SCARE: Side Channel Attack on In-Memory Computing for Reverse Engineering

In-memory computing architectures provide a much needed solution to energy-efficiency barriers posed by Von-Neumann computing due to the movement of data between the processor and the memory. Functions implemented in such in-memory architectures are often proprietary and constitute confidential Intellectual Property. Our studies indicate that IMCs implemented using RRAM are susceptible to Side Channel Attack. Unlike conventional SCAs that are aimed to leak private keys from cryptographic implementations, SCARE can reveal the sensitive IP implemented within the memory. Therefore, the adversary does not need to perform invasive Reverse Engineering to unlock the functionality. We demonstrate SCARE by taking recent IMC architectures such as DCIM and MAGIC as test cases. Simulation results indicate that AND, OR, and NOR gates (building blocks of complex functions) yield distinct power and timing signatures based on the number of inputs making them vulnerable to SCA. Although process variations can obfuscate the signatures due to significant overlap, we show that the adversary can use statistical modeling and analysis to identify the structure of the implemented function. SCARE can find the implemented IP by testing a limited number of patterns. For example, the proposed technique reduces the number of patterns by 64% compared to a brute force attack for a+bc function. Additionally, analysis shows improvement in SCAREs detection model due to adversarial change in supply voltage for both DCIM and MAGIC. We also propose countermeasures such as redundant inputs and expansion of literals. Redundant inputs can mask the IP with 25% area and 20% power overhead. However, functions can be found by greater RE effort. Expansion of literals incurs 36% power overhead. However, it imposes brute force search by the adversary for which the RE effort increases by 3.04X.