Remote Power Side-Channel Attacks on BNN Accelerators in FPGAs
Shayan Moini1, Shanquan Tian2, Daniel Holcomb1, Jakub Szefer2 and Russell Tessier1
1Department of Electrical and Computer Engineering, University of Massachusetts, Amherst, MA, USA
2Department of Electrical Engineering, Yale University, New Haven, CT, USA
ABSTRACT
Multi-tenant FPGAs have recently been proposed, where multiple independent users simultaneously share a remote FPGA. Despite its benefits for cost and utilization, multi-tenancy opens up the possibility of malicious users extracting sensitive information from co-located victim users. To demonstrate the dangers, this paper presents a remote, power-based side-channel attack on a binarized neural network (BNN) accelerator. This work shows how to remotely obtain voltage estimates as the BNN circuit executes, and how the information can be used to recover the inputs to the BNN. The attack is demonstrated with a BNN used to recognize handwriting images from the MNIST dataset. With the use of precise time-to-digital converters (TDCs) for remote voltage estimation, the MNIST inputs can be successfully recovered with a maximum normalized cross-correlation of 75% between the input image and the recovered image.