Logic locking has been proposed to safeguard intellectual property (IP) during chip fabrication. Logic locking techniques protect hardware IP by making a subset of combinational modules in a design dependent on a secret key that is withheld from untrusted parties. If an incorrect key is applied, the locked modules produce a set of deterministic errors, restricting unauthorized use. Neural accelerators are a common target for logic locking, especially as machine-learning-as-a-service becomes more prevalent. In this work, we explore how logic locking can be used to compromise the security of the very neural accelerator it protects. Specifically, we show how the deterministic errors caused by incorrect keys can be harnessed to produce neural-trojan-style backdoors. To do so, we first outline a motivational attack scenario in which a carefully chosen incorrect key, which we call a trojan key, produces misclassifications for an attacker-specified input class in a locked accelerator. We then develop a theoretically robust attack methodology to automatically identify trojan keys. To evaluate this attack, we launch it on several locked accelerators. In our largest benchmark accelerator, the attack identified a trojan key that caused a 74\% decrease in classification accuracy for attacker-specified trigger inputs while degrading accuracy for other inputs by only 1.7\% on average.
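To make the underlying mechanism concrete, the following is a minimal conceptual sketch, not the paper's attack methodology: a toy 3-input combinational module locked with XOR/XNOR key gates, and an exhaustive scan over wrong keys to find one whose deterministic error pattern covers an attacker-chosen trigger input while corrupting few others. The function names, the 3-bit key width, and the trigger set are all illustrative assumptions.

```python
# Toy illustration of XOR/XNOR logic locking and trojan-key selection.
# Assumptions (not from the paper): a 3-input module, a 3-bit key, and a
# single attacker-chosen trigger input.

from itertools import product

def original_logic(a, b, c):
    """The IP owner's intended 3-input, 1-output function."""
    return (a & b) | (b & c)

CORRECT_KEY = (0, 1, 0)  # assumed secret key for this toy netlist

def locked_logic(a, b, c, key):
    """XOR/XNOR key gates inserted on the input wires.
    With key == CORRECT_KEY every gate is transparent and the module
    matches original_logic; any other key deterministically corrupts
    exactly the wires whose key bits are wrong."""
    k0, k1, k2 = key
    a = a ^ k0          # XOR key gate, correct bit is 0
    b = b ^ k1 ^ 1      # XNOR key gate, correct bit is 1
    c = c ^ k2          # XOR key gate, correct bit is 0
    return original_logic(a, b, c)

# Enumerate every key and record which inputs it corrupts. A wrong key whose
# error set covers the attacker's trigger inputs but spares most others plays
# the role of a trojan key in this toy setting.
trigger_inputs = {(1, 1, 0)}  # attacker-chosen inputs to misbehave on
for key in product((0, 1), repeat=3):
    errors = {x for x in product((0, 1), repeat=3)
              if locked_logic(*x, key) != original_logic(*x)}
    hits_trigger = trigger_inputs <= errors
    collateral = len(errors - trigger_inputs)
    print(f"key={key} errors_on={sorted(errors)} "
          f"trigger_hit={hits_trigger} collateral={collateral}")
```

In a real accelerator the key space is far too large to enumerate, which is why the paper develops an automated method for identifying trojan keys; the sketch only illustrates why wrong-key errors are deterministic and input-dependent, which is the property the attack exploits.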