Google ScholarDigital Library
[27] Luo Chao, Fei Yunsi, Zhang Liwei, Ding A. Adam, Luo Pei, Mukherjee Saoni, and Kaeli David. 2018. Power analysis attack of an AES GPU implementation. Journal of Hardware and Systems Security 2, 1 (2018), 69–82.Google ScholarCross Ref
[28] Miele Andrea. 2016. Buffer overflow vulnerabilities in CUDA: A preliminary analysis. Journal of Computer Virology and Hacking Techniques 12, 2 (2016), 113–120.Google ScholarCross Ref
[29] Murdock Kit, Oswald David, Garcia Flavio D., Bulck Jo Van, Gruss Daniel, and Piessens Frank. 2020. Plundervolt: Software-based fault injection attacks against intel SGX. In 2020 IEEE Symposium on Security and Privacy (SP). IEEE, San Francisco, CA, USA, 1466–1482.Google ScholarCross Ref
[30] Naghibijouybari Hoda, Neupane Ajaya, Qian Zhiyun, and Abu-Ghazaleh Nael. 2018. Rendered insecure: GPU side channel attacks are practical. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (CCS ’18). ACM, New York, NY, USA, 2139–2153. DOI:Google ScholarDigital Library
[31] Nishikawa Naoki, Amano Hideharu, and Iwai Keisuke. 2017. Implementation of bitsliced AES encryption on CUDA-enabled GPU. In International Conference on Network and System Security. Springer International Publishing, Cham, 273–287.Google ScholarCross Ref
[32] Peres Martin. 2013. Reverse engineering power management on NVIDIA GPUs-A detailed overview. Power 75, 75W (2013), 150W.Google Scholar
[33] Qiu Pengfei, Wang Dongsheng, Lyu Yongqiang, and Qu Gang. 2019. VoltJockey: Breaching TrustZone by software-controlled voltage manipulation over multi-core frequencies. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS ’19). ACM, New York, NY, USA, 195–209. DOI:Google ScholarDigital Library
[34] Qiu Pengfei, Wang Dongsheng, Lyu Yongqiang, and Qu Gang. 2019. VoltJockey: Breaking SGX by software-controlled voltage-induced hardware faults. In 2019 Asian Hardware Oriented Security and Trust Symposium (AsianHOST). IEEE, Xi’an, China, 1–6.Google Scholar
[35] Razaque Abdul, Jinrui Wang, Zancheng Wang, Hani Qassim Bani, Khaskheli Murad Ali, and Bhutto Waseem Ahmed. 2018. Integration of CPU and GPU to accelerate RSA modular exponentiation operation. In 2018 IEEE Long Island Systems, Applications and Technology Conference (LISAT). IEEE, Farmingdale, NY, USA, 1–6.Google ScholarCross Ref
[36] Sabbagh Majid, Fei Yunsi, and Kaeli David. 2020. A novel GPU overdrive fault attack. In 2020 57th ACM/IEEE Design Automation Conference (DAC). IEEE, San Francisco, CA, USA, 1–6.Google ScholarCross Ref
[37] Seaborn Mark and Dullien Thomas. 2015. Exploiting the DRAM rowhammer bug to gain kernel privileges. Black Hat 15 (2015), 71.Google Scholar
[38] Seifert Norbert, Ambrose Vinod, Gill B., Shi Q., Allmon R., Recchia C., Mukherjee S., Nassif N., Krause J., Pickholtz J., and A. Balasubramanian. 2010. On the radiation-induced soft error performance of hardened sequential elements in advanced bulk CMOS technologies. In 2010 IEEE International Reliability Physics Symposium, Anaheim, CA, 188–197. DOI:Google ScholarCross Ref
[39] Shumailov Ilia, Zhao Yiren, Bates Daniel, Papernot Nicolas, Mullins Robert, and Anderson Ross. 2021. Sponge examples: Energy-latency attacks on neural networks. In 2021 IEEE European Symposium on Security and Privacy (EuroS&P). 212–231. DOI:Google ScholarCross Ref
[40] Tang Adrian, Sethumadhavan Simha, and Stolfo Salvatore. 2017. CLKSCREW: Exposing the perils of security-oblivious energy management. In 26th USENIX Security Symposium (USENIX Security 17). USENIX Association, Vancouver, BC, 1057–1074. https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/tangGoogle Scholar
[41] Tsimpourlas Foivos, Papadopoulos Lazaros, Bartsokas Anastasios, and Soudris Dimitrios. 2018. A design space exploration framework for convolutional neural networks implemented on edge devices. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 37, 11 (2018), 2212–2221.Google ScholarCross Ref
[42] Viera Raphael A. C., Maurine Philippe, Dutertre Jean-Max, and Bastos Rodrigo Possamai. 2020. Simulation and experimental demonstration of the importance of IR-drops during laser fault-injection. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 39, 6 (2020), 1231–1244. DOI:Google ScholarCross Ref
[43] Volos Stavros, Vaswani Kapil, and Bruno Rodrigo. 2018. Graviton: Trusted execution environments on GPUs. In 13th \(\lbrace\)USENIX\(\rbrace\) Symposium on Operating Systems Design and Implementation (\(\lbrace\)OSDI\(\rbrace\) 18). USENIX Association, Carlsbad, CA, 681–696.Google Scholar
[44] Xu Junge, Xuan Bohan, Liu Anlin, Sun Mo, Zhang Fan, Wang Zeke, and Ren Kui. 2022. Terminator on SkyNet: A practical DVFS attack on DNN hardware IP for UAV object detection. In Proceedings of the 59th ACM/IEEE Design Automation Conference (DAC ’22). Association for Computing Machinery, New York, NY, USA, 685–690. DOI:Google ScholarDigital Library
[45] Yi Maoxiang, Bian Jingchang, Ni Tianming, Jiang Cuiyun, Chang Hao, and Liang Huaguo. 2019. A pulse shrinking-based test solution for prebond through silicon via in 3-D ICs. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 38, 4, 755–766. DOI:Google ScholarCross Ref
[46] Zamani Hadi, Liu Yuanlai, Tripathy Devashree, Bhuyan Laxmi, and Chen Zizhong. 2019. GreenMM: Energy efficient GPU matrix multiplication through undervolting. In Proceedings of the ACM International Conference on Supercomputing (ICS ’19). Association for Computing Machinery, New York, NY, USA, 308–318. DOI:Google ScholarDigital Library

