Abstract
Graphics Processing Units (GPU) are widely used as deep learning accelerators because of its high performance and low power consumption. Additionally, it remains secure against hardware-induced transient fault injection attacks, a classic type of attacks that have been developed on other computing platforms. In this work, we demonstrate that well-trained machine learning models are robust against hardware fault injection attacks when the faults are generated randomly. However, we discover that these models have components, which we refer to as sensitive targets, that are vulnerable to faults. By exploiting this vulnerability, we propose the Lightning attack, which precisely strikes the model’s sensitive targets with hardware-induced transient faults based on the Dynamic Voltage and Frequency Scaling (DVFS). We design a sensitive targets search algorithm to find the most critical processing units of Deep Neural Network (DNN) models determining the inference results, and develop a genetic algorithm to automatically optimize the attack parameters for DVFS to induce faults. Experiments on three commodity Nvidia GPUs for four widely-used DNN models show that the proposed Lightning attack can reduce the inference accuracy by 69.1% on average for non-targeted attacks, and, more interestingly, achieve a success rate of 67.9% for targeted attacks.
- [1] . 2009. Low voltage fault attacks on the RSA cryptosystem. In 2009 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC). IEEE, Lausanne, Switzerland, 23–31.Google ScholarDigital Library
- [2] . 2010. Low voltage fault attacks to AES. In 2010 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST). IEEE, Anaheim, CA, USA, 7–12.Google ScholarCross Ref
- [3] . 2014. Adjusting laser injections for fully controlled faults. In International Workshop on Constructive Side-channel Analysis and Secure Design. Springer International Publishing, Cham, 229–242.Google Scholar
- [4] . 2017. Clipper: A low-latency online prediction serving system. In 14th USENIX Symposium on Networked Systems Design and Implementation (NSDI 17). USENIX Association, Boston, MA, 613–627. https://www.usenix.org/conference/nsdi17/technical-sessions/presentation/crankshawGoogle Scholar
- [5] . 2012. Electromagnetic transient faults injection on a hardware and a software implementations of AES. In 2012 Workshop on Fault Diagnosis and Tolerance in Cryptography. IEEE, Leuven, Belgium, 7–15.Google ScholarDigital Library
- [6] . 2014. Fault injection modeling attacks on 65 nm arbiter and RO sum PUFs via environmental changes. IEEE Transactions on Circuits and Systems I: Regular Papers 61, 6 (2014), 1701–1713.Google ScholarCross Ref
- [7] . 2016. A study of overflow vulnerabilities on GPUs. In IFIP International Conference on Network and Parallel Computing. Springer International Publishing, Cham, 103–115.Google ScholarDigital Library
- [8] . 2011. An on-chip glitchy-clock generator for testing fault injection attacks. Journal of Cryptographic Engineering 1, 4 (2011), 265.Google ScholarCross Ref
- [9] . 2017. Dynamic buffer overflow detection for GPGPUs. IEEE/ACM International Symposium on Code Generation and Optimization (CGO’17), Austin, TX, 61–73.
DOI: Google ScholarCross Ref - [10] . 2020. A survey on fault injection methods of digital integrated circuits. Integration 71 (2020), 154–163.Google ScholarDigital Library
- [11] . 2019. High-accuracy software fault injection in source code with clang. In 2019 IEEE 24th Pacific Rim International Symposium on Dependable Computing (PRDC). IEEE, Kyoto, Japan, 75–7509.Google ScholarCross Ref
- [12] . 2016. FPGA Accelerator Architecture for Q-learning and its Applications in Space Exploration Rovers. Ph.D. Dissertation. Arizona State University.Google Scholar
- [13] . 2015. Explaining and Harnessing Adversarial Examples. (2015).
