Cryptology ePrint Archive: Report 2021/720

On Reverse Engineering Neural Network Implementation on GPU

Łukasz Chmielewski and Léo Weissbart

Abstract: In recent years machine learning has become increasingly mainstream across industries. Additionally, Graphical Processing Unit (GPU) accelerators are widely deployed in various neural network (NN) applications, including image recognition for autonomous vehicles and natural language processing, among others. Since training a powerful network requires expensive data collection and computing power, its design and parameters are often considered a secret intellectual property of their manufacturers. However, hardware accelerators can leak crucial information about the secret neural network designs through side-channels, like Electro-Magnetic (EM) emanations, power consumption, or timing.

We propose and evaluate non-invasive and passive reverse engineering methods to recover NN designs deployed on GPUs through EM side-channel analysis. We employ a well-known technique of simple EM analysis and timing analysis of NN layers execution. We consider commonly used NN architectures, namely Multilayer Perceptron and Convolutional Neural Networks. We show how to recover the number of layers and neurons as well as the types of activation functions. Our experimental results are obtained on a setup that is as close as possible to a real-world device in order to properly assess the applicability and extendability of our methods.

We analyze the NN execution of a PyTorch python framework implementation running on Nvidia Jetson Nano, a module computer embedding a Tegra X1 SoC that combines an ARM Cortex-A57 CPU and a 128-core GPU within a Maxwell architecture. Our results show the importance of side-channel protections for NN accelerators in real-world applications.

Category / Keywords: applications / Deep Neural Network, Side-channel Analysis, Simple Power Analysis, Reverse Engineering

Original Publication (in the same form): 2nd workshop on Artificial Intelligence in Hardware Security (AIHWS) in conjunction with ACNS 2021

Date: received 30 May 2021

Contact author: lukaszc at cs ru nl

Available format(s): PDF | BibTeX Citation

Version: 20210531:064551 (All versions of this report)

Short URL: ia.cr/2021/720


[ Cryptology ePrint archive ]