CR, LG · Apr 25, 2023

Evaluation of Parameter-based Attacks against Embedded Neural Networks with Laser Injection

arXiv:2304.12876v22 citations · h-index: 25
AI Analysis

This work addresses security evaluation challenges for machine learning systems in hardware, particularly for embedded platforms, by revealing practical implementation-based threats, though it is incremental as it builds on existing parameter-based attack methods.

The authors tackled the vulnerability of embedded neural networks to parameter-based attacks by demonstrating the first successful Bit-Flip Attack variant using laser fault injection on a 32-bit Cortex-M microcontroller, showing how simulations can efficiently identify sensitive bits to avoid brute-force strategies.

Upcoming certification actions related to the security of machine learning (ML) based systems raise major evaluation challenges that are amplified by the large-scale deployment of models in many hardware platforms. Until recently, most research works focused on API-based attacks that consider an ML model as a pure algorithmic abstraction. However, new implementation-based threats have been revealed, emphasizing the urgency to propose both practical and simulation-based methods to properly evaluate the robustness of models. A major concern is parameter-based attacks (such as the Bit-Flip Attack, BFA) that highlight the lack of robustness of typical deep neural network models when confronted by accurate and optimal alterations of their internal parameters stored in memory. For security testing purposes, this work practically reports, for the first time, a successful variant of the BFA on a 32-bit Cortex-M microcontroller using laser fault injection. It is a standard fault injection means for security evaluation that enables the injection of spatially and temporally accurate faults. To avoid unrealistic brute-force strategies, we show how simulations help select the most sensitive set of bits from the parameters, taking into account the laser fault model.