arxiv:stat.ML/1412.6572 Google Scholar - [14] . 2020. Scaling analysis of specialized tensor processing architectures for deep learning models. In Deep Learning: Concepts and Architectures. Springer International Publishing, Cham, 65–99.Google Scholar
- [15] . 2017. Cloud-based or on-device: An empirical study of mobile deep inference. In 2018 IEEE International Conference on Cloud Engineering (IC2E). IEEE, Orlando, FL, USA, 184–190.Google Scholar
- [16] . 1999. Power optimization of variable-voltage core-based systems. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 18, 12 (1999), 1702–1714.Google ScholarDigital Library
- [17] . 2013. The temperature side channel and heating fault attacks. In International Conference on Smart Card Research and Advanced Applications. Springer International Publishing, Cham, 219–235.Google Scholar
- [18] . 2015. The Movidius Myriad architecture’s potential for scientific computing. IEEE Micro 35, 1 (2015), 6–14.Google ScholarDigital Library
- [19] . 2016. A complete key recovery timing attack on a GPU. In 2016 IEEE International Symposium on High Performance Computer Architecture (HPCA). IEEE, Barcelona, Spain, 394–405.Google ScholarCross Ref
- [20] . 2018. A timing side-channel attack on a mobile GPU. In 2018 IEEE 36th International Conference on Computer Design (ICCD). IEEE, Orlando, FL, USA, 67–74.Google ScholarCross Ref
- [21] . 2020. V0LTpwn: Attacking x86 processor integrity from software. In 29th USENIX Security Symposium (USENIX Security 20). USENIX Association, Boston, MA, USA, 1445–1461. https://www.usenix.org/conference/usenixsecurity20/presentation/kenjarGoogle Scholar
- [22] . 2018. Random untargeted adversarial example on deep neural network. Symmetry 10, 12 (2018), 738.Google ScholarCross Ref
- [23] . 2014. Stealing webpages rendered on your browser by exploiting GPU vulnerabilities. In 2014 IEEE Symposium on Security and Privacy. IEEE, San Jose, CA, USA, 19–33.Google ScholarDigital Library
- [24] . 2016. Power attack defense: Securing battery-backed data centers. In 2016 ACM/IEEE 43rd Annual International Symposium on Computer Architecture (ISCA). 493–505.
DOI: Google ScholarDigital Library - [25] . 2018. GPU acceleration of RSA is vulnerable to side-channel timing attacks. In Proceedings of the International Conference on Computer-Aided Design. IEEE, San Diego, CA, USA, 1–8.Google ScholarDigital Library
- [26] . 2015. Side-channel power analysis of a GPU AES implementation. In 2015 33rd IEEE International Conference on Computer Design (ICCD). IEEE, San Francisco, CA, USA, 281–288.Google ScholarDigital Library
- [27] . 2018. Power analysis attack of an AES GPU implementation. Journal of Hardware and Systems Security 2, 1 (2018), 69–82.Google ScholarCross Ref
- [28] . 2016. Buffer overflow vulnerabilities in CUDA: A preliminary analysis. Journal of Computer Virology and Hacking Techniques 12, 2 (2016), 113–120.Google ScholarCross Ref
- [29] . 2020. Plundervolt: Software-based fault injection attacks against intel SGX. In 2020 IEEE Symposium on Security and Privacy (SP). IEEE, San Francisco, CA, USA, 1466–1482.Google ScholarCross Ref
- [30] . 2018. Rendered insecure: GPU side channel attacks are practical. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (CCS ’18). ACM, New York, NY, USA, 2139–2153.
DOI: Google ScholarDigital Library - [31] . 2017. Implementation of bitsliced AES encryption on CUDA-enabled GPU. In International Conference on Network and System Security. Springer International Publishing, Cham, 273–287.Google ScholarCross Ref
- [32] . 2013. Reverse engineering power management on NVIDIA GPUs-A detailed overview. Power 75, 75W (2013), 150W.Google Scholar
- [33] . 2019. VoltJockey: Breaching TrustZone by software-controlled voltage manipulation over multi-core frequencies. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS ’19). ACM, New York, NY, USA, 195–209.
