Security for Embedded AI accelerators

Since the demand of devices running machine learning algorithms is rapidly increasing, hardware security is a growing concern for IoT companies. There are, in fact, multiple works showing that an hypothetical successful attack on a device, could reverse engineer all the details of a pre-trained Neural Network architecture (i.e. number of layers, activation functions, weights...), and compromise the Intellectual property of the company over the algorithm, causing a significant economic damage. One of the most concrete types of threat with this purpose, in fact, are Side-Channel Attacks that have been proved to be really effective and particularly hard to mitigate. In this report I will describe the work that I conducted during my internship with Bosch related to this topic. After a brief introduction on the theory behind these type of attacks, I will explain the hardware structure of the embedded machine learning accelerator focusing on the logic identified as possible target, the used tools to extract the side-channel statistics and then the different attacks which have been conducted. Last but not least, I will describe the countermeasures developed to mitigate these threats.