Index Terms

Lightning: Leveraging DVFS-induced Transient Fault Injection to Attack Deep Learning Accelerator of GPUs
1. Security and privacy
  1. Security in hardware
    1. Hardware attacks and countermeasures

Recommendations

Roofline-aware DVFS for GPUs
ADAPT '14: Proceedings of International Workshop on Adaptive Self-tuning Computing Systems

Graphics processing units (GPUs) are becoming increasingly popular for compute workloads, mainly because of their large number of processing elements and high-bandwidth to off-chip memory. The roofline model captures the ratio between the two (the ...
Read More
Fault injection attack on deep neural network
ICCAD '17: Proceedings of the 36th International Conference on Computer-Aided Design

Deep neural network (DNN), being able to effectively learn from a training set and provide highly accurate classification results, has become the de-facto technique used in many mission-critical systems. The security of DNN itself is therefore of great ...
Read More
Transient Fault Resilient QR Factorization on GPUs
FTXS '15: Proceedings of the 5th Workshop on Fault Tolerance for HPC at eXtreme Scale

With their inherent capability to exploit parallelism, GPUs have become a popular platform for data-intensive scientific computing applications. This trend is expected to continue as the number of computations required by scientific applications reach ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Published in
ACM Transactions on Design Automation of Electronic Systems Volume 29, Issue 1
January 2024
521 pages
ISSN:1084-4309
EISSN:1557-7309
DOI:10.1145/3613510
Editor:
X. Sharon Hu
University of Notre Dame, USA
Issue’s Table of Contents
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States

Journal Family
ACM Journals for the Design of Smart and Connected Systems
Publication History
- Published: 15 November 2023
- Online AM: 20 September 2023
- Accepted: 12 August 2023
- Revised: 24 June 2023
- Received: 12 March 2023
Published in todaes Volume 29, Issue 1

Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
Hardware faults
DVFS
deep learning trustworthiness
GPU accelerator
Qualifiers
- research-article
Conference
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 0
  Total Citations
  View Citations
- 344
  Total Downloads
- Downloads (Last 12 months)344
- Downloads (Last 6 weeks)28
Other Metrics
View Author Metrics
Cited By
This publication has not been cited yet

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Full Text

View this article in Full Text.

View Full Text

Lightning: Leveraging DVFS-induced Transient Fault Injection to Attack Deep Learning Accelerator of GPUs

ACM Transactions on Design Automation of Electronic Systems

Abstract

REFERENCES

Cited By

Index Terms

Recommendations

Roofline-aware DVFS for GPUs

Fault injection attack on deep neural network

Transient Fault Resilient QR Factorization on GPUs