DOI: Google ScholarDigital Library - [34] . 2019. VoltJockey: Breaking SGX by software-controlled voltage-induced hardware faults. In 2019 Asian Hardware Oriented Security and Trust Symposium (AsianHOST). IEEE, Xi’an, China, 1–6.Google Scholar
- [35] . 2018. Integration of CPU and GPU to accelerate RSA modular exponentiation operation. In 2018 IEEE Long Island Systems, Applications and Technology Conference (LISAT). IEEE, Farmingdale, NY, USA, 1–6.Google ScholarCross Ref
- [36] . 2020. A novel GPU overdrive fault attack. In 2020 57th ACM/IEEE Design Automation Conference (DAC). IEEE, San Francisco, CA, USA, 1–6.Google ScholarCross Ref
- [37] . 2015. Exploiting the DRAM rowhammer bug to gain kernel privileges. Black Hat 15 (2015), 71.Google Scholar
- [38] . 2010. On the radiation-induced soft error performance of hardened sequential elements in advanced bulk CMOS technologies. In 2010 IEEE International Reliability Physics Symposium, Anaheim, CA, 188–197.
DOI: Google ScholarCross Ref - [39] . 2021. Sponge examples: Energy-latency attacks on neural networks. In 2021 IEEE European Symposium on Security and Privacy (EuroS&P). 212–231.
DOI: Google ScholarCross Ref - [40] . 2017. CLKSCREW: Exposing the perils of security-oblivious energy management. In 26th USENIX Security Symposium (USENIX Security 17). USENIX Association, Vancouver, BC, 1057–1074. https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/tangGoogle Scholar
- [41] . 2018. A design space exploration framework for convolutional neural networks implemented on edge devices. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 37, 11 (2018), 2212–2221.Google ScholarCross Ref
- [42] . 2020. Simulation and experimental demonstration of the importance of IR-drops during laser fault-injection. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 39, 6 (2020), 1231–1244.
DOI: Google ScholarCross Ref - [43] . 2018. Graviton: Trusted execution environments on GPUs. In 13th \(\lbrace\)USENIX\(\rbrace\) Symposium on Operating Systems Design and Implementation (\(\lbrace\)OSDI\(\rbrace\) 18). USENIX Association, Carlsbad, CA, 681–696.Google Scholar
- [44] . 2022. Terminator on SkyNet: A practical DVFS attack on DNN hardware IP for UAV object detection. In Proceedings of the 59th ACM/IEEE Design Automation Conference (DAC ’22). Association for Computing Machinery, New York, NY, USA, 685–690.
DOI: Google ScholarDigital Library - [45] . 2019. A pulse shrinking-based test solution for prebond through silicon via in 3-D ICs. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 38, 4, 755–766.
DOI: Google ScholarCross Ref - [46] . 2019. GreenMM: Energy efficient GPU matrix multiplication through undervolting. In Proceedings of the ACM International Conference on Supercomputing (ICS ’19). Association for Computing Machinery, New York, NY, USA, 308–318.
DOI: Google ScholarDigital Library
Index Terms
- Lightning: Leveraging DVFS-induced Transient Fault Injection to Attack Deep Learning Accelerator of GPUs
Recommendations
Roofline-aware DVFS for GPUs
ADAPT '14: Proceedings of International Workshop on Adaptive Self-tuning Computing SystemsGraphics processing units (GPUs) are becoming increasingly popular for compute workloads, mainly because of their large number of processing elements and high-bandwidth to off-chip memory. The roofline model captures the ratio between the two (the ...
Fault injection attack on deep neural network
ICCAD '17: Proceedings of the 36th International Conference on Computer-Aided DesignDeep neural network (DNN), being able to effectively learn from a training set and provide highly accurate classification results, has become the de-facto technique used in many mission-critical systems. The security of DNN itself is therefore of great ...
Transient Fault Resilient QR Factorization on GPUs
FTXS '15: Proceedings of the 5th Workshop on Fault Tolerance for HPC at eXtreme ScaleWith their inherent capability to exploit parallelism, GPUs have become a popular platform for data-intensive scientific computing applications. This trend is expected to continue as the number of computations required by scientific applications reach ...
Comments