(An) adversarial side channel attack on neural processing unit

Abstract

Neural Processing Unit (NPU) is a processor to use machine learning efficiently on embedded devices. In comparison to CPU and GPU, research on NPU has drawn less attention among security researchers. Some of the NPUs have adopted a new optimization technique called ”zero-skipping”, which skips all operations with zero-valued operands using a hardware circuit. This technique significantly increases the performance of NPU by decreasing the processing time

however, there have been no studies on investigating the side-effect of such an optimization technique. Can an attacker steal useful information by exploiting the reduced time? To answer this question, we conduct a first study on investigating the feasibility of a side-channel attack on NPUs with the zero-skipping feature. We investigate the relationship between the number of zero-valued operands and the output class in the binary classification model. For this, we conducted a series of experiments on several binary classification models based on neural networks such as CNN and ResNet v1 with MNIST, CIFAR-10, and FVC_2000_DB4_B datasets. As a result, we discovered that the extreme numbers of zero-valued operands, whether they are small or large, are highly biased to a specific output class. From this observation, we propose an adversarial input generation algorithm and demonstrate the feasibility of a timing side-channel attack on NPUs with the zero-skipping feature.