To lower cost and increase the utilization of Cloud Field-Programmable Gate Arrays (FPGAs), researchers have recently been exploring the concept of multi-tenant FPGAs, where multiple independent users simultaneously share the same remote FPGA. Despite its benefits, multi-tenancy opens up the possibility of malicious users co-locating on the same FPGA as a victim user, and extracting sensitive information. This issue becomes especially serious when the user is running a machine learning algorithm that is processing sensitive or private information. To demonstrate the dangers, this paper presents a remote, power-based side-channel attack on a deep neural network accelerator running in a variety of Xilinx FPGAs and also on Cloud FPGAs using Amazon Web Services (AWS) F1 instances. This work in particular shows how to remotely obtain voltage estimates as a deep neural network inference circuit executes, and how the information can be used to recover the inputs to the neural network. The attack is demonstrated with a binarized convolutional neural network used to recognize handwriting images from the MNIST handwritten digit database. With the use of precise time-to-digital converters for remote voltage estimation, the MNIST inputs can be successfully recovered with a maximum normalized cross-correlation of 79% between the input image and the recovered image on local FPGA boards and 72% on AWS F1 instances. The attack requires no physical access nor modifications to the FPGA hardware.

中文翻译：

---

对远程 FPGA 中 BNN 加速器的电源侧通道攻击


为了降低成本并提高云现场可编程门阵列 (FPGA) 的利用率，研究人员最近一直在探索多租户 FPGA 的概念，即多个独立用户同时共享同一远程 FPGA。尽管有很多好处，但多租户有可能使恶意用户与受害用户位于同一 FPGA 上并提取敏感信息。当用户运行处理敏感或私人信息的机器学习算法时，这个问题变得尤其严重。为了演示这种危险，本文提出了一种针对在各种 Xilinx FPGA 中运行的深度神经网络加速器以及使用 Amazon Web Services (AWS) F1 实例的云 FPGA 的远程、基于功率的旁道攻击。这项工作特别展示了如何在深度神经网络推理电路执行时远程获取电压估计，以及如何使用这些信息来恢复神经网络的输入。该攻击通过用于识别 MNIST 手写数字数据库中的手写图像的二值化卷积神经网络进行了演示。通过使用精确的时间数字转换器进行远程电压估计，可以成功恢复 MNIST 输入，本地 FPGA 板上输入图像与恢复图像之间的最大归一化互相关性为 79%，在 AWS 上为 72% F1 实例。该攻击不需要物理访问或修改 FPGA 硬件。